On Tuesday 26 Apr 2011 13:29:00 James Chase wrote:
> Someone suggested it would be helpful to post the chain file and the site's
> public certificate to the list. If it is helpful, here is the site cert
> (and below that their supplied chain file)
> 
> -----BEGIN CERTIFICATE-----
<snip>
> -----END CERTIFICATE-----

Piping that site cert through "openssl x509 -noout -issuer" gives...

issuer= /C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA

> And the chain file
> 
> -----BEGIN CERTIFICATE-----
<snip>
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
<snip>
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
<snip>
> -----END CERTIFICATE-----

Piping that last CA cert through "openssl x509 -noout -subject" gives...

subject= /C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA

You've got the wrong chain file.  I understand that NetSol switched to a new 
EV Issuing CA a few months ago.  Are you definitely using the chain file that 
they supplied with your latest site cert?

> On Tue, Apr 26, 2011 at 8:19 AM, James Chase <chase1...@gmail.com> wrote:
> > Well my results are quite different, and I guess point to my p12 not
> > being correctly created. Strangely, the p12 I am running this test on
> > works in production and doesn't produce a warning (I re-created last
> > years certificate as a new p12 using the same process I am trying with
> > this years).
> > 
> > I also tried running this on my test apache site, where I am just using
> > the plain old certificate, key and network solutions supplied chain file
> > -- and the openssl s_client command returns better output but I still
> > get a warning!
> > 
> > [me@myserver ~]$ openssl s_client -connect www.example.com:443
> > CONNECTED(00000003)
> > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
> > verify error:num=27:certificate not trusted
> > verify return:1
> > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> > ---
> > Certificate chain
> >  0 s:/serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd/OU=Book Sales/OU=Secure Link EV SSL/CN=www.example.com
> >    i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA
> > ---
> > 
> > On Mon, Apr 25, 2011 at 6:16 PM, Rob Stradling <rob.stradl...@comodo.com> wrote:
> >> On Monday 25 Apr 2011 20:07:03 James Chase wrote:
> >> > I simplified the issue a bit in order to try and understand what is
> >> > going on here and found that the SSL certificate that Network Solutions is
> >> > providing, along with the intermediate chain file cannot be verified
> >> > by newer installs of Firefox.
> >> 
> >> Hi James.  That seems unlikely.  Try browsing to NetSol's own EV site
> >> (https://www.networksolutions.com) in FF4.  I see the EV green bar and
> >> no browser warnings.
> >> 
> >> Could you post the top part of the output from "openssl s_client
> >> -connect yourdomain:yourport" ?
> >> 
> >> Then we can compare it with...
> >> 
> >> $ openssl s_client -connect www.networksolutions.com:443
> >> CONNECTED(00000003)
> >> depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
> >> verify error:num=19:self signed certificate in certificate chain
> >> verify return:0
> >> ---
> >> Certificate chain
> >>  0 s:/serialNumber=3713002/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/C=US/ST=VA/L=Herndon/O=Network Solutions, LLC/OU=Technology Services/OU=Secure Link EV SSL/CN=www.networksolutions.com
> >>    i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
> >>  1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
> >>    i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
> >>  2 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
> >>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> >>  3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> >>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> >> ---
> >> 
> >> > It doesn't have anything to do with the p12
> >> > file I am creating (I loaded up the network solutions files in apache
> >> > and tested).
> >> > 
> >> > Who would be at fault here? Am I still doing something wrong, or is
> >> > this Mozilla's fault for not including a needed root ca file? It
> >> > seems the missing link is the "AddTrustExternalCARoot" certificate.
> >> > 
> >> > I tried adding the AddTrustExternalCARoot cert to the top of my
> >> > certificate chain, but this causes apache to break, and then not start,
> >> > complaining of "[error] Failed to configure CA certificate chain!". I used
> >> > a chain file that I have used in previous years, and that did allow apache
> >> > to start but I still cannot verify with Firefox. Then I tried using last
> >> > year's (and soon expiring) certificate for my site and that works FINE.
> >> > So ... Network Solutions screwed something up when issuing my certificate
> >> > (this is the second one I have had re-issued) or am I doing something
> >> > wrong. I have no idea what that could be at this point -- I have never had
> >> > so much trouble with an SSL certificate and am not an expert by any means.
> >> > 
> >> > Anyone have any thoughts? I called NS earlier in this process and they
> >> > said "not our problem" but perhaps I will try again.
> >> > 
> >> > On Mon, Apr 25, 2011 at 11:01 AM, James Chase <chase1...@gmail.com> wrote:
> >> > > I did run the verification, and didn't have an issue there. Still am
> >> > > not able to figure out how to correctly create this as the only way the
> >> > > p12 compiles is by dropping the "-chain" command but that creates ssl
> >> > > verification warnings in Firefox web browsers.
> >> > > 
> >> > > openssl req -verify -in www.example.com.csr -key www.example.com.key
> >> > > verify OK
> >> > > -----BEGIN CERTIFICATE REQUEST-----
> >> > > CERTIFICATE DATA HERE
> >> > > -----END CERTIFICATE REQUEST-----
> >> > > 
> >> > > On Sat, Apr 23, 2011 at 4:41 PM, James Chase <chase1...@gmail.com> wrote:
> >> > >> I am using the same system -- I have tried with last year's chain
> >> > >> file as well. The only thing that would be different to my knowledge
> >> > >> are possibly the version of openssl and the renewed crt file if it
> >> > >> possibly requires new CA's (I did use their most current certificates
> >> > >> before I tried using my old cafile).
> >> > >> 
> >> > >> openssl verify never returns, I'm not sure what the syntax I am
> >> > >> shooting for there is.
> >> > >> 
> >> > >> When I try without using the "-chain" command then it compiles the
> >> > >> p12 and it does seem to load in Chrome and IE, but in FF3 I get:
> >> > >> 
> >> > >> secure.example.com uses an invalid security certificate.
> >> > >> 
> >> > >> The certificate is not trusted because the issuer certificate is
> >> > >> unknown.
> >> > >> 
> >> > >> (Error code: sec_error_unknown_issuer)
> >> > >> 
> >> > >> And in FF4 I get:
> >> > >> 
> >> > >> store.innertraditions.com uses an invalid security certificate.
> >> > >> 
> >> > >> The certificate is not trusted because no issuer chain was
> >> > >> provided.
> >> > >> 
> >> > >> (Error code: sec_error_unknown_issuer)
> >> > >> 
> >> > >> I have always used the -chain and -CAfile options together when
> >> > >> creating p12's.
> >> > >> 
> >> > >> On Sat, Apr 23, 2011 at 12:32 PM, Crypto Sal <crypto....@gmail.com> wrote:
> >> > >>>  On 04/21/2011 06:51 PM, James Chase wrote:
> >> > >>> I have done this multiple years in a row with the exact same
> >> > >>> process but now I get the following error when I try to create my
> >> > >>> SSL:
> >> > >>> 
> >> > >>> openssl pkcs12 -export -chain -CAfile cachain.crt -out
> >> > >>> my.domain.com.p12 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
> >> > >>> Error unable to get local issuer certificate getting chain.
> >> > >>> 
> >> > >>> I concatenated all the intermediate files in the order they
> >> > >>> suggest, and according to the process I have documented that has
> >> > >>> worked the past few years. I also downloaded the pre-built chain
> >> > >>> file where they already concatenated the needed files together but
> >> > >>> I get the same error. I also tried the same chain file I used last
> >> > >>> year -- same results. Googling is not helping me understand this
> >> > >>> error. Anyone know what could be going on here with the EV SSL
> >> > >>> creation for Network Solutions?
> >> > >>> 
> >> > >>> 
> >> > >>> --
> >> > >>> "Beware of all enterprises that require new clothes."
> >> > >>> 
> >> > >>>   --  Henry David Thoreau
> >> > >>> 
> >> > >>> James,
> >> > >>> 
> >> > >>> You don't need to include the '-chain' option since you are
> >> > >>> providing the chain with the '-CAfile' option. '-chain' is if you
> >> > >>> want OpenSSL to build the chain for you.
> >> > >>> 
> >> > >>> --Crypto.Sal
> >> > >> 
> >> > > 
> >> 
> >> Rob Stradling
> >> Senior Research & Development Scientist
> >> COMODO - Creating Trust Online
> >> ______________________________________________________________________
> >> OpenSSL Project                                 http://www.openssl.org
> >> User Support Mailing List                    openssl-users@openssl.org
> >> Automated List Manager                           majord...@openssl.org
> > 

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
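As an added example (not code from the thread or from OpenSSL): a small Python check for the mismatch Rob found above. It parses the "Certificate chain" block that `openssl s_client` prints into subject/issuer pairs and reports the first link where an issuer DN is not the next certificate's subject DN; the two sample chains are constructed from abbreviated DNs taken from this thread.

```python
import re

# Constructed sample shaped like the "Certificate chain" block of `openssl
# s_client` output (DNs abbreviated from the thread); the working NetSol chain.
GOOD_CHAIN = """\
 0 s:/C=US/O=Network Solutions, LLC/CN=www.networksolutions.com
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
 1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
 2 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
   i:/C=SE/O=AddTrust AB/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/CN=AddTrust External CA Root
"""
# Constructed: a leaf from the new "EV Server CA" served with the old "EV SSL CA" chain file.
WRONG_CHAIN = """\
 0 s:/C=US/O=A Company International Ltd/CN=www.example.com
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
 1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    pairs, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(?:\d+\s+)?([si]):(.+)$", line)
        if m is None:
            continue  # "Certificate chain", "---", blank lines, etc.
        if m.group(1) == "s":
            subject = m.group(2).strip()
        elif subject is not None:
            pairs.append((subject, m.group(2).strip()))
    return pairs

def check_chain(pairs):
    """Return (linked, detail). Links when each issuer DN equals the next
    subject DN; a break is what s_client reports as verify error 20."""
    if not pairs:
        return False, "no certificates presented"
    for depth, (subject, issuer) in enumerate(pairs[:-1]):
        next_subject = pairs[depth + 1][0]
        if issuer != next_subject:
            return False, (f"depth {depth}: issuer '{issuer}' is not the subject "
                           f"of the next certificate '{next_subject}'")
    subject, issuer = pairs[-1]
    if subject == issuer:
        return True, f"links and ends at self-signed root '{subject}'"
    return True, f"links; client must already trust '{issuer}'"  # no root sent
```

Matching DN strings only locates the wrong chain file; `openssl verify -untrusted chain.pem site.pem` (or a browser) additionally checks signatures and key identifiers, so use this as a first diagnostic, not as a substitute for verification.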
