Well my results are quite different, and I guess point to my p12 not being
correctly created. Strangely, the p12 I am running this test on works in
production and doesn't produce a warning (I re-created last year's
certificate as a new p12 using the same process I am trying with this
year's).

I also tried running this on my test apache site, where I am just using the
plain old certificate, key and network solutions supplied chain file -- and
the openssl s_client command returns better output but I still get a
warning!

[me@myserver ~]$ openssl s_client -connect www.example.com:443
CONNECTED(00000003)
depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
verify error:num=27:certificate not trusted
verify return:1
depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd/OU=Book Sales/OU=Secure Link EV SSL/CN=www.example.com
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA
---

On Mon, Apr 25, 2011 at 6:16 PM, Rob Stradling <rob.stradl...@comodo.com> wrote:

> On Monday 25 Apr 2011 20:07:03 James Chase wrote:
> > I simplified the issue a bit in order to try and understand what is going
> > on here and found that the SSL certificate that Network Solutions is
> > providing, along with the intermediate chain file cannot be verified by
> > newer installs of Firefox.
>
> Hi James.  That seems unlikely.  Try browsing to NetSol's own EV site
> (https://www.networksolutions.com) in FF4.  I see the EV green bar and no
> browser warnings.
>
> Could you post the top part of the output from "openssl s_client -connect
> yourdomain:yourport" ?
>
> Then we can compare it with...
>
> $ openssl s_client -connect www.networksolutions.com:443
> CONNECTED(00000003)
> depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/serialNumber=3713002/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/C=US/ST=VA/L=Herndon/O=Network Solutions, LLC/OU=Technology Services/OU=Secure Link EV SSL/CN=www.networksolutions.com
>    i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
>  1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
>    i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
>  2 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>  3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> ---
>
> > It doesn't have anything to do with the p12
> > file I am creating (I loaded up the network solutions files in apache and
> > tested).
> >
> > Who would be at fault here? Am I still doing something wrong, or is this
> > Mozilla's fault for not including a needed root ca file? It seems the
> > missing link is the "AddTrustExternalCARoot" certificate.
> >
> > I tried adding the AddTrustExternalCARoot cert to the top of my certificate
> > chain, but this causes apache to break, and then not start complaining of
> > "[error] Failed to configure CA certificate chain!". I used a chain file
> > that I have used in previous years, and that did allow apache to start but
> > I still cannot verify with Firefox. Then I tried using last year's (and
> > soon expiring) certificate for my site and that works FINE. So ... Network
> > Solutions screwed something up when issuing my certificate (this is the
> > second one I have had re-issued) or am I doing something wrong. I have no
> > idea what that could be at this point -- I have never had so much trouble
> > with an SSL certificate and am not an expert by any means.
> >
> > Anyone have any thoughts? I called NS earlier in this process and they said
> > "not our problem" but perhaps I will try again.
> >
> > On Mon, Apr 25, 2011 at 11:01 AM, James Chase <chase1...@gmail.com> wrote:
> > > I did run the verification, and didn't have an issue there. Still am not
> > > able to figure out how to correctly create this as the only way the p12
> > > compiles is by dropping the "-chain" command but that creates ssl
> > > verification warnings in Firefox web browsers.
> > >
> > > openssl req -verify -in www.example.com.csr -key www.example.com.key
> > > verify OK
> > > -----BEGIN CERTIFICATE REQUEST-----
> > > CERTIFICATE DATA HERE
> > > -----END CERTIFICATE REQUEST-----
> > >
> > > On Sat, Apr 23, 2011 at 4:41 PM, James Chase <chase1...@gmail.com> wrote:
> > >> I am using the same system -- I have tried with last year's chain file as
> > >> well. The only thing that would be different to my knowledge are
> > >> possibly the version of openssl and the renewed crt file if it possibly
> > >> requires new CA's (I did use their most current certificates before I
> > >> tried using my old cafile).
> > >>
> > >> openssl verify never returns, I'm not sure what the syntax I am shooting
> > >> for there is.
> > >>
> > >> When I try without using the "-chain" command then it compiles the p12
> > >> and it does seem to load in Chrome and IE, but in FF3 I get:
> > >>
> > >> secure.example.com uses an invalid security certificate.
> > >>
> > >> The certificate is not trusted because the issuer certificate is
> > >> unknown.
> > >>
> > >> (Error code: sec_error_unknown_issuer)
> > >>
> > >> And in FF4 I get:
> > >>
> > >> store.innertraditions.com uses an invalid security certificate.
> > >>
> > >> The certificate is not trusted because no issuer chain was provided.
> > >>
> > >> (Error code: sec_error_unknown_issuer)
> > >>
> > >>
> > >> I have always used the -chain and -CAfile options together when creating
> > >> p12's.
> > >>
> > >> On Sat, Apr 23, 2011 at 12:32 PM, Crypto Sal <crypto....@gmail.com> wrote:
> > >>>  On 04/21/2011 06:51 PM, James Chase wrote:
> > >>> I have done this multiple years in a row with the exact same process
> > >>> but now I get the following error when I try to create my SSL:
> > >>>
> > >>> openssl pkcs12 -export -chain -CAfile cachain.crt -out
> > >>> my.domain.com.p12 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
> > >>> Error unable to get local issuer certificate getting chain.
> > >>>
> > >>> I concatenated all the intermediate files in the order they suggest,
> > >>> and according to the process I have documented that has worked the
> > >>> past few years. I also downloaded the pre-built chain file where they
> > >>> already concatenated the needed files together but I get the same
> > >>> error. I also tried the same chain file I used last year -- same
> > >>> results. Googling is not helping me understand this error. Anyone know
> > >>> what could be going on here with the EV SSL creation for Network
> > >>> Solutions?
> > >>>
> > >>>
> > >>>
> > >>> James,
> > >>>
> > >>> You don't need to include the '-chain' option since you are providing
> > >>> the chain with the '-CAfile' option. '-chain' is if you want OpenSSL
> > >>> to build the chain for you.
> > >>>
> > >>> --Crypto.Sal
> > >>
> > >
>
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>



-- 
"Beware of all enterprises that require new clothes."
  --  Henry David Thoreau
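To make the '-chain' versus '-CAfile' point in the thread concrete, here is an added example (not code from the thread or from OpenSSL's own documentation) that builds a throwaway root, intermediate and server certificate, then runs the same 'openssl pkcs12 -export -chain' command once with a CA file that lacks the root and once with the complete chain. It assumes the openssl command-line tool is on PATH; every name and file in it is made up.

```shell
#!/bin/sh
# Constructed demo: root -> intermediate -> server chain, then the thread's
# 'openssl pkcs12 -export -chain' once with an incomplete CA file and once
# with the full chain. Assumes the openssl CLI is installed; all names made up.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# Self-signed root CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
  -out root.pem 2>/dev/null
# Intermediate CA signed by the root (needs CA:TRUE to act as an issuer).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out inter.pem 2>/dev/null
# Server (end-entity) certificate signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -out leaf.pem 2>/dev/null

# Build a PKCS#12 the way the thread does; prints ok/fail instead of aborting.
export_p12() {
  if openssl pkcs12 -export -chain -CAfile "$1" -inkey leaf.key -in leaf.pem \
       -passout pass:test -out "$2" 2>/dev/null; then echo ok; else echo fail; fi
}
# Number of certificates stored in a PKCS#12 file.
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin pass:test -nokeys -nodes 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Case 1: CA file holds the intermediate but not the root. -chain must walk
# up to a self-signed anchor, so this fails with "unable to get local issuer
# certificate getting chain", the error at the start of the thread.
cp inter.pem chain-no-root.pem
NO_ROOT=$(export_p12 chain-no-root.pem out1.p12)
# Case 2: intermediate + root in the CA file: the chain builds and all three
# certificates (server, intermediate, root) end up in the .p12.
cat inter.pem root.pem > chain-full.pem
FULL=$(export_p12 chain-full.pem out2.p12)
echo "incomplete CA file: $NO_ROOT; full CA file: $FULL; certs in p12: $(p12_cert_count out2.p12)"
```

The same three-certificate file is what an 'openssl s_client' chain listing should show once the server is configured with it; a listing with only depth=0, as in the output above, means the intermediate is not being sent.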
