SSL Certificate error : Invalid CA - ssl

Can someone explain why this site https://whatsmychaincert.com/?www.uts.edu.au gives an error in certificate chain:
An error occurred when building the chain for this certificate. The certificate might lack necessary meta-data or its certificate authority might be malfunctioning. Details:
The chain contains an untrusted certificate without standard CA issuer information (subject = "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"; issuer = "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"; error code = 20)
But if I test the same thing on other verification sites like https://www.sslshopper.com/ssl-checker.html and https://www.digicert.com/help/ there are no issues reported?
Will appreciate any help here.

The site whatsmychaincert is not trusting the root certificate because, as said in the error message, it doesn't know the issuer "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3".
However, both other sites know this issuer and say the certificate is valid. When testing with SSL Labs, which most people use to check that kind of thing, it also says everything is OK ( https://www.ssllabs.com/ssltest/analyze.html?d=www.uts.edu.au ). SSL Labs gives lots of details, including all certificates sent by the web server, so you can see the exact behavior.

Related

Why do I get an SSL misconfiguration error?

I installed the SSL certificate on my server but I have this error:
This server could not prove that it is spdns.ir; its security certificate is from vmi90749. This may be caused by a misconfiguration or an attacker intercepting your connection.
Can anyone explain to me what the problem is and how I should fix it?
Thanks
The error is quite self-descriptive. The certificate is issued to the name vmi90749, while you are trying to access the name spdns.ir. There is nothing in common between them. You need to install a certificate that is issued to the name spdns.ir and make sure it is issued by a trusted authority, preferably a globally trusted CA vendor (there are CAs that issue certificates for free).
As a side note: when requesting a new certificate for the name spdns.ir, make sure that the name is added to the Subject Alternative Names certificate extension. Google Chrome deprecated the Subject field.

Cert unable to be installed in cpanel

I don't know much about this topic, but have a site (shared hosting) and want ssl for it. Got a certificate from letsencrypt (for both www and plain mydomain.com), they verified it successfully, so I put the cert and private key into the ssl config part of cpanel. Cpanel marked the inputs valid but then gave me the following error
The certificate could not be installed on the domain “mydomain.com”.
error Certificate verification failed!
Certificate verification failed:
unable to load certificate
140495454865312:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:812:
I have no idea what this means. Any help would be appreciated.
Got it working by making sure every line was exactly 64 characters long
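
An added example, not part of the original posts: a Ruby helper that rewraps a PEM body into 64-character lines (the layout RFC 7468 requires of generators; only the final line may be shorter), which is the fix the poster describes. `normalize_pem`, `body_line_lengths` and the sample bytes are constructed for the illustration.

```ruby
# Matches one PEM block and captures its label and body.
PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----/m

# Re-emit every PEM block in `text` with the base64 body in 64-character
# lines and LF line endings. Raises ArgumentError if the body is not valid
# base64, which rewrapping cannot repair.
def normalize_pem(text)
  blocks = text.scan(PEM_BLOCK)
  raise ArgumentError, 'no PEM block found' if blocks.empty?

  blocks.map do |label, body|
    der = body.gsub(/\s+/, '').unpack1('m0')   # strict decode, whitespace removed
    lines = [der].pack('m0').scan(/.{1,64}/)   # re-encode, then cut into 64s
    ["-----BEGIN #{label}-----", *lines, "-----END #{label}-----"].join("\n") + "\n"
  end.join
end

# Lengths of the body lines, to show what a PEM parser will see.
def body_line_lengths(pem)
  pem.lines.map(&:strip).reject { |l| l.start_with?('-----') }.map(&:length)
end

# Constructed input: 200 arbitrary bytes (not a real certificate) encoded as
# 100-character lines with CRLF endings, as a paste from a web form can produce.
SAMPLE_DER = (0...200).map { |i| (i * 7) % 256 }.pack('C*')
BROKEN_PEM = "-----BEGIN CERTIFICATE-----\r\n" +
             [SAMPLE_DER].pack('m0').scan(/.{1,100}/).join("\r\n") +
             "\r\n-----END CERTIFICATE-----\r\n"

puts "before: #{body_line_lengths(BROKEN_PEM).inspect}"                 # [100, 100, 68]
puts "after:  #{body_line_lengths(normalize_pem(BROKEN_PEM)).inspect}"  # [64, 64, 64, 64, 12]
```

The same helper works for a private key block, since only the label between the BEGIN/END markers differs.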

Does the certificate need to be official or self signed?

I am putting a web test up for clients that visit "https://oursite.com/poodlesecurityfailed.js"
Question,
Do I need a valid certificate even though it's on a test domain for certificate negotiation? If client can visit it, they failed the poodle test. (SSLv3 is enabled) on that host.
Ideas?
Do I need a valid certificate even though it's on a test domain for certificate negotiation? If client can visit it, they failed the poodle test. (SSLv3 is enabled) on that host.
Depends on the client.
If the client has enough knowledge to understand that "invalid certificate" when accessing the site means in reality that the client still has SSL 3.0 enabled, then a self-signed certificate would be enough.
If you instead want to provide an explanation of the problem at this site and don't expect the client to explicitly accept an invalid certificate just to see this explanation, then you had better use a properly trusted certificate.

Ruby Net HTTP Post: Certificate Verify Failed

Ruby 2.0, Rails 4.0.2
I have read a number of SO posts about the error I'm getting, and I'm still confused. Here's what I'm trying to do.
I'm running a Rails app on an Ubuntu server: https://rails.example.com. It has a PositiveSSL certificate for the domain from Comodo.
From within that Rails app, I'm trying to post data to a form on another one of my servers: https://api.example.com. It also has a PositiveSSL certificate.
Here's my code:
require 'net/http'
require 'uri'

uri = URI('https://app.pilotpro.com/scripts/migrate.php')
Net::HTTP.start(uri.host, uri.port,
                :use_ssl => uri.scheme == 'https') do |http|
  request = Net::HTTP::Get.new uri
  response = http.request request
  logger.info "::: #{response}"
end
This results in this error:
OpenSSL::SSL::SSLError at /test
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
certificate verify failed
I don't get any SSL errors when I view these sites in my web browser, but I think I'm supposed to do something to tell my request about the certificate on the API server, but I am unsure.
Can someone give me some direction on what steps I need to take to make this request not fail?
openssl s_client -connect app.pilotpro.com:443 -CApath /etc/ssl/certs/ gives:
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=app.pilotpro.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
That is the complete chain, which means that your client expects to have PositiveSSL CA 2 as a trusted Root-CA in the CA store. But this is not the case, because this CA is just an intermediate CA, so your HTTPS server should send all the intermediate CAs on the path to the trusted Root-CA.
So this is not a client-side, but a server-side problem. See also http://www.positivessl.com/ssl-certificate-support/cert_installation/apache-ssl.php
The reason you get no errors if you access it from browsers might be that browsers cache intermediate CAs. So if the browser once connected to a host which provided the correct certificate chain, it can from now on deal with hosts which omit the needed chain. With Firefox you might try accessing the site with a fresh browser profile, which does not have any certificates cached.
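
An added example (not from any of the posts above) that reproduces the failures discussed in these threads with a constructed three-level test PKI: verification fails with error code 20 when the server omits the intermediate or when the verifier does not know the root, and the hostname check is a separate step from chain validation. All names, keys and the `make_cert`/`check_chain` helpers are assumptions made for the illustration.

```ruby
require 'openssl'

# Constructed test PKI: all names and keys are made up for this example.
def make_cert(cn, key, issuer: nil, issuer_key: key, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = (issuer || cert).subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', san)) if san
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

KEYS = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT = make_cert('Example Test Root CA', KEYS[0], ca: true)
ICA  = make_cert('Example Test Issuing CA', KEYS[1], issuer: ROOT, issuer_key: KEYS[0], ca: true)
LEAF = make_cert('app.example.test', KEYS[2], issuer: ICA, issuer_key: KEYS[1],
                 san: 'DNS:app.example.test')

# trusted: the client's root store; sent: extra certificates the server
# includes in its handshake besides the leaf.
def check_chain(leaf, trusted:, sent:)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, sent)
  ok = ctx.verify
  { ok: ok, code: ctx.error, reason: ctx.error_string,
    failed_at: ok ? nil : ctx.current_cert.subject.to_s }
end

{ 'leaf only, root trusted'           => [[ROOT], []],
  'leaf + intermediate, root trusted' => [[ROOT], [ICA]],
  'leaf + intermediate, root unknown' => [[], [ICA]] }.each do |label, (trusted, sent)|
  puts "#{label}: #{check_chain(LEAF, trusted: trusted, sent: sent)}"
end

# Name matching is a separate check from chain building.
%w[app.example.test other.example.test].each do |host|
  puts "#{host}: #{OpenSSL::SSL.verify_certificate_identity(LEAF, host)}"
end
```

In the first case the failure is reported at the leaf, in the third at the intermediate, which is the shape of the whatsmychaincert message quoted at the top of the page.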

SSL Certificate Validity

I'm using an SSL certificate from GeoTrust. I just ordered and installed it this weekend.
However, when I try to access my website using https, Firefox (and the other browsers as well) warns that the certificate expired a few days ago.
I guess there could be two reasons:
I made a mistake during the installation of the certificate
Geotrust did not sign the certificate properly.
First I want to rule out the second reason considering my browser tells me the certificate expired a few days ago. This does not make sense at all.
Is there a way to extract the expiration date from the certificate?
Thanks!
Sure.... check the certificate in the browser. Click on the not valid warning / broken SSL symbol in the address bar, it should give you an option to view the certificate ;)
TomTom's answer is right on!
Just about any browser will let you see the details of the certificate. There's always a Valid From field and a Valid To field describing the cert's validity period.
Also - check the subject DN and issuer DN. The Subject DN describes your server, the Issuer DN describes the signer. The issuer should be GeoTrust - if the issuer is not GeoTrust, you are not configured correctly, you are likely to be using the cert that came with the web server.