So do you have a test site that actually shows the problem that I can
reproduce? ca-certificates does not include intermediate
certificates. The server should provide clients any intermediates that
need to chain up to the root. This is SSL normal daily business. The
root CAs come from Mozilla and one root certificate from SPI - if
there is something missing from the Mozilla certificate bundle, then
this request would need to go to Mozilla.

Michael

On Sun, Sep 28, 2014 at 5:24 AM, Emerick 'mz' Mounoury
<emer...@gandi.net> wrote:
> On 09/28/2014 02:09 AM, Michael Shuler wrote:
>
> On 09/25/2014 04:14 AM, Emerick 'mz' Mounoury wrote:
>
> On 09/24/2014 09:25 PM, Michael Shuler wrote:
>
> Do you have a test SSL site URL on your system to see the full trust
> chain?  There are 4 AddTrust root CAs in ca-certificates, so I'd like
> to see the trust path to better understand your problem. Thanks!
>
>
> First, thank you for your prompt answer !
>
> Yes, sure, you can test our service using this test URL :
> https://simplehosting.mz23.in
>
> I check the SSL connection using openssl as is as we are using SNI :
>
> openssl s_client -connect simplehosting.mz23.in:443 -showcerts -CApath /etc/ssl/certs -servername simplehosting.mz23.in
>
>
> This appears to validate fine for me on the current version of
> ca-certificates. Quick check attached.
>
>
> Yes, because we integrated in our own-made ca-certificates package installed
> on our SSL/X509 reverse proxy the cross-signed certificate (usertrust)
> between our intermediate (gandi ssl ca 2) and the root ca (addtrust).
>
> --
> \o/                          Emerick "mz" Mounoury
>  Gandi.net                   Domain name registrar..
>  No Bullshit ™               Hosting for geeks... and more !
>
>  GPG    : 76669398 - 079F 00DF 0FEA D0D2 1728 248E 0F15 B1F7 7666 9398
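
An added example, not part of the original thread: a small parser for the "Certificate chain" section that the openssl s_client command quoted above prints, which reports the issuer a server still has to send when the client's store holds only root CAs. The distinguished names and the sample output are constructed for illustration and were not captured from the test site.

```python
import re

ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:<subject>"
ISSUER = re.compile(r"^\s+i:(.*)$")        # "   i:<issuer>"

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, in_chain, subject = [], False, None
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":   # end of the chain section
            break
        elif in_chain and ENTRY.match(line):
            subject = ENTRY.match(line).group(2).strip()
        elif in_chain and subject is not None and ISSUER.match(line):
            chain.append((subject, ISSUER.match(line).group(1).strip()))
            subject = None
    return chain

def audit(chain, roots):
    """Name-level check only; signatures still need `openssl verify`."""
    if not chain:
        return ("no-certificates", None)
    for (subject, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return ("gap-or-misordered", subject)
    top_subject, top_issuer = chain[-1]
    if top_issuer in roots or top_subject in roots:
        return ("complete", top_issuer)
    # The server stopped short of a root: it must also send this issuer.
    return ("missing-intermediate", top_issuer)

# Constructed sample data: hypothetical subject names of the local root store
# and two hypothetical s_client outputs (without -showcerts PEM blocks).
ROOTS = {"/CN=AddTrust root"}
_HEAD = ("CONNECTED(00000003)\n---\nCertificate chain\n"
         " 0 s:/CN=simplehosting.mz23.in\n   i:/CN=Gandi SSL CA 2\n"
         " 1 s:/CN=Gandi SSL CA 2\n   i:/CN=USERTrust cross-signed CA\n")
_CROSS = " 2 s:/CN=USERTrust cross-signed CA\n   i:/CN=AddTrust root\n"
SENT_INCOMPLETE = _HEAD + "---\nServer certificate\n"
SENT_COMPLETE = _HEAD + _CROSS + "---\nServer certificate\n"

if __name__ == "__main__":
    for name, out in (("incomplete", SENT_INCOMPLETE), ("complete", SENT_COMPLETE)):
        print(name, audit(parse_chain(out), ROOTS))
```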

