Mandrill webhooks, SSL certificate verify failed, verify that the CA cert is OK - ssl-certificate

I've been getting this error for a long while:
POST to https://www.xxxxxx.com/hook/mandrill/quotations/opened failed: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I got my certificates renewed by Comodo recently, and ever since I've been getting these errors.
It still seems to work though, but I'm worried some of the webhooks might not get through.
Is anyone getting these errors as well? Might it be a problem on their side? Because I have checked my website on https://www.sslshopper.com/ssl-checker.html and it seems to be perfectly fine.
Also I'm hosting my website on Amazon
Thanks

This is an issue with your installed SSL certificate. You most likely did not combine the .crt file and the .ca-bundle file they provided to you and only installed the .crt file. Comodo provides the following two files in the zip package they make available to you:
_yourdomain_com.crt
_yourdomain_com.ca-bundle
The .ca-bundle includes all your intermediate certificates. You need to combine the contents of the two above files together. Your output .crt file would look something like:
-----BEGIN CERTIFICATE-----
contents of original crt file
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
contents of 1st cert in ca-bundle file
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
contents of 2nd cert in ca-bundle file
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
etc...
-----END CERTIFICATE-----
You must list the original certificate as the first certificate in the output file. Then come the intermediate certificates in your bundle.
Replace the .crt file that your server is pointing to with the above output .crt file. No need to change any of the web server configurations for either Apache or Nginx - both support bundled certificates. Make sure to restart your web server once the changes are made.
Before you make any of the above changes, you can actually see whether or not the missing .ca-bundle is causing your error by running an SSL test against your domain. In the results section after the test finishes, look for Additional Certificates. The results will state that you are missing certificates if you do not have the appropriate intermediate certificates in your .crt file.

Related

How do I correctly install certificates to make a SOAP request on Windows 10

I need to make a request to a SOAP service and it is protected with certificates.
I have installed the certificates as far as I am able to tell. However the soap request fails with handshake errors.
I have a bunch of certificate files given to me but I have no idea which ones are which.
So I have as follows (names changed to protect information)
MyCertificationAuthority.pem
MyCert.pem
MyCert2.pem
then I have what looks to be the same things in a different format.
MyCertificationAuthority.p7b
MyCert.p7b
then I have a single file named MyCert.pem which is smaller in file size than the other one of the same name and contains simply
-----BEGIN NEW CERTIFICATE REQUEST----- a lot of characters
-----END NEW CERTIFICATE REQUEST-----
I was told that this was the private key file, however if I check it using
openssl rsa
then it errors.
I have double clicked on the p7b files and installed the certificates in them using the default options and I have those certificates in the Certificate Management app in windows.
3 are in the Third-Party Certification Authorities folder
1 ended up in the Other People folder (which I have also copied into the Trusted Root Certification Authorities Folder)
4 have ended up in the Intermediate Certification Authorities Folder
All were installed for local computer rather than current user.
Now I am led to believe I should have a private key file too. However I can not find where this could be.
What am I doing wrong? Where would I normally get the private key file from?
I would have thought the service side has the private key in order to verify that our certificate is valid?
MyCert.pem is as follows (with the actual data removed for privacy reasons)
subject=CN=********************** issuer=CN=************************
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=CN=**************** issuer=CN=*****************
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=CN=********************** issuer=CN=***********************
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Zevenet Load Balancer - SSL Certificate

I am wondering if anyone has any experience with Zevenet Load Balancers.
I have set up the community version (V4). I have 2 web servers with replicated content, and I have a virtual IP set up in the system which points to the 2 IP addresses of the web servers. The load balancer works for HTTP and HTTPS traffic correctly but shows a cert error when trying to get to the servers via HTTPS.
I want to combat this by adding a certificate to the load balancer. To do this I have followed these steps:
https://www.zevenet.com/knowledge-base/howtos/manage-certificates-with-zen-load-balancer/ (ignoring the bit about purchasing a cert from SofIntel as we use JISC for our Certs)
Basically I created a certificate in the load balancer, generated the CSR, purchased a certificate from JISC by uploading the CSR generated from the load balancer.
I then downloaded the ZIP file from JISC which contains the crt for the domain, as well as the root certificates required also in the ZIP.
I tried uploading the ZIP to the load balancer and it pops up an error showing that the certificate needs to be created in a PEM format.
I then found this here:
https://www.zevenet.com/knowledge-base/howtos/create-certificates-pem-format/
I am not really sure what this is asking me to do. Does this mean the original CSR that I generated is irrelevant now? The instructions on the above link say that the PEM file needs to be the following:
-----BEGIN RSA PRIVATE KEY-----
Private Key (without passphrase)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Certificate (CN=www.mydomain.com)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate (Intermediate CA, if exists)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root (ROOT CA, who signs the Certificate)
-----END CERTIFICATE-----
Essentially I already have the domain certificate, the intermediate and the root, all from JISC now. But is there any way I can go about getting the private key from the load balancer so that I can just create the PEM file manually?
I am pretty new to cert stuff, not sure why it won't just let me upload the zip file.

Nginx install intermediate certificate

I'm trying to install an intermediate certificate on Nginx ( laravel forge ).
Right now the certificate is properly installed, just the intermediate that is missing.
I've seen that I need to concatenate the current certificate with the intermediate. What is the best/safest way to add the intermediate certificate?
Also, if the install of the intermediate fails, can I just roll back to the previous certificate and reboot Nginx? (The website is live, so I can't have too long a downtime.)
Nginx expects all of a server section's certificates in one file that you refer to with ssl_certificate. Just put all the vendor's intermediate certificates and your domain's certificate in a file. It'll look like this.
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
To make sure everything is okay and to avoid downtime, I would suggest that you set up Nginx locally, add 127.0.0.1 yourdomain.com to /etc/hosts, and try to open it from major browsers. When you've verified that everything is correct you can replicate it to the production server.
When you're done, it is a good idea to use some SSL checker tool to verify (e.g. this one). Because pre-installed CA certificates may vary depending on browser and platform, you can easily overlook a misconfiguration checking from one OS or a limited set of browsers.
Edit
As #Martin pointed out, the order of certificates in the file is important.
RFC 4346 for TLS 1.1 states:
This is a sequence (chain) of X.509v3 certificates. The sender's
certificate must come first in the list. Each following
certificate must directly certify the one preceding it.
Thus the order is:
1. Your domain's certificate
2. Vendor's intermediate certificate that certifies (1)
3. Vendor's intermediate certificate that certifies (2)
...
n. Vendor's root certificate that certifies (n-1). Optional, because it should be contained in client's CA store.
Letsencrypt: fullchain.pem
Same trouble for me. I was using Letsencrypt and, in my Nginx configuration, I needed to NOT use this:
ssl_certificate /etc/letsencrypt/live/domain.tld/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
But use this:
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

How to generate the Certificate Chain for AWS load balancer?

I'm using Amazon Load Balancer with SSL configuration. Everything went fine except on Firefox, which shows the exception page. It does not look safe to the user.
This article suggest to put the Certificate Chain to the configuration section.
My SSL provider is Comodo (InstantSSL). They provide two files .crt and .ca-bundle only.
How can i generate the Certificate Chain?
You can cat the .crt and the .ca-bundle file together. That's what we wound up doing using a service called OpDemand, which is backed by AWS.
cat certfile.crt bundle.ca-bundle > chain.crt
chain.crt should be the file you're looking for. Also, the order is important. The certificate.crt file has to be first.
Use the Root.crt and Intermediate.crt content and arrange them in the following order. You can create this file manually as well:
-----BEGIN CERTIFICATE-----
<Root content>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Intermediate content>
-----END CERTIFICATE-----
More Information
Comodo should provide you with the Certificate Chain. This is not something that you can generate yourself. A quick Google search suggests that you should be able to download it from here: https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=1

Trouble with Heroku SSL Endpoint

I am trying to add an SSL cert to Heroku. The cert was purchased from Network Solutions. I went through all of the steps and created a .csr file, uploaded that file to NetworkSolutions, downloaded their bundle of .crt files (MYSITE.crt, AddTrustExternalCARoot.crt, NetworkSolutionsDVServerCA.crt) and then combined the site cert & the intermediate certificate (AddTrustExternalCARoot.crt) bundles. When I try and add the final.crt file I produce to Heroku I get:
! Expires at can't be blank
! Pem is invalid
Using Preview I can clearly see that "Not Valid After" is set so I am not really sure what is going on here.
For what it's worth I also tried combining NetworkSolutionsDVServerCA.crt with MYSITE.CRT and also combining all 3, all with no luck.
This kind of thing isn't my strong point (I am sure you can tell) so it's very possible I am missing something, but if you have any ideas on what it might be I would appreciate it.
Thanks
I faced the same problem today.
Below are the steps I followed to fix it.
Combine the certificate files in the below order (from the site certificate to the root certificate) into a .crt or .pem file. Let's assume you name it Mysite_combined.crt.
MySite.crt, NetworkSolutionsDVServerCA.crt, AddTrustExternalCARoot.crt
Open Mysite_combined.crt; the content of the file will look like
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
..
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
Now insert a line feed between each certificate. Make sure there is no white space or blank line in the edited file. The content should now look like
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Now add the certificate to Heroku using the command
heroku certs:add Mysite_combined.crt Mysite.key
Note: Since the Network Solutions certificate does not have a pass code, you can ignore the steps to remove the pass code on the Heroku site. If you use a key which has a pass code, refer to this article, which details how to set up SSL for Heroku. You should do step 2 above in any case.
It's likely there was an error in cat'ing your cert together with the intermediate. You should look to see that there was not a missing line break, or extra line breaks, that may have caused the error.
I had this problem as well and in my case it turned out to be the order of the arguments. Apparently the heroku utility expects the .crt file to precede the .key file.
In other words: heroku certs:add server.crt server.key
When I got this error, I had to add a newline at the end of my site.crt before running this command:
$ cat site.crt ca_bundle.pem > final.crt
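Added example, not code from any of the posts above, that does mechanically what the Comodo, Nginx and Heroku answers describe by hand. It is standard-library Python with no network access. It splits a pasted bundle into its PEM blocks (tolerating the fused `-----END CERTIFICATE----------BEGIN CERTIFICATE-----` markers and the missing final newline the Heroku answers mention), reports any non-certificate block that slipped in (a `NEW CERTIFICATE REQUEST` block like the one in the Windows question is a PKCS#10 certificate request, not a key), reads each certificate's issuer and subject straight out of the DER, checks the leaf-first order the RFC 4346 quote requires (certificate i must be issued by certificate i+1), and re-emits the bundle with exactly one newline between blocks and a newline at the end. The sample certificates are constructed, unsigned DER shells with made-up names (www.example.com, "Example Intermediate CA", "Example Root CA"); they are not real certificates, and the small encoder that builds them exists only to give the checks something to run on.

```python
import base64
import re

# Any PEM block; \1 makes the BEGIN and END labels agree.  Tolerates the fused
# "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" and no final newline.
_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def split_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block, in file order."""
    blocks = []
    for label, body in _PEM_RE.findall(text):
        b64 = "".join(body.split())
        if not b64:
            raise ValueError("empty %s block" % label)
        blocks.append((label, base64.b64decode(b64, validate=True)))
    return blocks

def certificates(text):
    """-> (certificate DERs, sorted labels of anything else).  A CSR ('NEW
    CERTIFICATE REQUEST') or a key pasted in by mistake is reported, not shipped."""
    blocks = split_pem(text)
    return ([der for lbl, der in blocks if lbl == "CERTIFICATE"],
            sorted({lbl for lbl, _ in blocks if lbl != "CERTIFICATE"}))

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """(tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def issuer_subject(der):
    """(issuer, subject) as raw DER Name contents of an X.509 certificate."""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE, so not a certificate")
    _, tbs, _ = _tlv(cert, 0)             # tbsCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:              # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]

def chain_breaks(ders):
    """RFC 4346 order: certificate i must be issued by certificate i+1.
    Returns the indexes where that fails; [] means the order is right."""
    names = [issuer_subject(d) for d in ders]
    return [i for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

def write_bundle(ders):
    """PEM with 64-char lines, one newline between blocks and a trailing newline."""
    out = []
    for der in ders:
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body)
    return "".join(out)

# ---- constructed sample data: unsigned DER shells, NOT real certificates ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn):   # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
    attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, attr))

def fake_cert(subject_cn, issuer_cn):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") +
           _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

def _pem(label, der):   # deliberately no newlines, as in the Heroku post
    return "-----BEGIN %s-----%s-----END %s-----" % (label, base64.b64encode(der).decode(), label)

LEAF = fake_cert("www.example.com", "Example Intermediate CA")
INTER = fake_cert("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")
MESSY_BUNDLE = _pem("CERTIFICATE", LEAF) + _pem("CERTIFICATE", INTER) + _pem("CERTIFICATE", ROOT)
WRONG_ORDER = "\n".join(_pem("CERTIFICATE", d) for d in (ROOT, INTER, LEAF))
WITH_CSR = MESSY_BUNDLE + _pem("NEW CERTIFICATE REQUEST", b"\x30\x00")

if __name__ == "__main__":
    ders, stray = certificates(MESSY_BUNDLE)
    print("stray blocks:", stray, "chain breaks:", chain_breaks(ders))          # [] []
    print(write_bundle(ders), end="")
    print("wrong order breaks:", chain_breaks(certificates(WRONG_ORDER)[0]))    # [0, 1]
    print("stray blocks with a CSR pasted in:", certificates(WITH_CSR)[1])      # ['NEW CERTIFICATE REQUEST']
```

The order check compares the issuer and subject Names byte for byte, which is stricter than the RFC 5280 name-matching rules, so a mismatch caused purely by two encodings of the same name would be a false alarm, while one caused by a misordered or unrelated certificate is real. A self-signed root at the end is accepted, as the Nginx answer says it may be. Nothing here checks signatures: once the bundle is written out, `openssl verify -CAfile <intermediates> <leaf>` or the SSL checker the answers link to is still the test that the chain actually validates.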