#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2012
    Posts
    5
    Rep Power
    0

    Apache SSL mirror problems!


    Hello All!

    My website (http://www.MDTech.us) now has a SSL VPS mirror! Everything is finally set up! But, when I tried opening the mirror (https://mirror2.MDTech.us) using Firefox 14.0.1, first, it said that it was just partially encrypted. Now, after I created a new profile, Firefox says that "The certificate is not trusted because no issuer chain was provided."! Here is the full message:



    Also, the web server is :
    Code:
    Apache/2.2.22 (Debian) Server at mirror2.mdtech.us Port 443
  2. #2
  3. No Profile Picture
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,301
    Rep Power
    7170
    first, it said that it was just partially encrypted
    This is a coding problem; it means you have some resource (image, css, javascript, etc.) on the page that is referenced over http instead of https. Do a view source on your page and search for "http://", I see many scripts and css files that are causing this issue for you.

    Now, after I created a new profile, Firefox says that "The certificate is not trusted because no issuer chain was provided."!
    This is probably an Apache configuration error. Did you install an intermediate CA bundle when you configured the certificate? If not, you will need to download this from the company you bought your certificate from and install it on the server. Note that I don't actually see this error when I visit your site, however that is likely because some other website has already installed the intermediate CA on my browser.
    Last edited by E-Oreo; August 22nd, 2012 at 09:41 PM.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2012
    Posts
    5
    Rep Power
    0
    Originally Posted by E-Oreo
    This is a coding problem; it means you have some resource (image, css, javascript, etc.) on the page that is referenced over http instead of https. Do a view source on your page and search for "http://", I see many scripts and css files that are causing this issue for you.


    This is probably an Apache configuration error. Did you install an intermediate CA bundle when you configured the certificate? If not, you will need to download this from the company you bought your certificate from and install it on the server. Note that I don't actually see this error when I visit your site, however that is likely because some other website has already installed the intermediate CA on my browser.
    I typed in the location of the *.key and *.pem files in the config files. Here is the *.PEM file:
    http://mdtfiles. 3owl. com/download. php?file=824ssl.pem
    (remove the extra spaces)

    And the *.crt (same as *.cer I think):
    http://mdtfiles. 3owl. com/download. php?file=150ssl.crt
    (remove the extra spaces)
  6. #4
  7. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2012
    Posts
    5
    Rep Power
    0
    Please reply
  8. #5
  9. No Profile Picture
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,301
    Rep Power
    7170
    Your download links don't work for me. However, in addition to the SSLCertificateFile and SSLCertificateKeyFile directives, you should also have one called SSLCACertificateFile that points to the CA bundle provided by your certificate signer.

    My guess is that the contents should look something like this:
    Code:
    -----BEGIN CERTIFICATE-----
    MIIGNDCCBBygAwIBAgIBGDANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
    MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
    Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh
    dGlvbiBBdXRob3JpdHkwHhcNMDcxMDI0MjA1NDE3WhcNMTcxMDI0MjA1NDE3WjCB
    jDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsT
    IlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0
    YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVyIENBMIIB
    IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtonGrO8JUngHrJJj0PREGBiE
    gFYfka7hh/oyULTTRwbw5gdfcA4Q9x3AzhA2NIVaD5Ksg8asWFI/ujjo/OenJOJA
    pgh2wJJuniptTT9uYSAK21ne0n1jsz5G/vohURjXzTCm7QduO3CHtPn66+6CPAVv
    kvek3AowHpNz/gfK11+AnSJYUq4G2ouHI2mw5CrY6oPSvfNx23BaKA+vWjhwRRI/
    ME3NO68X5Q/LoKldSKqxYVDLNM08XMML6BDAjJvwAwNi/rJsPnIO7hxDKslIDlc5
    xDEhyBDBLIf+VJVSH1I8MRKbf+fAoKVZ1eKPPvDVqOHXcDGpxLPPr21TLwb0pwID
    AQABo4IBrTCCAakwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD
    VR0OBBYEFOtCNNCYsKuf9BtrCPfMZC7vDixFMB8GA1UdIwQYMBaAFE4L7xqkQFul
    F2mHMMo0aEPQQa7yMGYGCCsGAQUFBwEBBFowWDAnBggrBgEFBQcwAYYbaHR0cDov
    L29jc3Auc3RhcnRzc2wuY29tL2NhMC0GCCsGAQUFBzAChiFodHRwOi8vd3d3LnN0
    YXJ0c3NsLmNvbS9zZnNjYS5jcnQwWwYDVR0fBFQwUjAnoCWgI4YhaHR0cDovL3d3
    dy5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMCegJaAjhiFodHRwOi8vY3JsLnN0YXJ0
    c3NsLmNvbS9zZnNjYS5jcmwwgYAGA1UdIAR5MHcwdQYLKwYBBAGBtTcBAgEwZjAu
    BggrBgEFBQcCARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjA0
    BggrBgEFBQcCARYoaHR0cDovL3d3dy5zdGFydHNzbC5jb20vaW50ZXJtZWRpYXRl
    LnBkZjANBgkqhkiG9w0BAQUFAAOCAgEAIQlJPqWIbuALi0jaMU2P91ZXouHTYlfp
    tVbzhUV1O+VQHwSL5qBaPucAroXQ+/8gA2TLrQLhxpFy+KNN1t7ozD+hiqLjfDen
    xk+PNdb01m4Ge90h2c9W/8swIkn+iQTzheWq8ecf6HWQTd35RvdCNPdFWAwRDYSw
    xtpdPvkBnufh2lWVvnQce/xNFE+sflVHfXv0pQ1JHpXo9xLBzP92piVH0PN1Nb6X
    t1gW66pceG/sUzCv6gRNzKkC4/C2BBL2MLERPZBOVmTX3DxDX3M570uvh+v2/miI
    RHLq0gfGabDBoYvvF0nXYbFFSF87ICHpW7LM9NfpMfULFWE7epTj69m8f5SuauNi
    YpaoZHy4h/OZMn6SolK+u/hlz8nyMPyLwcKmltdfieFcNID1j0cHL7SRv7Gifl9L
    WtBbnySGBVFaaQNlQ0lxxeBvlDRr9hvYqbBMflPrj0jfyjO1SPo2ShpTpjMM0InN
    SRXNiTE8kMBy12VLUjWKRhFEuT2OKGWmPnmeXAhEKa2wNREuIU640ucQPl2Eg7PD
    wuTSxv0JS3QJ3fGz0xk+gA2iCxnwOOfFwq/iI9th4p1cbiCJSS4jarJiwUW0n6+L
    p/EiO/h94pDQehn7Skzj0n1fSoMD7SfWI55rjbRZotnvbIIp3XUZPD9MEI3vu3Un
    0q6Dp6jOW6c=
    -----END CERTIFICATE-----
    But again, contact your certificate signer to obtain the actual CA bundle.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  10. #6
  11. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2012
    Posts
    5
    Rep Power
    0
    Originally Posted by E-Oreo
    Your download links don't work for me. However, in addition to the SSLCertificateFile and SSLCertificateKeyFile directives, you should also have one called SSLCACertificateFile that points to the CA bundle provided by your certificate signer.

    My guess is that the contents should look something like this:
    Code:
    -----BEGIN CERTIFICATE-----
    MIIGNDCCBBygAwIBAgIBGDANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
    MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
    Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh
    dGlvbiBBdXRob3JpdHkwHhcNMDcxMDI0MjA1NDE3WhcNMTcxMDI0
    ...
    -----END CERTIFICATE-----
    But again, contact your certificate signer to obtain the actual CA bundle.
    I finally found it (actually 'them') 2 CA certificates.

    Here is their location: (first 2 files)
    http://www.startssl.com/certs/

    One is a x509 Certificate (DER) ca-bundle.crt file and the other is a x509 Certificate (PEM) ca-bundle.pem file. Which one should I use?
  12. #7
  13. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2012
    Posts
    5
    Rep Power
    0
    Originally Posted by MDTech.us_MAN
    I finally found it (actually 'them') 2 CA certificates.

    Here is their location: (first 2 files)
    http://www.startssl.com/certs/

    One is a x509 Certificate (DER) ca-bundle.crt file and the other is a x509 Certificate (PEM) ca-bundle.pem file. Which one should I use?
    I tried both but when I tried ether, I get:
    Code:
    mirror2.mdtech.us uses an invalid security certificate.
    
    The certificate is not trusted because the issuer certificate is not trusted.
    
    (Error code: sec_error_untrusted_issuer)
    P.S. Is it possible to just use a simple PFX file in apache like I used in IIS?

IMN logo majestic logo threadwatch logo seochat tools logo