On Tuesday 26 Apr 2011 19:35:48 Mounir IDRASSI wrote:
> Hi James,
> 
> I got the correct certificate chain from my Windows 7 box. Microsoft
> tends to update its trusted CA certificates store more quickly and
> regularly than Mozilla or Linux distros: the latest update was last
> month on March 23rd 2011.
> It is sad that even Network Solutions guys are not aware of this
> update... This issue should not have existed in the first place!

Mounir, I don't think Microsoft's March 23rd Auto Root Update is actually 
relevant here.  It didn't change any Root Certificates that NetSol's cert 
chains use, AFAIK.

Your Windows 7 box was able to build the chain because CryptoAPI chases 
AIA->caIssuers URLs.  Firefox doesn't do this.  If it did, James wouldn't have 
noticed any problem in the first place.


James, I see that your server is now sending the correct chain.  A tip: you 
don't have to send the self-signed Root Certificate (Subject and Issuer = 
AddTrust External CA Root).  Each client either already trusts it (in which 
case there's no point sending it) or it doesn't already trust it (in which 
case there's no point sending it, because sending it won't make it magically 
become trusted).

 
> Good luck,
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
> 
> On 4/26/2011 7:07 PM, James Chase wrote:
> >     You've got the wrong chain file.  I understand that NetSol switched to a new
> >     EV Issuing CA a few months ago.  Are you definitely using the chain file that
> >     they supplied with your latest site cert?
> > 
> > I am using the chain file that they suggest downloading which already
> > has the intermediate files concatenated into a file -- but apparently
> > it is wrong. I checked the .crt file that they include with my site
> > certificate and they are the same certs that are in the chain file
> > they have precompiled. I can't believe how much time I have spent on
> > this issue and could the root of the issue be that they are not
> > packaging the right files with my new certificate? wtf
> > 
> > Mounir, where did you get those certificates?? The only cert that you
> > used that came with my certificate is the last one,
> > AddTrustExternalCARoot -- the other two are NOT included and are not
> > in NetSol's precompiled chain file. Your chain file works when I test
> > with apache, and I have just created a p12 from those chain files and
> > that works too! Hallelujah.
> > 
> > But seriously, how did you synthesize that chain file? And how would I
> > be expected to create that on my own?? I spent an hour and a half on
> > the phone with NetSol telling them there was something wrong with
> > their files and they just kept saying it was my fault and they will
> > bill me $120/hour to fix it.
> > 
> >     > On Tue, Apr 26, 2011 at 8:19 AM, James Chase <chase1...@gmail.com> wrote:
> >     > > Well my results are quite different, and I guess point to my p12 not
> >     > > being correctly created. Strangely, the p12 I am running this test on
> >     > > works in production and doesn't produce a warning (I re-created last
> >     > > year's certificate as a new p12 using the same process I am trying with
> >     > > this year's).
> >     > > 
> >     > > I also tried running this on my test apache site, where I am just using
> >     > > the plain old certificate, key and network solutions supplied chain file
> >     > > -- and the openssl s_client command returns better output but I still
> >     > > get a warning!
> >     > > 
> >     > > [me@myserver ~]$ openssl s_client -connect www.example.com:443
> >     > > CONNECTED(00000003)
> >     > > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
> >     > > verify error:num=20:unable to get local issuer certificate
> >     > > verify return:1
> >     > > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
> >     > > verify error:num=27:certificate not trusted
> >     > > verify return:1
> >     > > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
> >     > > verify error:num=21:unable to verify the first certificate
> >     > > verify return:1
> >     > > ---
> >     > > Certificate chain
> >     > >  0 s:/serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd/OU=Book Sales/OU=Secure Link EV SSL/CN=www.example.com
> >     > >    i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA
> >     > > ---
> >     > > 
> >     > > On Mon, Apr 25, 2011 at 6:16 PM, Rob Stradling <rob.stradl...@comodo.com> wrote:
> >     > >> On Monday 25 Apr 2011 20:07:03 James Chase wrote:
> >     > >> > I simplified the issue a bit in order to try and understand what is going
> >     > >> > on here and found that the SSL certificate that Network Solutions is
> >     > >> > providing, along with the intermediate chain file cannot be verified
> >     > >> > by newer installs of Firefox.
> >     > >> 
> >     > >> Hi James.  That seems unlikely.  Try browsing to NetSol's own EV site
> >     > >> (https://www.networksolutions.com) in FF4.  I see the EV green bar and
> >     > >> no browser warnings.
> >     > >> 
> >     > >> Could you post the top part of the output from "openssl s_client
> >     > >> -connect yourdomain:yourport" ?
> >     > >> 
> >     > >> Then we can compare it with...
> >     > >> 
> >     > >> $ openssl s_client -connect www.networksolutions.com:443
> >     > >> CONNECTED(00000003)
> >     > >> depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
> >     > >> verify error:num=19:self signed certificate in certificate chain
> >     > >> verify return:0
> >     > >> ---
> >     > >> Certificate chain
> >     > >>  0 s:/serialNumber=3713002/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/C=US/ST=VA/L=Herndon/O=Network Solutions, LLC/OU=Technology Services/OU=Secure Link EV SSL/CN=www.networksolutions.com
> >     > >>   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
> >     > >>  1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
> >     > >>   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
> >     > >>  2 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
> >     > >>   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> >     > >>  3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> >     > >>   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> >     > >> ---
> >     > >> 
> >     > >> > It doesn't have anything to do with the p12
> >     > >> > file I am creating (I loaded up the network solutions files in apache and
> >     > >> > tested).
> >     > >> > 
> >     > >> > Who would be at fault here? Am I still doing something wrong, or is
> >     > >> > this Mozilla's fault for not including a needed root ca file? It
> >     > >> > seems the missing link is the "AddTrustExternalCARoot" certificate.
> >     > >> > I tried adding the AddTrustExternalCARoot cert to the top of my certificate
> >     > >> > chain, but this causes apache to break, and then not start complaining of
> >     > >> > "[error] Failed to configure CA certificate chain!". I used a chain
> >     > >> > file that I have used in previous years, and that did allow apache to
> >     > >> > start but I still cannot verify with Firefox. Then I tried using last
> >     > >> > year's (and soon expiring) certificate for my site and that works FINE.
> >     > >> > So ... Network Solutions screwed something up when issuing my certificate
> >     > >> > (this is the second one I have had re-issued) or am I doing something
> >     > >> > wrong. I have no idea what that could be at this point -- I have never
> >     > >> > had so much trouble with an SSL certificate and am not an expert by any
> >     > >> > means.
> >     > >> > 
> >     > >> > Anyone have any thoughts? I called NS earlier in this process and they
> >     > >> > said "not our problem" but perhaps I will try again.
> >     > >> > 
> >     > >> > On Mon, Apr 25, 2011 at 11:01 AM, James Chase <chase1...@gmail.com> wrote:
> >     > >> > > I did run the verification, and didn't have an issue there. Still am not
> >     > >> > > able to figure out how to correctly create this as the only way the p12
> >     > >> > > compiles is by dropping the "-chain" command but that creates ssl
> >     > >> > > verification warnings in Firefox web browsers.
> >     > >> > > 
> >     > >> > > openssl req -verify -in www.example.com.csr -key www.example.com.key
> >     > >> > > verify OK
> >     > >> > > -----BEGIN CERTIFICATE REQUEST-----
> >     > >> > > CERTIFICATE DATA HERE
> >     > >> > > -----END CERTIFICATE REQUEST-----
> >     > >> > > 
> >     > >> > > On Sat, Apr 23, 2011 at 4:41 PM, James Chase <chase1...@gmail.com> wrote:
> >     > >> > >> I am using the same system -- I have tried with last year's chain file as
> >     > >> > >> well. The only thing that would be different to my knowledge are
> >     > >> > >> possibly the version of openssl and the renewed crt file if it possibly
> >     > >> > >> requires new CA's (I did use their most current certificates before
> >     > >> > >> I tried using my old cafile).
> >     > >> > >> 
> >     > >> > >> openssl verify never returns, I'm not sure what the syntax I am shooting
> >     > >> > >> for there is.
> >     > >> > >> 
> >     > >> > >> When I try without using the "-chain" command then it compiles the p12
> >     > >> > >> and it does seem to load in Chrome and IE, but in FF3 I get:
> >     > >> > >> 
> >     > >> > >> secure.example.com uses an invalid security certificate.
> >     > >> > >> The certificate is not trusted because the issuer certificate is unknown.
> >     > >> > >> 
> >     > >> > >> (Error code: sec_error_unknown_issuer)
> >     > >> > >> 
> >     > >> > >> And in FF4 I get:
> >     > >> > >> 
> >     > >> > >> store.innertraditions.com uses an invalid security certificate.
> >     > >> > >> The certificate is not trusted because no issuer chain was provided.
> >     > >> > >> 
> >     > >> > >> (Error code: sec_error_unknown_issuer)
> >     > >> > >> 
> >     > >> > >> 
> >     > >> > >> I have always used the -chain and -CAfile options together when creating
> >     > >> > >> p12's.
> >     > >> > >> 
> >     > >> > >> On Sat, Apr 23, 2011 at 12:32 PM, Crypto Sal <crypto....@gmail.com> wrote:
> >     > >> > >>> On 04/21/2011 06:51 PM, James Chase wrote:
> >     > >> > >>> I have done this multiple years in a row with the exact same
> >     > >> > >>> process but now I get the following error when I try to create my
> >     > >> > >>> SSL:
> >     > >> > >>> 
> >     > >> > >>> openssl pkcs12 -export -chain -CAfile cachain.crt -out
> >     > >> > >>> my.domain.com.p12 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
> >     > >> > >>> Error unable to get local issuer certificate getting chain.
> >     > >> > >>> 
> >     > >> > >>> I concatenated all the intermediate files in the order they suggest,
> >     > >> > >>> and according to the process I have documented that has worked the
> >     > >> > >>> past few years. I also downloaded the pre-built chain file where they
> >     > >> > >>> already concatenated the needed files together but I get the same
> >     > >> > >>> error. I also tried the same chain file I used last year -- same
> >     > >> > >>> results. Googling is not helping me understand this error. Anyone know
> >     > >> > >>> what could be going on here with the EV SSL creation for Network
> >     > >> > >>> Solutions?
> >     > >> > >>> 
> >     > >> > >>> 
> >     > >> > >>> --
> >     > >> > >>> "Beware of all enterprises that require new clothes."
> >     > >> > >>> 
> >     > >> > >>>   --  Henry David Thoreau
> >     > >> > >>> 
> >     > >> > >>> James,
> >     > >> > >>> 
> >     > >> > >>> You don't need to include the '-chain' option since you are
> >     > >> > >>> providing the chain with the '-CAfile' option. '-chain' is if you
> >     > >> > >>> want OpenSSL to build the chain for you.
> >     > >> > >>> 
> >     > >> > >>> --Crypto.Sal
> >     > >> > >> 
> >     > >> 
> >     > >> Rob Stradling
> >     > >> Senior Research & Development Scientist
> >     > >> COMODO - Creating Trust Online
> >     > >> ______________________________________________________________________
> >     > >> OpenSSL Project                                 http://www.openssl.org
> >     > >> User Support Mailing List                    openssl-users@openssl.org
> >     > >> Automated List Manager                           majord...@openssl.org
> >     
> >     
> 

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
  3rd Floor, 26 Office Village, Exchange Quay,
  Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the sender by replying
to the e-mail containing this attachment. Replies to this email may be
monitored by Comodo for operational or business reasons. Whilst every
endeavour is taken to ensure that e-mails are free from viruses, no liability
can be accepted and the recipient is requested to use their own virus checking
software.
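Added example, not part of the thread: a POSIX shell script that builds a throwaway root, issuing CA and site certificate with openssl(1) and reproduces the behaviour discussed above: `openssl verify` and `pkcs12 -export -chain` fail with "unable to get local issuer certificate" while the intermediate is missing, succeed once it is supplied, and the self-signed root adds nothing whether or not the client trusts it. All names (Example Root CA, Example Issuing CA, www.example.com) are constructed; it needs only openssl in PATH.

```shell
#!/bin/sh
# Added example, not part of the thread: a throwaway root -> issuing CA -> site cert
# hierarchy that reproduces the chain-building behaviour discussed above with openssl(1).
# All names (Example Root CA, Example Issuing CA, www.example.com) are constructed and the
# keys are unencrypted throwaway test keys.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# csr NAME CN: fresh key NAME.key and request NAME.csr.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > leaf.ext
csr root 'Example Root CA'; csr other 'Unrelated Root CA'
csr inter 'Example Issuing CA'; csr leaf 'www.example.com'

# Two self-signed roots: ours, and an unrelated one that stands in for a client whose
# trust store does not contain ours.
for r in root other; do
  openssl x509 -req -in "$r.csr" -signkey "$r.key" -days 30 -extfile ca.ext \
    -out "$r.pem" 2>/dev/null
done
# Issuing CA signed by the root; site certificate signed by the issuing CA.
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 1000 \
  -days 30 -extfile ca.ext -out inter.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -set_serial 2000 \
  -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null
cat inter.pem root.pem > fullchain.pem   # what a CA's "chain file" should contain

# verify_leaf TRUSTED [UNTRUSTED]: 0 if leaf.pem chains to a cert in TRUSTED. UNTRUSTED
# plays the chain a server sends: usable for building the path, never a trust anchor.
verify_leaf() {
  if [ $# -ge 2 ]; then openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
  else openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1; fi
}
# verify_error TRUSTED: the reason openssl verify gives when leaf.pem is presented alone.
verify_error() {
  openssl verify -CAfile "$1" leaf.pem 2>&1 | sed -n 's/.*lookup: *//p' | head -n 1
}
# export_p12 CAFILE: the thread's command. -chain makes OpenSSL build the chain from
# CAFILE itself, so it fails exactly when CAFILE lacks the issuing CA.
export_p12() {
  openssl pkcs12 -export -chain -CAfile "$1" -inkey leaf.key -in leaf.pem \
    -out site.p12 -passout pass:constructed >/dev/null 2>&1
}

echo "leaf alone, root trusted:           $(verify_error root.pem)"   # error 20, as in the thread
verify_leaf root.pem inter.pem      && echo "leaf + intermediate:                OK"
verify_leaf root.pem fullchain.pem  && echo "leaf + intermediate + root:         OK (root is redundant)"
verify_leaf other.pem fullchain.pem || echo "root not trusted, even though sent: FAIL (error 19)"
export_p12 root.pem                 || echo "pkcs12 -chain, CAfile lacks issuer: FAIL (the thread's error)"
export_p12 fullchain.pem            && echo "pkcs12 -chain, complete CAfile:     site.p12 written"
```

The last two lines are James's `pkcs12 -export -chain` case: the same command fails or succeeds depending only on whether the issuing CA is in the file passed to -CAfile.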
