Reputation: 356
Okay, I recently transferred my Comodo SSL certificate from my previous Bluehost account to my new Rackspace cloud server (LAMP stack).
Basically I just copy-pasted the server cert and key and checked to make sure it was properly installed, which it was. Now I am running into some issues: occasionally I will hear from people that they are getting an 'Untrusted Connection Error', while others are not getting this error at all.
Recently someone sent me a screenshot of their error and it said: This certificate is not trusted because no issuer chain was provided.
The browser they noticed this on was Safari, so I cleared all my history data in Safari and opened the site, but I am not seeing that error.
Does anyone have any idea how to fix something like this? Thanks!
When I enter openssl s_client... I get:
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Hosted by BlueHost.Com, INC/OU=PositiveSSL/CN=www.sitename.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
Upvotes: 1
Views: 1905
Reputation: 7704
You most likely lack the 'chain' or intermediate certificates (which some people may have in their browser, and some not).
The easiest way to resolve this is by looking at the issuer details on your certificate and finding that certificate. Then look at the issuer details of that cert, and so on until you hit the 'root', which is a self-signed certificate (subject identical to issuer).
Once you've got them all concatenate them in a file and point SSLCertificateChainFile at that.
Your httpd.conf then looks like
SSLEngine on
SSLCertificateKeyFile .../your-key.key
SSLCertificateFile .../your-cert.pem
SSLCertificateChainFile .../ca-bundle.pem
Some CAs make this file available as a 'ca-bundle' (https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1203) when they issue a cert. Most don't.
So in that case you'll need to create it. Doing
openssl x509 -in <your cert.pem> -noout -issuer
will get you the exact issuer string. Googling for it generally gives you the intermediate cert you need (usually at the support site of your CA). Once you have that - repeat above and keep going at it until you are at the final one -- where issuer is identical to subject.
Once done - restart the webserver and that should be it.
If you want to verify you got the whole chain - then use the command
openssl s_client -connect <your domain name>:443
and check that the output starts with:
 0 s:/C=GB/OU=Domain Control Validated/CN=<your domain>
   i:/C=BE/O=Comodo/CN=Comodo foobar
....
 3 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
and has at least one entry (3 in the above example) where you have a final root; the s: is identical to the i:. If you just see a single entry
 0 s:/C=GB/OU=Domain Control Validated/CN=<your domain>
   i:/C=BE/O=Comodo/CN=Comodo foobar
and nothing more - then check your chain again - and make sure that it contains a cert with a subject identical to your issuer (in above example '/C=BE/O=Comodo/CN=Comodo foobar').
You can check this by parsing each blob in your bundle with
openssl x509 -noout -in file.pem -subject -issuer
where file.pem is one chunk of your SSLCertificateChainFile file.
Caveat: the above is a slight simplification; some chains may have multiple roots or cross-signing. In that case it gets a bit more complex, but it follows the above example.
Upvotes: 3
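As an added example, not part of the question or the answer above: the walk the answer describes (the subject of each bundle entry must equal the issuer of the entry before it, starting from the server cert's issuer and ending at a self-signed root), scripted against a throwaway local PKI so it runs offline. Ordering matters as well as presence: in the question's own s_client output, entry 1 is the self-signed AddTrust root and entry 2 is PositiveSSL CA 2, so the intermediate is present but out of order, and TLS (RFC 5246, section 7.4.2) requires each certificate in the handshake to directly certify the one preceding it. `openssl verify` builds its own path from `-untrusted` and therefore accepts either order, so the script checks the order explicitly. Everything here is constructed for the example (the Example Test PKI names, www.example.test, the file names and the minimal req config); it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway root -> intermediate
# -> leaf PKI, then check a candidate SSLCertificateChainFile by walking each PEM
# block's subject/issuer until a self-signed root, the way the answer describes.
# All names are constructed (Example Test PKI, www.example.test); no real CA material.
set -eu

# Create root/inter/leaf .key and .pem files in $1.
make_test_pki() {
  dir=$1
  # Minimal req config so the demo does not depend on the system openssl.cnf.
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
  for n in root inter leaf; do
    openssl genrsa -out "$dir/$n.key" 2048 2>/dev/null
  done
  openssl req -new -config "$dir/req.cnf" -key "$dir/root.key" \
    -subj "/O=Example Test PKI/CN=Example Root CA" -out "$dir/root.csr"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 \
    -extfile "$dir/req.cnf" -extensions ca_ext -out "$dir/root.pem" 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -key "$dir/inter.key" \
    -subj "/O=Example Test PKI/CN=Example Intermediate CA" -out "$dir/inter.csr"
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1 -extfile "$dir/req.cnf" -extensions ca_ext \
    -out "$dir/inter.pem" 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -key "$dir/leaf.key" \
    -subj "/CN=www.example.test" -out "$dir/leaf.csr"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
    -CAcreateserial -days 1 -extfile "$dir/req.cnf" -extensions leaf_ext \
    -out "$dir/leaf.pem" 2>/dev/null
}

# Print "subject<TAB>issuer" of one PEM cert: the answer's openssl x509 -subject -issuer
# check, with -nameopt RFC2253 so the two strings compare byte for byte.
cert_names() {
  s=$(openssl x509 -noout -in "$1" -subject -nameopt RFC2253 | sed 's/^subject=[ ]*//')
  i=$(openssl x509 -noout -in "$1" -issuer -nameopt RFC2253 | sed 's/^issuer=[ ]*//')
  printf '%s\t%s\n' "$s" "$i"
}

# check_chain_order LEAF BUNDLE: returns 0 only if BUNDLE starts with LEAF's issuer,
# each cert's subject equals the previous cert's issuer, and the last cert is self-signed.
check_chain_order() {
  leaf=$1; bundle=$2
  tmp=$(mktemp -d)
  # Split the bundle into one file per PEM block, keeping the file order.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++; f=sprintf("%s/%03d.pem", d, n)}
                   f{print > f} /-----END CERTIFICATE-----/{close(f); f=""}' "$bundle"
  want=$(cert_names "$leaf" | cut -f2)
  n=0; self_signed_last=1
  for c in "$tmp"/*.pem; do
    [ -e "$c" ] || break
    n=$((n + 1))
    names=$(cert_names "$c")
    subj=$(printf '%s\n' "$names" | cut -f1)
    iss=$(printf '%s\n' "$names" | cut -f2)
    echo " $n s:$subj"; echo "   i:$iss"
    if [ "$subj" != "$want" ]; then
      echo "chain broken at entry $n: expected a cert with subject '$want'"
      rm -rf "$tmp"; return 1
    fi
    want=$iss
    if [ "$subj" = "$iss" ]; then self_signed_last=0; else self_signed_last=1; fi
  done
  rm -rf "$tmp"
  [ "$n" -gt 0 ] || { echo "bundle contains no certificates"; return 1; }
  [ "$self_signed_last" -eq 0 ] || { echo "last entry is not a self-signed root"; return 1; }
  return 0
}

demo() {
  d=$(mktemp -d)
  make_test_pki "$d"
  # Correct order: the leaf's issuer first, then upward to the self-signed root.
  cat "$d/inter.pem" "$d/root.pem" > "$d/ca-bundle.pem"
  # The order seen in the question's s_client output: root before the intermediate.
  cat "$d/root.pem" "$d/inter.pem" > "$d/ca-bundle-misordered.pem"
  for b in ca-bundle ca-bundle-misordered; do
    echo "== $b.pem"
    if check_chain_order "$d/leaf.pem" "$d/$b.pem"; then echo "order: OK"; else echo "order: BAD"; fi
    # openssl verify builds its own path from -untrusted, so it passes either bundle.
    openssl verify -CAfile "$d/root.pem" -untrusted "$d/$b.pem" "$d/leaf.pem" || true
  done
  rm -rf "$d"
}

demo
```

Run it as-is to see both bundles walked; to check a real bundle, call `check_chain_order /path/to/your-cert.pem /path/to/ca-bundle.pem` and fix whichever entry it reports. Note that on Apache 2.4.8 and later SSLCertificateChainFile is deprecated: the same ordered bundle is instead appended to the file named by SSLCertificateFile, after the server certificate, and the ordering rule is unchanged.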