Hi James,

I got the correct certificate chain from my Windows 7 box. Microsoft tends to update its trusted CA certificate store more quickly and regularly than Mozilla or Linux distros: the latest update was last month, on March 23rd 2011. It is sad that even the Network Solutions guys are not aware of this update... This issue should not have existed in the first place!

Good luck,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr



On 4/26/2011 7:07 PM, James Chase wrote:


    You've got the wrong chain file.  I understand that NetSol switched to a new
    EV Issuing CA a few months ago.  Are you definitely using the chain file that
    they supplied with your latest site cert?


I am using the chain file that they suggest downloading, which already has the intermediate files concatenated into a file -- but apparently it is wrong. I checked the .crt file that they include with my site certificate and they are the same certs that are in the chain file they have precompiled. I can't believe how much time I have spent on this issue, and could the root of the issue be that they are not packaging the right files with my new certificate? wtf

Mounir, where did you get those certificates?? The only cert that you used that came with my certificate is the last one, AddTrustExternalCARoot -- the other two are NOT included and are not in NetSol's precompiled chain file. Your chain file works when I test with apache, and I have just created a p12 from those chain files and that works too! Hallelujah.

But seriously, how did you synthesize that chain file? And how would I be expected to create that on my own?? I spent an hour and a half on the phone with NetSol telling them there was something wrong with their files, and they just kept saying it was my fault and they will bill me $120/hour to fix it.





    > On Tue, Apr 26, 2011 at 8:19 AM, James Chase <chase1...@gmail.com> wrote:
    > > Well my results are quite different, and I guess point to my p12 not
    > > being correctly created. Strangely, the p12 I am running this test on
    > > works in production and doesn't produce a warning (I re-created last
    > > year's certificate as a new p12 using the same process I am trying with
    > > this year's).
    > >
    > > I also tried running this on my test apache site, where I am just using
    > > the plain old certificate, key and network solutions supplied chain file
    > > -- and the openssl s_client command returns better output but I still
    > > get a warning!
    > >
    > > [me@myserver ~]$ openssl s_client -connect www.example.com:443
    > > CONNECTED(00000003)
    > > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
    > > verify error:num=20:unable to get local issuer certificate
    > > verify return:1
    > > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
    > > verify error:num=27:certificate not trusted
    > > verify return:1
    > > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
    > > verify error:num=21:unable to verify the first certificate
    > > verify return:1
    > > ---
    > > Certificate chain
    > >  0 s:/serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd/OU=Book Sales/OU=Secure Link EV SSL/CN=www.example.com
    > >    i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA
    > > ---
    > >
    > >
    > > On Mon, Apr 25, 2011 at 6:16 PM, Rob Stradling <rob.stradl...@comodo.com> wrote:
    > >> On Monday 25 Apr 2011 20:07:03 James Chase wrote:
    > >> > I simplified the issue a bit in order to try and understand what is
    > >> > going on here and found that the SSL certificate that Network
    > >> > Solutions is providing, along with the intermediate chain file,
    > >> > cannot be verified by newer installs of Firefox.
    > >>
    > >> Hi James.  That seems unlikely.  Try browsing to NetSol's own EV site
    > >> (https://www.networksolutions.com) in FF4.  I see the EV green bar and
    > >> no browser warnings.
    > >>
    > >> Could you post the top part of the output from "openssl s_client
    > >> -connect yourdomain:yourport" ?
    > >>
    > >> Then we can compare it with...
    > >>
    > >> $ openssl s_client -connect www.networksolutions.com:443
    > >> CONNECTED(00000003)
    > >> depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
    > >> verify error:num=19:self signed certificate in certificate chain
    > >> verify return:0
    > >> ---
    > >> Certificate chain
    > >>  0 s:/serialNumber=3713002/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/C=US/ST=VA/L=Herndon/O=Network Solutions, LLC/OU=Technology Services/OU=Secure Link EV SSL/CN=www.networksolutions.com
    > >>    i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
    > >>  1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
    > >>    i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
    > >>  2 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
    > >>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    > >>  3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    > >>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    > >> ---
    > >>
    > >> > It doesn't have anything to do with the p12 file I am creating (I
    > >> > loaded up the network solutions files in apache and tested).
    > >> >
    > >> > Who would be at fault here? Am I still doing something wrong, or is
    > >> > this Mozilla's fault for not including a needed root ca file? It
    > >> > seems the missing link is the "AddTrustExternalCARoot" certificate.
    > >> >
    > >> > I tried adding the AddTrustExternalCARoot cert to the top of my
    > >> > certificate chain, but this causes apache to break, and then not
    > >> > start, complaining of "[error] Failed to configure CA certificate
    > >> > chain!". I used a chain file that I have used in previous years,
    > >> > and that did allow apache to start, but I still cannot verify with
    > >> > Firefox. Then I tried using last year's (and soon expiring)
    > >> > certificate for my site and that works FINE. So ... Network
    > >> > Solutions screwed something up when issuing my certificate (this is
    > >> > the second one I have had re-issued) or am I doing something wrong.
    > >> > I have no idea what that could be at this point -- I have never had
    > >> > so much trouble with an SSL certificate and am not an expert by any
    > >> > means.
    > >> >
    > >> > Anyone have any thoughts? I called NS earlier in this process and
    > >> > they said "not our problem" but perhaps I will try again.
    > >> >
    > >> > On Mon, Apr 25, 2011 at 11:01 AM, James Chase <chase1...@gmail.com> wrote:
    > >> > > I did run the verification, and didn't have an issue there. Still
    > >> > > am not able to figure out how to correctly create this, as the only
    > >> > > way the p12 compiles is by dropping the "-chain" command, but that
    > >> > > creates ssl verification warnings in Firefox web browsers.
    > >> > >
    > >> > > openssl req -verify -in www.example.com.csr -key www.example.com.key
    > >> > > verify OK
    > >> > > -----BEGIN CERTIFICATE REQUEST-----
    > >> > > CERTIFICATE DATA HERE
    > >> > > -----END CERTIFICATE REQUEST-----
    > >> > >
    > >> > > On Sat, Apr 23, 2011 at 4:41 PM, James Chase <chase1...@gmail.com> wrote:
    > >> > >> I am using the same system -- I have tried with last year's chain
    > >> > >> file as well. The only things that would be different to my
    > >> > >> knowledge are possibly the version of openssl and the renewed crt
    > >> > >> file, if it possibly requires new CA's (I did use their most current
    > >> > >> certificates before I tried using my old cafile).
    > >> > >>
    > >> > >> openssl verify never returns; I'm not sure what the syntax I am
    > >> > >> shooting for there is.
    > >> > >>
    > >> > >> When I try without using the "-chain" command then it compiles the
    > >> > >> p12 and it does seem to load in Chrome and IE, but in FF3 I get:
    > >> > >>
    > >> > >> secure.example.com uses an invalid security certificate.
    > >> > >>
    > >> > >> The certificate is not trusted because the issuer certificate is
    > >> > >> unknown.
    > >> > >>
    > >> > >> (Error code: sec_error_unknown_issuer)
    > >> > >>
    > >> > >> And in FF4 I get:
    > >> > >>
    > >> > >> store.innertraditions.com uses an invalid security certificate.
    > >> > >>
    > >> > >> The certificate is not trusted because no issuer chain was
    > >> > >> provided.
    > >> > >>
    > >> > >> (Error code: sec_error_unknown_issuer)
    > >> > >>
    > >> > >> I have always used the -chain and -CAfile options together when
    > >> > >> creating p12's.
    > >> > >>
    > >> > >> On Sat, Apr 23, 2011 at 12:32 PM, Crypto Sal <crypto....@gmail.com> wrote:
    > >> > >>> On 04/21/2011 06:51 PM, James Chase wrote:
    > >> > >>> I have done this multiple years in a row with the exact same
    > >> > >>> process but now I get the following error when I try to create my
    > >> > >>> SSL:
    > >> > >>>
    > >> > >>> openssl pkcs12 -export -chain -CAfile cachain.crt -out
    > >> > >>> my.domain.com.p12 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
    > >> > >>> Error unable to get local issuer certificate getting chain.
    > >> > >>>
    > >> > >>> I concatenated all the intermediate files in the order they
    > >> > >>> suggest, and according to the process I have documented that has
    > >> > >>> worked the past few years. I also downloaded the pre-built chain
    > >> > >>> file where they already concatenated the needed files together,
    > >> > >>> but I get the same error. I also tried the same chain file I used
    > >> > >>> last year -- same results. Googling is not helping me understand
    > >> > >>> this error. Anyone know what could be going on here with the EV
    > >> > >>> SSL creation for Network Solutions?
    > >> > >>>
    > >> > >>> --
    > >> > >>> "Beware of all enterprises that require new clothes."
    > >> > >>>   --  Henry David Thoreau
    > >> > >>>
    > >> > >>> James,
    > >> > >>>
    > >> > >>> You don't need to include the '-chain' option since you are
    > >> > >>> providing the chain with the '-CAfile' option. '-chain' is if you
    > >> > >>> want OpenSSL to build the chain for you.
    > >> > >>>
    > >> > >>> --Crypto.Sal
    > >> > >>
    > >>
    > >> Rob Stradling
    > >> Senior Research & Development Scientist
    > >> COMODO - Creating Trust Online
    > >>





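The whole thread comes down to the check Rob asked for: does the chain the server presents actually link, issuer to subject, up to a root the client trusts? Below is an added example (not code from this thread, from OpenSSL or from Network Solutions): a small Python parser for the "Certificate chain" section of `openssl s_client` output that walks the presented chain and reports where it breaks. The two transcripts embedded in it are reconstructed from the thread, with the long EV subject DNs abbreviated; the `trusted_roots` argument is an assumption standing in for the client's root store, which is exactly what differed between Firefox and Mounir's Windows box.

```python
import re

# Constructed from the two "openssl s_client" transcripts quoted in this thread.
# The long EV subject DNs are abbreviated; the linkage (issuer -> next subject)
# is exactly what the transcripts show.
SITE_OUTPUT = """\
CONNECTED(00000003)
depth=0 /serialNumber=03-11-1975/C=US/ST=MA/O=A Company International Ltd
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/serialNumber=03-11-1975/C=US/ST=MA/O=A Company International Ltd/OU=Secure Link EV SSL/CN=www.example.com
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA
---
"""

NETSOL_OUTPUT = """\
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=VA/L=Herndon/O=Network Solutions, LLC/OU=Secure Link EV SSL/CN=www.networksolutions.com
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
 1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
 2 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
"""

ADDTRUST_ROOT = "/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root"

SUBJECT_RE = re.compile(r"^\s*\d+\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s+i:(.*)$")
VERIFY_RE = re.compile(r"^verify error:num=(\d+):(.*)$")


def parse_s_client(output):
    """Return (verify_errors, chain): the 'verify error' lines as (num, text)
    and the presented chain as a list of (subject, issuer) in server order."""
    errors, chain, in_chain, subject = [], [], False, None
    for line in output.splitlines():
        m = VERIFY_RE.match(line)
        if m:
            errors.append((int(m.group(1)), m.group(2).strip()))
            continue
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.strip() == "---":          # end of the chain section
            break
        m = SUBJECT_RE.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return errors, chain


def diagnose_chain(chain, trusted_roots=frozenset()):
    """Walk the chain the server sent and list structural problems.
    trusted_roots (assumed input) stands in for the client's root store:
    a chain may legitimately stop at a cert whose issuer is already trusted.
    Returns [] when every issuer is the next subject and the chain ends at a
    self-signed root or at a trusted issuer."""
    findings = []
    if not chain:
        return ["server presented no certificates"]
    for n, (subject, issuer) in enumerate(chain):
        last = n == len(chain) - 1
        if subject == issuer:
            if not last:
                findings.append(f"cert {n} is self-signed but is not last")
            continue
        if not last:
            next_subject = chain[n + 1][0]
            if next_subject != issuer:
                findings.append(
                    f"cert {n} issuer '{issuer}' does not match cert {n + 1} "
                    f"subject '{next_subject}': chain is out of order or mixed")
        elif issuer not in trusted_roots:
            findings.append(
                f"issuer '{issuer}' of cert {n} was not sent and is not a "
                "trusted root: the intermediate is missing from the chain file")
    return findings


def report(output, trusted_roots=frozenset()):
    """Parse one transcript and return (verify error numbers, findings)."""
    errors, chain = parse_s_client(output)
    return [num for num, _ in errors], diagnose_chain(chain, trusted_roots)


if __name__ == "__main__":
    for name, out in (("site", SITE_OUTPUT), ("networksolutions", NETSOL_OUTPUT)):
        nums, findings = report(out, {ADDTRUST_ROOT})
        print(name, "verify errors:", nums, "findings:", findings or "chain OK")
```

Run against the thread's own data, the failing site yields exactly one finding (the "Network Solutions EV SSL CA" issuer was never sent, which is what error 21 means), while NetSol's site links cleanly through to the self-signed AddTrust root (error 19 is just s_client lacking a root store). Dropping the root from NetSol's chain still passes only when the AddTrust root is in `trusted_roots`, which is the Firefox-versus-Windows difference Mounir hit. Before building the p12, the same linkage can be checked offline with `openssl verify -CAfile root.pem -untrusted chain.pem site.crt`, where `-untrusted` supplies the intermediates without treating them as trust anchors.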

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
