I simplified the issue a bit in order to try and understand what is going on
here and found that the SSL certificate that Network Solutions is providing,
along with the intermediate chain file cannot be verified by newer installs
of Firefox. It doesn't have anything to do with the p12 file I am creating
(I loaded up the network solutions files in apache and tested).

Who would be at fault here? Am I still doing something wrong, or is this
Mozilla's fault for not including a needed root ca file? It seems the
missing link is the "AddTrustExternalCARoot" certificate.

I tried adding the AddTrustExternalCARoot cert to the top of my certificate
chain, but this causes apache to break and not start, complaining of
"[error] Failed to configure CA certificate chain!". I used a chain file
that I have used in previous years, and that did allow apache to start, but I
still cannot verify with Firefox. Then I tried using last year's (and soon
expiring) certificate for my site and that works FINE. So ... either Network
Solutions screwed something up when issuing my certificate (this is the
second one I have had re-issued), or I am doing something wrong. I have no
idea what that could be at this point -- I have never had so much trouble
with an SSL certificate and am not an expert by any means.

Anyone have any thoughts? I called NS earlier in this process and they said
"not our problem" but perhaps I will try again.

On Mon, Apr 25, 2011 at 11:01 AM, James Chase <chase1...@gmail.com> wrote:

> I did run the verification, and didn't have an issue there. Still am not
> able to figure out how to correctly create this as the only way the p12
> compiles is by dropping the "-chain" command but that creates ssl
> verifications warnings in Firefox web browsers.
>
> openssl req -verify -in www.example.com.csr -key www.example.com.key
> verify OK
> -----BEGIN CERTIFICATE REQUEST-----
> CERTIFICATE DATA HERE
> -----END CERTIFICATE REQUEST-----
>
> On Sat, Apr 23, 2011 at 4:41 PM, James Chase <chase1...@gmail.com> wrote:
>
>> I am using the same system -- I have tried with last year's chain file as
>> well. The only thing that would be different to my knowledge are possibly
>> the version of openssl and the renewed crt file if it possibly requires new
>> CA's (I did use their most current certificates before I tried using my old
>> cafile).
>>
>> openssl verify never returns, I'm not sure what the syntax I am shooting
>> for there is.
>>
>> When I try without using the "-chain" command then it compiles the p12 and
>> it does seem to load in Chrome and IE, but in FF3 I get:
>>
>> secure.example.com uses an invalid security certificate.
>>
>> The certificate is not trusted because the issuer certificate is unknown.
>>
>> (Error code: sec_error_unknown_issuer)
>>
>> And in FF4 I get:
>>
>> store.innertraditions.com uses an invalid security certificate.
>>
>> The certificate is not trusted because no issuer chain was provided.
>>
>> (Error code: sec_error_unknown_issuer)
>>
>>
>> I have always used the -chain and -CAfile options together when creating
>> p12's.
>>
>> On Sat, Apr 23, 2011 at 12:32 PM, Crypto Sal <crypto....@gmail.com>wrote:
>>
>>>  On 04/21/2011 06:51 PM, James Chase wrote:
>>>
>>> I have done this multiple years in a row with the exact same process but
>>> now I get the following error when I try to create my SSL:
>>>
>>> openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12
>>> -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
>>> Error unable to get local issuer certificate getting chain.
>>>
>>> I concatenated all the intermediate files in the order they suggest, and
>>> according to the process I have documented that has worked the past few
>>> years. I also downloaded the pre-built chain file where they already
>>> concatenated the needed files together but I get the same error. I also
>>> tried the same chain file I used last year -- same results. Googling is not
>>> helping me understand this error. Anyone know what could be going on here
>>> with the EV SSL creation for Network Solutions?
>>>
>>>
>>> --
>>> "Beware of all enterprises that require new clothes."
>>>   --  Henry David Thoreau
>>>
>>>
>>>
>>> James,
>>>
>>> You don't need to include the '-chain' option since you are providing the
>>> chain with the '-CAfile' option. '-chain' is if you want OpenSSL to build
>>> the chain for you.
>>>
>>> --Crypto.Sal
>>>
>>
>>
>>
>>
>
>
>
>
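The chain-building problem discussed in this thread, reproduced on a throwaway PKI. This is an added example for the reader, not code posted by anyone in the thread. It builds its own root, intermediate and leaf certificates with the openssl CLI (the CA names, the hostname secure.example.com and the password "changeit" are made up), then shows when `openssl verify` and `openssl pkcs12 -export -chain` report "unable to get ... issuer certificate", and what `-chain` versus `-CAfile` actually puts into the .p12.

```sh
#!/bin/sh
# Added example (not from the thread): build a throwaway root -> intermediate -> leaf
# PKI with the openssl CLI, then reproduce the two failures discussed above:
#   - `openssl verify` cannot reach a trust anchor when the intermediate is absent
#   - `openssl pkcs12 -export -chain` fails "getting chain" when -CAfile lacks the root
# and show that -chain, not -CAfile alone, is what copies the CA certs into the .p12.
# All names ("Example Root CA", secure.example.com, changeit) are made up for the demo.
# openssl also consults the system trust store by default; the demo root is not in it,
# so that does not change the results below.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# issue_cert NAME SUBJECT ISSUER_CRT ISSUER_KEY SERIAL EXTFILE
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$3" -CAkey "$4" -set_serial "$5" -days 2 \
        -extfile "$6" -out "$1.crt" >/dev/null 2>&1
}

build_test_pki() {
    # Intermediates must carry basicConstraints CA:TRUE or verify rejects them as issuers.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:secure.example.com\n' > leaf.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Example Root CA" >/dev/null 2>&1
    openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 2 \
        -extfile ca.ext -out root.crt >/dev/null 2>&1
    issue_cert inter "/CN=Example Intermediate CA" root.crt root.key 2 ca.ext
    issue_cert leaf "/CN=secure.example.com" inter.crt inter.key 3 leaf.ext
    cp inter.crt chain-no-root.crt                 # a vendor "intermediate bundle" without the root
    cat inter.crt root.crt > chain-with-root.crt   # the same bundle with the root appended
}

# verify_leaf CAFILE [UNTRUSTED]: prints OK or a short reason.
verify_leaf() {
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$2" leaf.crt 2>&1) || true
    else
        out=$(openssl verify -CAfile "$1" leaf.crt 2>&1) || true
    fi
    case "$out" in
        *": OK"*) echo OK ;;
        *"unable to get local issuer certificate"*) echo unable_to_get_local_issuer ;;
        *) echo "other: $out" ;;
    esac
}

# export_p12 CAFILE chain|nochain: prints the number of certificates in the
# resulting .p12, or "export_failed: <openssl error>" when the export aborts.
export_p12() {
    rm -f out.p12
    if [ "$2" = chain ]; then chainopt=-chain; else chainopt=; fi
    if ! err=$(openssl pkcs12 -export $chainopt -CAfile "$1" -inkey leaf.key -in leaf.crt \
            -out out.p12 -passout pass:changeit 2>&1); then
        echo "export_failed: $err"
        return 0
    fi
    openssl pkcs12 -in out.p12 -nokeys -passin pass:changeit 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

build_test_pki
echo "verify, root only:                $(verify_leaf root.crt)"
echo "verify, root + untrusted inter:   $(verify_leaf root.crt inter.crt)"
echo "verify, inter+root bundle:        $(verify_leaf chain-with-root.crt)"
echo "p12 -chain, bundle without root:  $(export_p12 chain-no-root.crt chain)"
echo "p12 -chain, bundle with root:     $(export_p12 chain-with-root.crt chain) cert(s)"
echo "p12 no -chain, bundle with root:  $(export_p12 chain-with-root.crt nochain) cert(s)"
```

Two things the output makes concrete. First, `openssl verify -CAfile <file> cert.crt` wants the whole path to a self-signed root reachable from the CAfile (or via `-untrusted` for the intermediates); a bundle that stops at the intermediate is exactly the situation that produces the "getting chain" error from `pkcs12 -export -chain`, so when a vendor bundle lacks its root (the AddTrust root in this thread), append the root to the CAfile before exporting. Second, `-CAfile` on its own adds nothing to the .p12: only the leaf ends up in it, which is why a browser then reports that no issuer chain was provided. `-chain` is the option that builds the chain from the CAfile and includes it, and that build needs the root present.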