I have tried Google's certificate-transparency-go to build a CT log server, but cannot build it successfully.
No CT log server supports posting an SSL cert signed by a self-signed CA.
Are there any plans to support CT for non-authoritative CAs?
I've put together a Linux (CentOS 7) server to serve eye-n-sky.net.
Serving content from that site to browsers on Win10 and Linux systems works beautifully. However, when I use openssl to access the site,
openssl s_client -connect eye-n-sky.net:443
the site certificate is rejected,
Verify return code: 21 (unable to verify the first certificate)
I've concluded that the way a browser verifies the certificate is different from what openssl does. Am I on the right track?
I've tested this on three different OpenSSL instances (Debian, CentOS, FreeBSD) and have consistent results.
OpenSSL as a client to other sites, e.g. www.godaddy.com, microsoft.com, works fine, being able to verify the certificate against the installed CA chain.
Believing that I was missing a CA cert, I used the -CAfile option to specify the possibly missing cert, to no effect.
What am I missing? I'm guessing that openssl has a stricter verification discipline, but I don't know where that gets configured.
Thanks,
Andy
Summary: yes, eye-n-sky was providing only its cert when it needed to include the intermediate and root certs.
However, it took me forever to figure out that my Apache version did not support including the chain in the server cert file. Instead, I had to provide the chain file separately in an SSLCertificateChainFile directive.
OpenSSL's command-line s_client utility has nothing built in to validate the server's certificate. Browsers have a built-in list of trusted certificates to verify the server certificate against.
You have to supply the trusted certificates using options such as -CAfile file or -CApath directory. Per the OpenSSL 1.1.1 s_client man page:
-CApath directory
The directory to use for server certificate verification. This
directory must be in "hash format", see verify(1) for more
information. These are also used when building the client certificate
chain.
-CAfile file
A file containing trusted certificates to use during server
authentication and to use when attempting to build the client
certificate chain.
Note the use of words such as "certificate chain". If you go to godaddy.com you'll see that the server's cert is for *.godaddy.com, but it was signed by Go Daddy Secure Certificate Authority - G2, and that intermediate certificate was signed by Go Daddy Root Certificate Authority - G2 - a different certificate. There's a total of three certificates in that chain.
Verify return code 21 is "no signatures could be verified because the chain contains only one certificate and it is not self signed", so if your CA file only had the certificate from Go Daddy Root Certificate Authority - G2 and not the one from Go Daddy Secure Certificate Authority - G2, OpenSSL would see from the server's cert itself that it was signed by Go Daddy Secure Certificate Authority - G2 and could go no further - it doesn't have that cert to see who signed it.
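The following script reproduces the situation from the question end to end. It is an added example, not code from the answer above or from the OpenSSL project: it builds a throw-away root, intermediate and leaf, shows that the leaf alone cannot be chained to the root while the leaf plus the intermediate can, and then runs a local openssl s_server that first serves only the leaf (s_client reports return code 21) and then serves the intermediate as well (return code 0). Assumptions: openssl 1.1.1 or later on PATH, TCP port 44330 free on 127.0.0.1, and mktemp available; the CA names and the eye-n-sky.net subject are made up for the demo.

```shell
#!/bin/sh
# Added example: reproduce "Verify return code: 21" with a constructed three-level PKI
# and a local openssl s_server, then show the same server verifying cleanly once it
# serves its intermediate. Not code from the original post.
set -e

PORT=44330                      # assumption: an unused local port
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue_cert NAME SUBJECT SIGNER EXTENSIONS   (SIGNER = "self" for the root)
issue_cert() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -config "$WORK/openssl.cnf" -key "$WORK/$1.key" \
        -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
    if [ "$3" = self ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 2 \
            -extfile "$WORK/openssl.cnf" -extensions "$4" -out "$WORK/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
            -CAcreateserial -days 2 -extfile "$WORK/openssl.cnf" -extensions "$4" \
            -out "$WORK/$1.pem" 2>/dev/null
    fi
}

# Constructed test PKI: root -> intermediate -> leaf (names are made up).
make_test_pki() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:eye-n-sky.net
EOF
    issue_cert root         "/CN=Example Root CA"         self         v3_ca
    issue_cert intermediate "/CN=Example Intermediate CA" root         v3_intermediate
    issue_cert leaf         "/CN=eye-n-sky.net"           intermediate v3_leaf
}

# verify_offline yes|no : can the leaf be chained to the trusted root, with or without
# the intermediate offered as an untrusted helper (the role the served chain plays in TLS)?
verify_offline() {
    helper=""
    if [ "$1" = yes ]; then helper="-untrusted $WORK/intermediate.pem"; fi
    if openssl verify -CAfile "$WORK/root.pem" $helper "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

# served_verify_code yes|no : serve the leaf (plus the intermediate when "yes") from a
# local s_server, connect with s_client that trusts only the root, print its verify code.
served_verify_code() {
    chain=""
    if [ "$1" = yes ]; then chain="-cert_chain $WORK/intermediate.pem"; fi
    openssl s_server -accept "$PORT" -naccept 1 -www \
        -cert "$WORK/leaf.pem" -key "$WORK/leaf.key" $chain >/dev/null 2>&1 &
    srv=$!
    line=""; tries=0
    while [ -z "$line" ] && [ "$tries" -lt 15 ]; do
        sleep 1     # give the server time to listen; retry while the connection is refused
        line=$(openssl s_client -connect "127.0.0.1:$PORT" -CAfile "$WORK/root.pem" \
               </dev/null 2>/dev/null | grep 'Verify return code' | head -n 1)
        tries=$((tries + 1))
    done
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    printf '%s\n' "$line" | sed 's/.*Verify return code: \([0-9]*\).*/\1/'
}

make_test_pki
OFFLINE_LEAF_ONLY=$(verify_offline no)          # FAIL: nothing links the leaf to the root
OFFLINE_WITH_INTERMEDIATE=$(verify_offline yes) # OK
SERVED_LEAF_ONLY=$(served_verify_code no)       # 21: the code from the question
SERVED_WITH_CHAIN=$(served_verify_code yes)     # 0
echo "offline, leaf only:                 $OFFLINE_LEAF_ONLY"
echo "offline, leaf + intermediate:       $OFFLINE_WITH_INTERMEDIATE"
echo "served chain: leaf only:            $SERVED_LEAF_ONLY"
echo "served chain: leaf + intermediate:  $SERVED_WITH_CHAIN"
```

Against a real host, `openssl s_client -connect host:443 -showcerts` prints every certificate the server actually sent; if only one PEM block appears and the verify code is 21, the server is the problem, not the client's trust store, and `-untrusted` is the offline counterpart of the intermediate the server should have been serving.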
PayPal recently announced that they upgraded their certificate to SHA-256 with the VeriSign G5 Root Certificate.
https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1766&viewlocale=en_US
Does AppHarbor have this root certificate installed?
Does it support SHA-256?
Thank you
Yes, SHA-256 is supported, and root certificates are updated regularly and automatically. I can also confirm that the VeriSign G5 Root Certificate mentioned in the PayPal article is installed and trusted on the platform.
I am not very familiar with SSL certificates and how they work.
However, I succeeded in installing an SSL certificate via cPanel on my shared hosting.
Please checkout this page: https://www.sportsdirect.bg/customer/account/create/
As you can see there is a problem with the certificate.
The padlock in the browser URL address is not green. Can you please tell me what can be the reason for this and how I can fix it ?
Off topic for this site.
Your web server is not properly configured to deliver the full certificate chain, see https://serverfault.com/questions/633247/ssl-error-on-mobile-devices .
Check your SSL Labs report and you will see Chain Issues: Incomplete. Your intermediate certificate:
RapidSSL SHA256 CA - G3
Fingerprint: 0e34141846e7423d37f20dc0ab06c9bbd843dc24
RSA 2048 bits (e 65537) / SHA256withRSA
... is not in your server's trust store and is not being served. Take a look at How to install an Intermediate CA cert in Apache.
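Both Andy's summary earlier on this page (his Apache needed the chain in a separate SSLCertificateChainFile) and the "Chain Issues: Incomplete" diagnosis just above come down to the same mod_ssl configuration. The fragment below is an added example, not taken from either post or from the Apache project; the file paths and the virtual host name are assumed.

```apache
# Added example: serving the full certificate chain from Apache httpd (mod_ssl).
# Paths are assumptions; adjust them to your layout.

# BROKEN: only the leaf is served. Browsers that already cache the intermediate
# still show a padlock, but openssl s_client reports "Verify return code: 21"
# and SSL Labs reports "Chain Issues: Incomplete".
<VirtualHost *:443>
    ServerName eye-n-sky.net
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/eye-n-sky.net.crt
    SSLCertificateKeyFile /etc/pki/tls/private/eye-n-sky.net.key
</VirtualHost>

# FIXED, httpd 2.4.8 and later: SSLCertificateFile may contain the leaf followed
# by the intermediate(s), leaf first; SSLCertificateChainFile is obsolete there.
<VirtualHost *:443>
    ServerName eye-n-sky.net
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/eye-n-sky.net.fullchain.crt
    SSLCertificateKeyFile /etc/pki/tls/private/eye-n-sky.net.key
</VirtualHost>

# FIXED, httpd before 2.4.8 (for example the 2.4.6 that CentOS 7 ships): mod_ssl
# reads only the first certificate from SSLCertificateFile, so the intermediate(s)
# must be given separately in SSLCertificateChainFile. Do not include the root;
# the client already has it in its trust store.
<VirtualHost *:443>
    ServerName eye-n-sky.net
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/eye-n-sky.net.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/eye-n-sky.net.key
    SSLCertificateChainFile /etc/pki/tls/certs/eye-n-sky.net.intermediate.crt
</VirtualHost>
```

After reloading httpd, confirm the fix the same way the problem was found: `openssl s_client -connect eye-n-sky.net:443 -showcerts` should now print two certificate blocks (leaf, then intermediate) and a verify return code of 0 against the system trust store.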
Does anyone know how to set up a Symantec EV SSL certificate on Heroku? I'm super confused at the moment. They offer me downloads of an X.509 cert and a PKCS7 cert. In addition, I can download an Apache Bundle, a Plesk Bundle, the Certificate Issuer, or Intermediate CA 1. I'm lost.