Hamed mayahian

Reputation: 2323

SSL Security Error for some mobile users

I moved my website arvandkala.ir to https recently. The problem is that some users (especially on mobile) get an SSL privacy error. The user's mobile clock is OK, and I don't have any mixed data on the website. Firefox error code:

SEC_ERROR_UNKNOWN_ISSUER

the issuer is Certum and trusted by firefox.


Upvotes: 0

Views: 209

Answers (1)

dave_thompson_085

Reputation: 38821

TLDR: it's the chain cert

You need to get the correct chain cert from the CA and configure it in your server.

Normally a CA provides the correct chain cert (or sometimes certs plural) when you buy or obtain your server cert, and also makes all its chain certs (usually several) available on its website, but since I don't know Polish and don't know any customers of your CA certum.pl I can't address these approaches here. Nowadays a common alternative is for the cert itself to specify a way to obtain its parent cert, in the caIssuers attribute in the AuthorityInfoAccess extension. This can be seen with many tools, including (at least) desktop browsers, OpenSSL (x509 -noout -text -in $file), and Java keytool (-printcert -v -file $file), and your cert does have it, pointing to http://repository.certum.pl/dvcasha2.cer . Fetching that URL with a tool that does not interpret the content (i.e. not a browser, but things like curl, wget, perl, python or javascript) does yield the correct cert, in DER format.

Configuring your server varies hugely depending on the server, which you didn't identify. Your server identifies in a response as Server: Apache/2.4.7 (Ubuntu) but this could be falsified because some people consider that a good way to confuse attackers (not very) or mistaken because some other terminator is in front. If true, although there are other possibilities I'll assume the common default mod_ssl. The documentation for Apache 2.4 mod_ssl is located on the Apache website under docs / 2.4 / modules / mod_ssl . As this page tells you, for 2.4.8 and up you can include the PEM-format chain cert with the server cert in the file specified by SSLCertificateFile, but below that you must put them both in a file specified by SSLCertificateChainFile instead. This config (certificate including chain, plus private key) can be per virtualhost, or if you don't need them to be different it can be global. On Ubuntu the usual practice (though not mandatory) is to put each virtualhost config in a separate file under /etc/apache2/sites-available and link it under (same)/sites-enabled.

Since the certificate obtained from the CA was in DER format you must first convert it to PEM format. This can be done directly by OpenSSL with openssl x509 -inform der -in $derfile -out $pemfile or by numerous other programs that can import DER format and then write out PEM format (including at least Windows, Firefox/NSS, and Java).

Upvotes: 2
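As an added example (not the answerer's code), the steps in the answer carried out with only the Python standard library: find the caIssuers URL inside the server's DER certificate, download the issuer cert it points at, and convert that DER file to PEM so it can be appended after the server cert in SSLCertificateFile (2.4.8+) or SSLCertificateChainFile. The AccessDescription sample is constructed, and the OID scan is an assumed shortcut in place of a full ASN.1 parser.

```python
import base64
import re
import sys
import urllib.request
# DER encoding of the caIssuers accessMethod OID 1.3.6.1.5.5.7.48.2.
CA_ISSUERS_OID = bytes.fromhex("06082b06010505073002")
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
SAMPLE_URL = b"http://repository.certum.pl/dvcasha2.cer"  # constructed sample, URL from the answer
# Constructed sample: one AccessDescription { caIssuers, [6] URI } as it sits inside an AIA extension.
SAMPLE_ACCESS_DESCRIPTION = b"\x30\x34" + CA_ISSUERS_OID + b"\x86\x28" + SAMPLE_URL

def der_length(buf: bytes, pos: int) -> tuple:
    """Decode the DER length at buf[pos]; return (length, offset of the first content byte)."""
    first = buf[pos]
    if first < 0x80:            # short form: one byte
        return first, pos + 1
    n = first & 0x7F            # long form: n length bytes follow
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def ca_issuers_urls(der: bytes) -> list:
    """Return every caIssuers URI in a DER certificate. Assumption: scanning for the OID and
    expecting a [6] IA5String URI (tag 0x86) right after it, instead of a full ASN.1 parse."""
    urls, start = [], 0
    while (idx := der.find(CA_ISSUERS_OID, start)) != -1:
        start = idx + len(CA_ISSUERS_OID)
        if start < len(der) and der[start] == 0x86:
            length, content = der_length(der, start + 1)
            urls.append(der[content:content + length].decode("ascii"))
    return urls

def to_der(cert: bytes) -> bytes:
    """Accept PEM or DER input and return the DER bytes."""
    m = PEM_RE.search(cert)
    return base64.b64decode(b"".join(m.group(1).split())) if m else cert

def der_to_pem(der: bytes) -> str:
    """Same transformation as `openssl x509 -inform der`: base64 in 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def fetch_issuer_pem(url: str) -> str:
    """Download the parent cert (served as DER, per the answer) and return it as PEM. Network call."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return der_to_pem(to_der(resp.read()))

if __name__ == "__main__":  # usage: python aia_chain.py server.crt (PEM or DER)
    for url in ca_issuers_urls(to_der(open(sys.argv[1], "rb").read())):
        print(fetch_issuer_pem(url))  # append to SSLCertificateFile (2.4.8+) or SSLCertificateChainFile
```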
