On Monday 25 Apr 2011 20:07:03 James Chase wrote:
> I simplified the issue a bit in order to try and understand what is going
> on here and found that the SSL certificate that Network Solutions is
> providing, along with the intermediate chain file cannot be verified by
> newer installs of Firefox.

Hi James.  That seems unlikely.  Try browsing to NetSol's own EV site
(https://www.networksolutions.com) in FF4.  I see the EV green bar and no
browser warnings.

Could you post the top part of the output from
"openssl s_client -connect yourdomain:yourport" ?  Then we can compare it
with...

$ openssl s_client -connect www.networksolutions.com:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/serialNumber=3713002/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/C=US/ST=VA/L=Herndon/O=Network Solutions, LLC/OU=Technology Services/OU=Secure Link EV SSL/CN=www.networksolutions.com
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
 1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
 2 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---

> It doesn't have anything to do with the p12
> file I am creating (I loaded up the network solutions files in apache and
> tested).
>
> Who would be at fault here? Am I still doing something wrong, or is this
> Mozilla's fault for not including a needed root CA file? It seems the
> missing link is the "AddTrustExternalCARoot" certificate.
>
> I tried adding the AddTrustExternalCARoot cert to the top of my certificate
> chain, but this causes apache to break, and then not start, complaining of
> "[error] Failed to configure CA certificate chain!". I used a chain file
> that I have used in previous years, and that did allow apache to start but
> I still cannot verify with Firefox. Then I tried using last year's (and
> soon expiring) certificate for my site and that works FINE. So ... Network
> Solutions screwed something up when issuing my certificate (this is the
> second one I have had re-issued) or am I doing something wrong. I have no
> idea what that could be at this point -- I have never had so much trouble
> with an SSL certificate and am not an expert by any means.
>
> Anyone have any thoughts? I called NS earlier in this process and they said
> "not our problem" but perhaps I will try again.
>
> On Mon, Apr 25, 2011 at 11:01 AM, James Chase <chase1...@gmail.com> wrote:
> > I did run the verification, and didn't have an issue there. Still am not
> > able to figure out how to correctly create this as the only way the p12
> > compiles is by dropping the "-chain" command but that creates SSL
> > verification warnings in Firefox web browsers.
> >
> > openssl req -verify -in www.example.com.csr -key www.example.com.key
> > verify OK
> > -----BEGIN CERTIFICATE REQUEST-----
> > CERTIFICATE DATA HERE
> > -----END CERTIFICATE REQUEST-----
> >
> > On Sat, Apr 23, 2011 at 4:41 PM, James Chase <chase1...@gmail.com> wrote:
> >> I am using the same system -- I have tried with last year's chain file as
> >> well. The only thing that would be different to my knowledge are
> >> possibly the version of openssl and the renewed crt file if it possibly
> >> requires new CAs (I did use their most current certificates before I
> >> tried using my old cafile).
> >>
> >> openssl verify never returns, I'm not sure what the syntax I am shooting
> >> for there is.
> >>
> >> When I try without using the "-chain" command then it compiles the p12
> >> and it does seem to load in Chrome and IE, but in FF3 I get:
> >>
> >> secure.example.com uses an invalid security certificate.
> >>
> >> The certificate is not trusted because the issuer certificate is
> >> unknown.
> >>
> >> (Error code: sec_error_unknown_issuer)
> >>
> >> And in FF4 I get:
> >>
> >> store.innertraditions.com uses an invalid security certificate.
> >>
> >> The certificate is not trusted because no issuer chain was provided.
> >>
> >> (Error code: sec_error_unknown_issuer)
> >>
> >>
> >> I have always used the -chain and -CAfile options together when creating
> >> p12's.
> >>
> >> On Sat, Apr 23, 2011 at 12:32 PM, Crypto Sal <crypto....@gmail.com> wrote:
> >>> On 04/21/2011 06:51 PM, James Chase wrote:
> >>> I have done this multiple years in a row with the exact same process
> >>> but now I get the following error when I try to create my SSL:
> >>>
> >>> openssl pkcs12 -export -chain -CAfile cachain.crt -out
> >>> my.domain.com.p12 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
> >>> Error unable to get local issuer certificate getting chain.
> >>>
> >>> I concatenated all the intermediate files in the order they suggest,
> >>> and according to the process I have documented that has worked the
> >>> past few years. I also downloaded the pre-built chain file where they
> >>> already concatenated the needed files together but I get the same
> >>> error. I also tried the same chain file I used last year -- same
> >>> results. Googling is not helping me understand this error. Anyone know
> >>> what could be going on here with the EV SSL creation for Network
> >>> Solutions?
> >>>
> >>>
> >>> --
> >>> "Beware of all enterprises that require new clothes."
> >>>
> >>> -- Henry David Thoreau
> >>>
> >>> James,
> >>>
> >>> You don't need to include the '-chain' option since you are providing
> >>> the chain with the '-CAfile' option. '-chain' is if you want OpenSSL
> >>> to build the chain for you.
> >>>
> >>> --Crypto.Sal

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
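The thread turns on two things: a server (or a .p12) that ships the leaf without its intermediate, and the "unable to get local issuer certificate getting chain" error from "openssl pkcs12 -export -chain". The script below is an added example, not code from anyone in the thread. It builds a throw-away root -> intermediate -> leaf chain with constructed names (Example Root CA, www.example.test), then shows how "openssl verify" and "pkcs12 -export" behave with and without the intermediate and root present. It assumes only that the openssl command-line tool is installed; no network access is needed.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the missing-issuer failures
# discussed above with a locally generated chain.  All names are constructed.
WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Extension files: OpenSSL treats a cert as a CA only if basicConstraints says so.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# 1. Self-signed root CA.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
    -out root.pem 2>/dev/null
# 2. Intermediate CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
    -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out int.pem 2>/dev/null
# 3. Server (leaf) certificate signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

cat int.pem > chain-no-root.pem      # an "intermediate bundle" that omits the root
cat int.pem root.pem > chain.pem     # intermediate plus the root it chains up to

# Prints OK or FAIL: does openssl verify accept the leaf against the root?
# $1 is either empty or "-untrusted int.pem" (the intermediate as untrusted input).
verify_leaf() {
    if openssl verify -CAfile root.pem $1 leaf.pem 2>&1 | grep -q 'leaf.pem: OK'
    then echo OK; else echo FAIL; fi
}

# Counts the certificates stored in a PKCS#12 file (1 means leaf only).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Exports leaf + key to a .p12 with extra pkcs12 options; prints the number of
# certificates embedded, or FAIL when pkcs12 itself errors out ("... getting chain").
export_p12() {
    out=$1; shift
    if openssl pkcs12 -export -in leaf.pem -inkey leaf.key -out "$out" \
        -passout pass:changeit "$@" 2>/dev/null
    then p12_cert_count "$out"; else echo FAIL; fi
}

echo "verify, root only:              $(verify_leaf)"                       # FAIL: issuer missing
echo "verify, root + intermediate:    $(verify_leaf '-untrusted int.pem')"  # OK
echo "-chain, CAfile lacks root:      $(export_p12 a.p12 -chain -CAfile chain-no-root.pem)"  # FAIL
echo "-chain, CAfile int + root:      $(export_p12 b.p12 -chain -CAfile chain.pem)"          # 3
echo "-CAfile without -chain:         $(export_p12 c.p12 -CAfile chain.pem)"                 # 1
echo "-certfile, no chain building:   $(export_p12 d.p12 -certfile chain.pem)"               # 3
```

Two points the output makes concrete. First, "-chain" asks OpenSSL to build a complete path to a self-signed trust anchor, so the file given to "-CAfile" must contain the root as well as the intermediates; a bundle of intermediates alone reproduces the "getting chain" error. Second, "-CAfile" on its own is only consulted when "-chain" is set, so dropping "-chain" yields a .p12 holding just the leaf, which is exactly what produces sec_error_unknown_issuer in a browser; "-certfile" embeds the listed certificates without any chain building, which is the option to use when you already have the correct bundle.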