[google-appengine] *.appspot.com certificate chain in Chrome, Safari and IE

2010-08-23 Thread Carlos Rodrigues
Hi all,

I'm developing a small application on GAE that requires HTTPS, however
I'm having some trouble with the "*.appspot.com" certificate.

On Chrome, Safari and IE on Windows I get a certificate validation
error. This error appears to be related to the certificate validation
path, because the topmost authority is "Google Internet Authority" and
shows as "Not found".

On Firefox there is no error, and the certificate chain correctly
shows Equifax as the root CA and "Google Internet Authority" as an
intermediate CA.

On the Mac both Firefox and Safari work without showing any errors.

Is there a way around this? I can't expect users to trust the
application if they get a certificate error on Windows in every
browser except Firefox.

So a summary of tested browsers:

  * Internet Explorer 8 (Windows): error
  * Safari (Windows): error
  * Safari (OS X): OK
  * Chrome (Windows): error
  * Firefox (Windows): OK
  * Firefox (OS X): OK

It appears that browsers which use the integrated certificate
infrastructure on Windows are affected, and others are not.

I know that Windows supports intermediate CAs because I've tested it.
But it seems to require that the website itself provides the
intermediate CA's certificate (for example, on Apache this would be the
"SSLCertificateChainFile /path/to/intermediate-ca.crt" option).

Google App Engine does not appear to do this.

Best regards,
   Carlos Rodrigues

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To post to this group, send email to google-appeng...@googlegroups.com.
To unsubscribe from this group, send email to 
google-appengine+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/google-appengine?hl=en.



[google-appengine] Re: *.appspot.com certificate chain in Chrome, Safari and IE

2010-08-25 Thread Carlos Rodrigues
Hi again,

Any ideas? This is a show-stopper as far as secure applications go...

Best regards,




[google-appengine] Re: *.appspot.com certificate chain in Chrome, Safari and IE

2010-08-26 Thread Carlos Rodrigues
Since the problem only happens with browsers that rely on Windows'
certificate infrastructure, the version of Windows matters.

I've tested with IE 8 on Windows 7 and Windows Server 2008 and the
problem occurs.
I've also tested with IE 7 on Windows XP and Windows Server 2003 and
the problem does not occur.

I did not test with Windows Vista.

It seems that older versions of Windows follow the certificate chain
(by downloading it from somewhere), while the more recent versions
only follow it if the webserver itself provides the intermediate CA's
certificate (as I said, I've tested with other sites that use
intermediate CAs and they show no errors - because the intermediate
CA's certificate is being provided by Apache using the option I
mentioned before).

Best regards,

On Aug 25, 10:19 pm, Robert Kluin wrote:
> I only get a certificate error if I go to https://test.xx.appspot.com. I do
> not get errors going to https://xx.appspot.com.
>
> I tested with IE and Chrome and Windows.
>
> Robert



[google-appengine] Re: *.appspot.com certificate chain in Chrome, Safari and IE

2010-08-26 Thread Carlos Rodrigues
BTW, this is not a problem exclusive to GAE. The certificate for
"code.google.com" also seems to have changed recently and I just got a
warning from TortoiseSVN that the new certificate cannot be validated
because the certificate chain is incomplete.

Best regards,




[google-appengine] Re: *.appspot.com certificate chain in Chrome, Safari and IE

2010-08-27 Thread Carlos Rodrigues
The Equifax certificate is there, but the problem is with the
intermediate CA's certificate (Google's), which isn't found.

If it works for you on Windows 7, maybe you have Google's CA
certificate installed. This would certainly make the error go away,
but we can't ask users to do this (because most won't).

@James: This is not a limitation of wildcard certificates because it
works on Firefox but also with all browsers I've tested on Windows XP
and OS X (including Safari, which shows the error on Windows 7).

Best regards,

On Aug 27, 2:36 am, Matthew Blain wrote:
> This works for me on Windows 7. It's possible that the root
> certificates on your Windows machine are somehow missing the Equifax
> Secure Certificate Authority root certificate (also sometimes listed
> as GeoTrust)? Have you edited your list? I see a suggestion online to
> also check Windows Updates to see if there's a certificate update,
> though I believe this is not a recent CA.
>
> --Matthew
>
> On Aug 26, 10:45 am, Robert Kluin wrote:
>
> > Interesting. You are right, I probably checked using an XP vm not a Win 7 vm.

[google-appengine] Re: *.appspot.com certificate chain in Chrome, Safari and IE

2010-08-27 Thread Carlos Rodrigues
Sorry, you are right. The problem is that the Windows 7 certificate
store does not have the Equifax root certificate out of the box (on
Windows XP it does). The number of root certificates included with
Windows 7 out of the box is actually quite low.

The machines where I tested this and got an error (Windows 7 and 2008)
are fully updated (including the root certificates update). However
they are behind a proxy server, and maybe the root certificates update
doesn't work over a proxy server. I manually installed the root
certificates update again
(http://www.microsoft.com/downloads/en/confirmation.aspx?familyId=e4f9b573-66d7-4dda-95d5-26c7d0f6c652&displayLang=en)
with the machine connected directly to the internet and it populated the
certificate store with the missing root certificates.

I guess this is still a problem, but only for users that do not update
or that are behind HTTP proxy servers (corporate users, mostly).

Best regards,

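
The two explanations weighed in this thread (the server not sending the intermediate CA's certificate, and the client's root store lacking the Equifax root) can be told apart from the chain the server presents. The following is an added example, not part of the original posts: it parses constructed samples of the "Certificate chain" section printed by `openssl s_client -showcerts` and walks the issuer links against an assumed root store. The simplified names and the `parse_chain` and `resolve` helpers are illustrative assumptions.

```python
import re

# Constructed samples of the "Certificate chain" section printed by
# `openssl s_client -showcerts` (older "s:"/"i:" layout). The distinguished
# names are simplified for illustration, not copied from real certificates.
SENT_WITH_INTERMEDIATE = """\
Certificate chain
 0 s:/CN=*.appspot.com
   i:/CN=Google Internet Authority
 1 s:/CN=Google Internet Authority
   i:/OU=Equifax Secure Certificate Authority
"""
SENT_LEAF_ONLY = """\
Certificate chain
 0 s:/CN=*.appspot.com
   i:/CN=Google Internet Authority
"""
EQUIFAX = "/OU=Equifax Secure Certificate Authority"

PAIR = re.compile(r"^[ \t]*\d+[ \t]+s:(.+)\n[ \t]+i:(.+)$", re.MULTILINE)


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(s.strip(), i.strip()) for s, i in PAIR.findall(text)]


def resolve(text, root_store):
    """Walk issuer links from the leaf, by name only (no signature checks).

    Returns ("trusted", anchor) when a name in root_store is reached, or
    ("unresolved", issuer) naming the first issuer the client cannot find.
    """
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no certificates found in input")
    sent = dict(chain)            # subject -> issuer for every cert sent
    issuer = chain[0][1]          # start from the leaf's issuer
    visited = set()
    while True:
        if issuer in root_store:
            return ("trusted", issuer)
        if issuer in sent and issuer not in visited:
            visited.add(issuer)   # guards against self-signed or looping certs
            issuer = sent[issuer]
            continue
        return ("unresolved", issuer)


if __name__ == "__main__":
    cases = [
        ("intermediate sent, root present", SENT_WITH_INTERMEDIATE, {EQUIFAX}),
        ("leaf only, root present", SENT_LEAF_ONLY, {EQUIFAX}),
        ("intermediate sent, root missing", SENT_WITH_INTERMEDIATE, set()),
    ]
    for label, text, roots in cases:
        print(label, "->", resolve(text, roots))
```

An unresolved intermediate name points at the server's chain configuration, while an unresolved root name points at the client's trust store, which is the case the last message arrives at.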