On 15.03.2012 14:52, Rob Stradling wrote:
> On 15/03/12 13:11, Florian Pritz wrote:
>> Hi,
>>
>> When using lynx to access https://portfolio.iguw.tuwien.ac.at I got an
>> ssl cert validation error. Since it worked fine in firefox/chromium I
>> tried to use openssl directly and got the following, but I fail to
>> understand what it means although I see that the chain looks strange
>> (0->1 i:TERENA is replaced by s:COMODO)
>>
>> After a bit of googling I believe it's a problem on the server side, but
>> my knowledge of SSL/X.509 is very limited so if you have any pointers,
>> I'd be happy to hear them.
>>
>> $ openssl s_client -connect portfolio.iguw.tuwien.ac.at:443
> <snip>
>>> Certificate chain
>>>   0 s:/C=AT/ST=Vienna/L=Vienna/O=Vienna University of Technology/OU=E187 Institute of Design and Assessment of Technology/CN=portfolio.iguw.tuwien.ac.at
>>>     i:/C=NL/O=TERENA/CN=TERENA SSL CA
>>>   1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
>>>     i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>>>   2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>>>     i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> 
> Yes, it's a problem on the server side.  Since the server appears to be 
> Apache, the server admin needs to fix it by simply reconfiguring 
> "SSLCertificateChainFile" to point to a file that contains just the 
> following 2 CA Certificates...
> 

I'll forward that to someone who can fix it. Thank you.

-- 
Florian Pritz
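
The broken link discussed in this thread (certificate 0 is issued by TERENA, but the next certificate the server sends is a COMODO one) can be found mechanically from the `Certificate chain` listing. The following is an added example, not part of either message: the function names are hypothetical and the sample is the chain quoted above with the mail line wraps joined. It compares names only and does not verify signatures.

```python
import re

# Chain from the s_client output quoted in this thread (line wraps joined).
SAMPLE = """\
Certificate chain
 0 s:/C=AT/ST=Vienna/L=Vienna/O=Vienna University of Technology/OU=E187 Institute of Design and Assessment of Technology/CN=portfolio.iguw.tuwien.ac.at
   i:/C=NL/O=TERENA/CN=TERENA SSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
"""

SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:<subject DN>"
ISSUER = re.compile(r"^\s*i:(.*)$")            # "   i:<issuer DN>"

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from a 'Certificate chain' listing."""
    chain, current = [], None
    for line in text.splitlines():
        m = SUBJECT.match(line)
        if m:
            current = [int(m.group(1)), m.group(2).strip(), None]
            chain.append(current)
            continue
        m = ISSUER.match(line)
        if m and current is not None:
            current[2] = m.group(1).strip()
    return [tuple(c) for c in chain]

def chain_breaks(chain):
    """Depths where a certificate's issuer is not the subject of the next one sent."""
    breaks = []
    for (depth, _subj, issuer), (_d, next_subj, _i) in zip(chain, chain[1:]):
        if issuer != next_subj:
            breaks.append((depth, issuer, next_subj))
    return breaks

def self_signed(chain):
    """Depths of self-issued certificates (subject equals issuer)."""
    return [d for d, s, i in chain if s == i]

if __name__ == "__main__":
    chain = parse_chain(SAMPLE)
    for depth, issuer, got in chain_breaks(chain):
        print(f"break after cert {depth}: issuer {issuer!r}, next cert sent {got!r}")
    print("self-signed certs sent at depth:", self_signed(chain))
```

Clients that already hold or can fetch the missing intermediate may still build a valid path, which is consistent with the site working in firefox/chromium while lynx and a plain `openssl s_client` report an error.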
