Sorry, you are right. The problem is that the Windows 7 certificate store does not have the Equifax root certificate out of the box (on Windows XP it does). The number of root certificates included with Windows 7 out of the box is actually quite low.
The machines where I tested this and got an error (Windows 7 and 2008) are fully updated (including the root certificates update). However, they are behind a proxy server, and maybe the root certificates update doesn't work over a proxy server.

I manually installed the root certificates update again (http://www.microsoft.com/downloads/en/confirmation.aspx?familyId=e4f9b573-66d7-4dda-95d5-26c7d0f6c652&displayLang=en) with the machine connected directly to the internet and it populated the certificate store with the missing root certificates.

I guess this is still a problem, but only for users that do not update or that are behind HTTP proxy servers (corporate users, mostly).

Best regards,

On Aug 27, 10:13 am, Carlos Rodrigues <[email protected]> wrote:
> The Equifax certificate is there, but the problem is with the
> intermediate CA's certificate (Google's), which isn't found.
>
> If it works for you on Windows 7, maybe you have Google's CA
> certificate installed. This would certainly make the error go away,
> but we can't ask users to do this (because most won't).
>
> @James: This is not a limitation of wildcard certificates because it
> works on Firefox but also with all browsers I've tested on Windows XP
> and OS X (including Safari, which shows the error on Windows 7).
>
> Best regards,
>
> On Aug 27, 2:36 am, Matthew Blain <[email protected]> wrote:
>
> > This works for me on Windows 7. It's possible that the root
> > certificates on your Windows machine are somehow missing the Equifax
> > Secure Certificate Authority root certificate (also sometimes listed
> > as GeoTrust)? Have you edited your list? I see a suggestion online to
> > also check Windows Updates to see if there's a certificate update,
> > though I believe this is not a recent CA.
>
> > --Matthew
>
> > On Aug 26, 10:45 am, Robert Kluin <[email protected]> wrote:
>
> > > Interesting. You are right, I probably checked using an XP vm not a Win 7
> > > vm.
>
> > > On Thu, Aug 26, 2010 at 10:44, Carlos Rodrigues <[email protected]>
> > > wrote:
> > > > BTW, this is not a problem exclusive to GAE. The certificate for
> > > > "code.google.com" also seems to have changed recently and I just got a
> > > > warning from TortoiseSVN that the new certificate cannot be validated
> > > > because the certificate chain is incomplete.
>
> > > > Best regards,
>
> > > > On Aug 26, 3:42 pm, Carlos Rodrigues <[email protected]> wrote:
> > > >> Since the problem only happens with browsers that rely on Windows'
> > > >> certificate infrastructure, the version of Windows matters.
>
> > > >> I've tested with IE 8 on Windows 7 and Windows Server 2008 and the
> > > >> problem occurs;
> > > >> I've also tested with IE 7 on Windows XP and Windows Server 2003 and
> > > >> the problem does not occur;
>
> > > >> I did not test with Windows Vista.
>
> > > >> It seems that older versions of Windows follow the certificate chain
> > > >> (by downloading it from somewhere), while the more recent versions
> > > >> only follow it if the webserver itself provides the intermediate CA's
> > > >> certificate (as I said, I've tested with other sites that use
> > > >> intermediate CAs and they show no errors - because the intermediate
> > > >> CA's certificate is being provided by Apache using the option I
> > > >> mentioned before).
>
> > > >> Best regards,
>
> > > >> On Aug 25, 10:19 pm, Robert Kluin <[email protected]> wrote:
>
> > > >> > I only get a certificate error if I go
> > > >> > to https://test.xx.appspot.com. I do not get errors going
> > > >> > to https://xx.appspot.com.
>
> > > >> > I tested with IE and Chrome and Windows.
>
> > > >> > Robert
>
> > > >> > On Wed, Aug 25, 2010 at 05:27, Carlos Rodrigues
> > > >> > <[email protected]> wrote:
> > > >> > > Hi again,
>
> > > >> > > Any ideas? This is a show-stopper as far as secure applications
> > > >> > > go...
>
> > > >> > > Best regards,
>
> > > >> > > On Aug 23, 12:39 pm, Carlos Rodrigues <[email protected]>
> > > >> > > wrote:
> > > >> > >> Hi all,
>
> > > >> > >> I'm developing a small application on GAE that requires HTTPS,
> > > >> > >> however
> > > >> > >> I'm having some trouble with the "*.appspot.com" certificate.
>
> > > >> > >> On Chrome, Safari and IE on Windows I get a certificate validation
> > > >> > >> error. This error appears to be related to the certificate
> > > >> > >> validation
> > > >> > >> path, because the topmost authority is "Google Internet
> > > >> > >> Authority" and
> > > >> > >> shows as "Not found".
>
> > > >> > >> On Firefox there is no error, and the certificate chain correctly
> > > >> > >> shows Equifax as the root CA and "Google Internet Authority" as an
> > > >> > >> intermediate CA.
>
> > > >> > >> On the Mac both Firefox and Safari work without showing any
> > > >> > >> errors.
>
> > > >> > >> Is there a way around this? I can't expect users to trust the
> > > >> > >> application if they get a certificate error on Windows in every
> > > >> > >> browser except Firefox.
>
> > > >> > >> So a summary of tested browsers:
>
> > > >> > >> * Internet Explorer 8 (Windows): error
> > > >> > >> * Safari (Windows): error
> > > >> > >> * Safari (OS X): OK
> > > >> > >> * Chrome (Windows): error
> > > >> > >> * Firefox (Windows): OK
> > > >> > >> * Firefox (OS X): OK
>
> > > >> > >> It appears that browsers which use the integrated certificate
> > > >> > >> infrastructure on Windows are affected, and others are not.
>
> > > >> > >> I know that Windows supports intermediate CAs because I've tested
> > > >> > >> it.
> > > >> > >> But it seems to require that the website itself provides the
> > > >> > >> intermediate CA's certificate (for example, on Apache this would
> > > >> > >> be the
> > > >> > >> "SSLCertificateChainFile /path/to/intermediate-ca.crt" option).
>
> > > >> > >> Google App Engine does not appear to do this.
>
> > > >> > >> Best regards,
> > > >> > >> Carlos Rodrigues
>
> > > >> > > --
> > > >> > > You received this message because you are subscribed to the Google
> > > >> > > Groups "Google App Engine" group.
> > > >> > > To post to this group, send email to
> > > >> > > [email protected].
> > > >> > > To unsubscribe from this group, send email to
> > > >> > > [email protected].
> > > >> > > For more options, visit this group
> > > >> > > at http://groups.google.com/group/google-appengine?hl=en.
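
The thread turns on which certificate the Windows clients could not find: the intermediate (not sent by the server) or the Equifax root (absent from the trust store). As an added example, not part of any message in the thread, this Python sketch models name chaining only, with no signature or validity checks, and shows that the name of the missing issuer separates the two cases; `build_path`, `diagnose` and the dictionary layout are assumptions made for illustration.

```python
# Added illustration: certificates are modelled as subject/issuer names only.
# Real path validation also verifies signatures, validity dates and constraints.
ROOT = "Equifax Secure Certificate Authority"
INTERMEDIATE = {"subject": "Google Internet Authority", "issuer": ROOT}
LEAF = {"subject": "*.appspot.com", "issuer": "Google Internet Authority"}


def build_path(presented, trusted_roots, cached_intermediates=()):
    """Return (ok, path, missing_issuer).

    presented            -- certificates sent by the server, leaf first
    trusted_roots        -- subject names in the client's root store
    cached_intermediates -- intermediates the client already holds locally
    """
    pool = {c["subject"]: c for c in list(presented[1:]) + list(cached_intermediates)}
    current = presented[0]
    path = [current["subject"]]
    while True:
        issuer = current["issuer"]
        if issuer in trusted_roots:
            return True, path + [issuer], None
        if issuer not in pool or issuer in path:
            # No certificate available for this issuer (or a loop): stop here.
            return False, path, issuer
        current = pool[issuer]
        path.append(issuer)


def diagnose(presented, trusted_roots, cached_intermediates=()):
    """Turn the build_path result into a one-line report."""
    ok, path, missing = build_path(presented, trusted_roots, cached_intermediates)
    if ok:
        return "ok: " + " -> ".join(path)
    return "chain stops at %r, issuer not found: %r" % (path[-1], missing)


if __name__ == "__main__":
    # Server sends the leaf only; client has the root (missing-intermediate case).
    print(diagnose([LEAF], {ROOT}))
    # Server sends leaf + intermediate; client lacks the root (missing-root case).
    print(diagnose([LEAF, INTERMEDIATE], set()))
    # Leaf + intermediate sent and root installed.
    print(diagnose([LEAF, INTERMEDIATE], {ROOT}))
    # Leaf only, but the client already holds the intermediate locally.
    print(diagnose([LEAF], {ROOT}, [INTERMEDIATE]))
```

If the missing issuer is the intermediate's name, the fix is on the server (send the chain); if it is the root's name, the fix is on the client (update the root store).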
