>
>
> You've got the wrong chain file.  I understand that NetSol switched to a
> new EV Issuing CA a few months ago.  Are you definitely using the chain
> file that they supplied with your latest site cert?
>

I am using the chain file that they suggest downloading, which already has
the intermediate files concatenated into a file -- but apparently it is
wrong. I checked the .crt file that they include with my site certificate
and they are the same certs that are in the chain file they have
precompiled. I can't believe how much time I have spent on this issue.
Could the root of the issue be that they are not packaging the right files
with my new certificate? wtf

Mounir, where did you get those certificates?? The only cert that you used
that came with my certificate is the last one, AddTrustExternalCARoot -- the
other two are NOT included and are not in NetSol's precompiled chain file.
Your chain file works when I test with apache, and I have just created a p12
from those chain files and that works too! Hallelujah.

But seriously, how did you synthesize that chain file? And how would I be
expected to create that on my own?? I spent an hour and a half on the phone
with NetSol telling them there was something wrong with their files and they
just kept saying it was my fault and they will bill me $120/hour to fix it.





> > On Tue, Apr 26, 2011 at 8:19 AM, James Chase <chase1...@gmail.com> wrote:
> > > Well my results are quite different, and I guess point to my p12 not
> > > being correctly created. Strangely, the p12 I am running this test on
> > > works in production and doesn't produce a warning (I re-created last
> > > year's certificate as a new p12 using the same process I am trying with
> > > this year's).
> > >
> > > I also tried running this on my test apache site, where I am just using
> > > the plain old certificate, key and network solutions supplied chain
> > > file -- and the openssl s_client command returns better output but I
> > > still get a warning!
> > >
> > > [me@myserver ~]$ openssl s_client -connect www.example.com:443
> > > CONNECTED(00000003)
> > > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
> > > verify error:num=20:unable to get local issuer certificate
> > > verify return:1
> > > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
> > > verify error:num=27:certificate not trusted
> > > verify return:1
> > > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
> > > verify error:num=21:unable to verify the first certificate
> > > verify return:1
> > > ---
> > > Certificate chain
> > >  0 s:/serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd/OU=Book Sales/OU=Secure Link EV SSL/CN=www.example.com
> > >    i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA
> > > ---
> > >
> > > On Mon, Apr 25, 2011 at 6:16 PM, Rob Stradling <rob.stradl...@comodo.com> wrote:
> > >> On Monday 25 Apr 2011 20:07:03 James Chase wrote:
> > >> > I simplified the issue a bit in order to try and understand what is
> > >> > going on here and found that the SSL certificate that Network
> > >> > Solutions is providing, along with the intermediate chain file
> > >> > cannot be verified by newer installs of Firefox.
> > >>
> > >> Hi James.  That seems unlikely.  Try browsing to NetSol's own EV site
> > >> (https://www.networksolutions.com) in FF4.  I see the EV green bar and
> > >> no browser warnings.
> > >>
> > >> Could you post the top part of the output from "openssl s_client
> > >> -connect yourdomain:yourport" ?
> > >>
> > >> Then we can compare it with...
> > >>
> > >> $ openssl s_client -connect www.networksolutions.com:443
> > >> CONNECTED(00000003)
> > >> depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
> > >> verify error:num=19:self signed certificate in certificate chain
> > >> verify return:0
> > >> ---
> > >> Certificate chain
> > >>  0 s:/serialNumber=3713002/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/C=US/ST=VA/L=Herndon/O=Network Solutions, LLC/OU=Technology Services/OU=Secure Link EV SSL/CN=www.networksolutions.com
> > >>    i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
> > >>  1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
> > >>    i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
> > >>  2 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
> > >>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> > >>  3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> > >>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> > >> ---
> > >>
> > >> > It doesn't have anything to do with the p12
> > >> > file I am creating (I loaded up the network solutions files in apache
> > >> > and tested).
> > >> >
> > >> > Who would be at fault here? Am I still doing something wrong, or is
> > >> > this Mozilla's fault for not including a needed root ca file? It
> > >> > seems the missing link is the "AddTrustExternalCARoot" certificate.
> > >> >
> > >> > I tried adding the AddTrustExternalCARoot cert to the top of my
> > >> > certificate chain, but this causes apache to break, and then not start
> > >> > complaining of "[error] Failed to configure CA certificate chain!". I
> > >> > used a chain file that I have used in previous years, and that did
> > >> > allow apache to start but I still cannot verify with Firefox. Then I
> > >> > tried using last year's (and soon expiring) certificate for my site
> > >> > and that works FINE. So ... Network Solutions screwed something up
> > >> > when issuing my certificate (this is the second one I have had
> > >> > re-issued) or am I doing something wrong. I have no idea what that
> > >> > could be at this point -- I have never had so much trouble with an
> > >> > SSL certificate and am not an expert by any means.
> > >> >
> > >> > Anyone have any thoughts? I called NS earlier in this process and
> > >> > they said "not our problem" but perhaps I will try again.
> > >> >
> > >> > On Mon, Apr 25, 2011 at 11:01 AM, James Chase <chase1...@gmail.com> wrote:
> > >> > > I did run the verification, and didn't have an issue there. Still
> > >> > > am not able to figure out how to correctly create this as the only
> > >> > > way the p12 compiles is by dropping the "-chain" command but that
> > >> > > creates ssl verification warnings in Firefox web browsers.
> > >> > >
> > >> > > openssl req -verify -in www.example.com.csr -key www.example.com.key
> > >> > > verify OK
> > >> > > -----BEGIN CERTIFICATE REQUEST-----
> > >> > > CERTIFICATE DATA HERE
> > >> > > -----END CERTIFICATE REQUEST-----
> > >> > >
> > >> > > On Sat, Apr 23, 2011 at 4:41 PM, James Chase <chase1...@gmail.com> wrote:
> > >> > >> I am using the same system -- I have tried with last year's chain
> > >> > >> file as well. The only thing that would be different to my
> > >> > >> knowledge are possibly the version of openssl and the renewed crt
> > >> > >> file if it possibly requires new CA's (I did use their most current
> > >> > >> certificates before I tried using my old cafile).
> > >> > >>
> > >> > >> openssl verify never returns, I'm not sure what the syntax I am
> > >> > >> shooting for there is.
> > >> > >>
> > >> > >> When I try without using the "-chain" command then it compiles the
> > >> > >> p12 and it does seem to load in Chrome and IE, but in FF3 I get:
> > >> > >>
> > >> > >> secure.example.com uses an invalid security certificate.
> > >> > >>
> > >> > >> The certificate is not trusted because the issuer certificate is
> > >> > >> unknown.
> > >> > >>
> > >> > >> (Error code: sec_error_unknown_issuer)
> > >> > >>
> > >> > >> And in FF4 I get:
> > >> > >>
> > >> > >> store.innertraditions.com uses an invalid security certificate.
> > >> > >>
> > >> > >> The certificate is not trusted because no issuer chain was
> > >> > >> provided.
> > >> > >>
> > >> > >> (Error code: sec_error_unknown_issuer)
> > >> > >>
> > >> > >> I have always used the -chain and -CAfile options together when
> > >> > >> creating p12's.
> > >> > >>
> > >> > >> On Sat, Apr 23, 2011 at 12:32 PM, Crypto Sal <crypto....@gmail.com> wrote:
> > >> > >>>  On 04/21/2011 06:51 PM, James Chase wrote:
> > >> > >>> I have done this multiple years in a row with the exact same
> > >> > >>> process but now I get the following error when I try to create my
> > >> > >>> SSL:
> > >> > >>>
> > >> > >>> openssl pkcs12 -export -chain -CAfile cachain.crt -out
> > >> > >>> my.domain.com.p12 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
> > >> > >>> Error unable to get local issuer certificate getting chain.
> > >> > >>>
> > >> > >>> I concatenated all the intermediate files in the order they
> > >> > >>> suggest, and according to the process I have documented that has
> > >> > >>> worked the past few years. I also downloaded the pre-built chain
> > >> > >>> file where they already concatenated the needed files together but
> > >> > >>> I get the same error. I also tried the same chain file I used last
> > >> > >>> year -- same results. Googling is not helping me understand this
> > >> > >>> error. Anyone know what could be going on here with the EV SSL
> > >> > >>> creation for Network Solutions?
> > >> > >>>
> > >> > >>> --
> > >> > >>> "Beware of all enterprises that require new clothes."
> > >> > >>>   --  Henry David Thoreau
> > >> > >>>
> > >> > >>> James,
> > >> > >>>
> > >> > >>> You don't need to include the '-chain' option since you are
> > >> > >>> providing the chain with the '-CAfile' option. '-chain' is if you
> > >> > >>> want OpenSSL to build the chain for you.
> > >> > >>>
> > >> > >>> --Crypto.Sal
> > >> > >>
> > >>
> > >> Rob Stradling
> > >> Senior Research & Development Scientist
> > >> COMODO - Creating Trust Online
> > >> ______________________________________________________________________
> > >> OpenSSL Project                                 http://www.openssl.org
> > >> User Support Mailing List                    openssl-users@openssl.org
> > >> Automated List Manager                           majord...@openssl.org
> > >
>
>



-- 
"Beware of all enterprises that require new clothes."
  --  Henry David Thoreau
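The question asked above (how to synthesize the chain file on your own) comes down to walking from the site certificate towards a self-signed root, at each step picking the certificate whose subject matches the current issuer, and then checking the result with openssl verify before Apache or pkcs12 ever sees it. The script below is an added example, not code from this thread, from OpenSSL or from Network Solutions; the file names, the function names and the constructed test hierarchy are all assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: build an Apache-style chain file by
# following each certificate's issuer to the matching subject in a pool of
# candidate PEMs, then prove the chain verifies before deploying it.
set -eu

# Constructed root -> issuing CA -> leaf hierarchy so the script runs offline;
# with real certificates skip this and pass your own files to build_chain.
make_test_pki() {  # make_test_pki DIR
  d=$1; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
    -days 30 -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Issuing CA" \
    -keyout "$d/ica.key" -out "$d/ica.csr" 2>/dev/null
  openssl x509 -req -in "$d/ica.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 30 -out "$d/ica.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ica.pem" -CAkey "$d/ica.key" \
    -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null
}

# From the leaf, append the pool certificate whose subject equals the current
# issuer until a self-signed root is reached. OUT gets the intermediates in
# leaf-to-root order with the leaf itself excluded, which is what Apache's
# SSLCertificateChainFile and the -certfile argument of openssl pkcs12 expect.
build_chain() {  # build_chain LEAF OUT POOL...
  cur=$1; out=$2; shift 2; : > "$out"
  while :; do
    subj=$(openssl x509 -in "$cur" -noout -subject); subj=${subj#subject=}
    iss=$(openssl x509 -in "$cur" -noout -issuer); iss=${iss#issuer=}
    [ "$subj" = "$iss" ] && return 0   # self-signed root: nothing above it
    next=""
    for c in "$@"; do
      s=$(openssl x509 -in "$c" -noout -subject); s=${s#subject=}
      [ "$s" = "$iss" ] && { next=$c; break; }
    done
    [ -n "$next" ] || { echo "no cert in pool with subject: $iss" >&2; return 1; }
    cat "$next" >> "$out"; cur=$next
  done
}

# Verify the way a client would: only ROOT is a trust anchor, so every link
# between it and LEAF must be supplied by CHAIN. Returns non-zero on any gap.
verify_chain() {  # verify_chain LEAF CHAIN ROOT
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}
```

With real files the calls are `build_chain site.crt chain.pem intermediates/*.pem root.pem` followed by `verify_chain site.crt chain.pem root.pem`; the "no cert in pool with subject" message names exactly the intermediate that a vendor bundle is missing.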
