The Shed is going Social! Join us on FaceBook and Twitter and chime in on the conversation.
|
 |
|
Dev Shed Forums
> System Administration
> Apache Development
|
Apache SSL mirror problems!
Discuss Apache SSL mirror problems! in the Apache Development forum on Dev Shed.
Apache SSL mirror problems! Apache Development forum discussing HTTP Server general topics, configuration, and modules. Apache is an open source web server that runs on multiple platforms.
|
|
 |
|
|
|
|
Dev Shed Forums Sponsor:
|
|
|
August 22nd, 2012, 09:08 PM
|
|
Registered User
|
|
Join Date: Aug 2012
Posts: 5
Time spent in forums: 1 h 11 m 15 sec
Reputation Power: 0
|
|
|
Apache SSL mirror problems!
Hello All! 
My website (http://www.MDTech.us) now has a SSL VPS mirror! Everything is finally set up! But, when I tried opening the mirror (https://mirror2.MDTech.us) using Firefox 14.0.1, first, it said that it was just partially encrypted. Now, after I created a new profile, Firefox says that "The certificate is not trusted because no issuer chain was provided."! Here is the full message:
Also, the web server is :
Code:
Apache/2.2.22 (Debian) Server at mirror2.mdtech.us Port 443
|
August 22nd, 2012, 09:38 PM
|
 |
Lost in code
|
|
|
|
Quote: | first, it said that it was just partially encrypted |
This is a coding problem; it means you have some resource (image, css, javascript, etc.) on the page that is referenced over http instead of https. Do a view source on your page and search for "http://", I see many scripts and css files that are causing this issue for you.
Quote: | Now, after I created a new profile, Firefox says that "The certificate is not trusted because no issuer chain was provided."! |
This is probably an Apache configuration error. Did you install an intermediate CA bundle when you configured the certificate? If not, you will need to download this from the company you bought your certificate from and install it on the server. Note that I don't actually see this error when I visit your site, however that is likely because some other website has already installed the intermediate CA on my browser.
Last edited by E-Oreo : August 22nd, 2012 at 09:41 PM.
|
August 22nd, 2012, 10:36 PM
|
|
Registered User
|
|
Join Date: Aug 2012
Posts: 5
Time spent in forums: 1 h 11 m 15 sec
Reputation Power: 0
|
|
Quote: | Originally Posted by E-Oreo This is a coding problem; it means you have some resource (image, css, javascript, etc.) on the page that is referenced over http instead of https. Do a view source on your page and search for "http://", I see many scripts and css files that are causing this issue for you.
This is probably an Apache configuration error. Did you install an intermediate CA bundle when you configured the certificate? If not, you will need to download this from the company you bought your certificate from and install it on the server. Note that I don't actually see this error when I visit your site, however that is likely because some other website has already installed the intermediate CA on my browser. |
I typed in the location of the *.key and *.pem files in the config files. Here is the *.PEM file:
http://mdtfiles. 3owl. com/download. php?file=824ssl.pem
(remove the extra spaces)
And the *.crt (same as *.cer I think):
http://mdtfiles. 3owl. com/download. php?file=150ssl.crt
(remove the extra spaces)
|
August 23rd, 2012, 09:53 PM
|
|
Registered User
|
|
Join Date: Aug 2012
Posts: 5
Time spent in forums: 1 h 11 m 15 sec
Reputation Power: 0
|
|
|
Please reply
|
August 24th, 2012, 12:26 AM
|
|
Lost in code
|
|
|
|
Your download links don't work for me. However, in addition to the SSLCertificateFile and SSLCertificateKeyFile directives, you should also have one called SSLCACertificateFile that points to the CA bundle provided by your certificate signer.
My guess is that the contents should look something like this:
Code:
-----BEGIN CERTIFICATE-----
MIIGNDCCBBygAwIBAgIBGDANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh
dGlvbiBBdXRob3JpdHkwHhcNMDcxMDI0MjA1NDE3WhcNMTcxMDI0MjA1NDE3WjCB
jDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsT
IlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0
YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVyIENBMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtonGrO8JUngHrJJj0PREGBiE
gFYfka7hh/oyULTTRwbw5gdfcA4Q9x3AzhA2NIVaD5Ksg8asWFI/ujjo/OenJOJA
pgh2wJJuniptTT9uYSAK21ne0n1jsz5G/vohURjXzTCm7QduO3CHtPn66+6CPAVv
kvek3AowHpNz/gfK11+AnSJYUq4G2ouHI2mw5CrY6oPSvfNx23BaKA+vWjhwRRI/
ME3NO68X5Q/LoKldSKqxYVDLNM08XMML6BDAjJvwAwNi/rJsPnIO7hxDKslIDlc5
xDEhyBDBLIf+VJVSH1I8MRKbf+fAoKVZ1eKPPvDVqOHXcDGpxLPPr21TLwb0pwID
AQABo4IBrTCCAakwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD
VR0OBBYEFOtCNNCYsKuf9BtrCPfMZC7vDixFMB8GA1UdIwQYMBaAFE4L7xqkQFul
F2mHMMo0aEPQQa7yMGYGCCsGAQUFBwEBBFowWDAnBggrBgEFBQcwAYYbaHR0cDov
L29jc3Auc3RhcnRzc2wuY29tL2NhMC0GCCsGAQUFBzAChiFodHRwOi8vd3d3LnN0
YXJ0c3NsLmNvbS9zZnNjYS5jcnQwWwYDVR0fBFQwUjAnoCWgI4YhaHR0cDovL3d3
dy5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMCegJaAjhiFodHRwOi8vY3JsLnN0YXJ0
c3NsLmNvbS9zZnNjYS5jcmwwgYAGA1UdIAR5MHcwdQYLKwYBBAGBtTcBAgEwZjAu
BggrBgEFBQcCARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjA0
BggrBgEFBQcCARYoaHR0cDovL3d3dy5zdGFydHNzbC5jb20vaW50ZXJtZWRpYXRl
LnBkZjANBgkqhkiG9w0BAQUFAAOCAgEAIQlJPqWIbuALi0jaMU2P91ZXouHTYlfp
tVbzhUV1O+VQHwSL5qBaPucAroXQ+/8gA2TLrQLhxpFy+KNN1t7ozD+hiqLjfDen
xk+PNdb01m4Ge90h2c9W/8swIkn+iQTzheWq8ecf6HWQTd35RvdCNPdFWAwRDYSw
xtpdPvkBnufh2lWVvnQce/xNFE+sflVHfXv0pQ1JHpXo9xLBzP92piVH0PN1Nb6X
t1gW66pceG/sUzCv6gRNzKkC4/C2BBL2MLERPZBOVmTX3DxDX3M570uvh+v2/miI
RHLq0gfGabDBoYvvF0nXYbFFSF87ICHpW7LM9NfpMfULFWE7epTj69m8f5SuauNi
YpaoZHy4h/OZMn6SolK+u/hlz8nyMPyLwcKmltdfieFcNID1j0cHL7SRv7Gifl9L
WtBbnySGBVFaaQNlQ0lxxeBvlDRr9hvYqbBMflPrj0jfyjO1SPo2ShpTpjMM0InN
SRXNiTE8kMBy12VLUjWKRhFEuT2OKGWmPnmeXAhEKa2wNREuIU640ucQPl2Eg7PD
wuTSxv0JS3QJ3fGz0xk+gA2iCxnwOOfFwq/iI9th4p1cbiCJSS4jarJiwUW0n6+L
p/EiO/h94pDQehn7Skzj0n1fSoMD7SfWI55rjbRZotnvbIIp3XUZPD9MEI3vu3Un
0q6Dp6jOW6c=
-----END CERTIFICATE-----
But again, contact your certificate signer to obtain the actual CA bundle.
|
August 25th, 2012, 09:18 AM
|
|
Registered User
|
|
Join Date: Aug 2012
Posts: 5
Time spent in forums: 1 h 11 m 15 sec
Reputation Power: 0
|
|
Quote: | Originally Posted by E-Oreo Your download links don't work for me. However, in addition to the SSLCertificateFile and SSLCertificateKeyFile directives, you should also have one called SSLCACertificateFile that points to the CA bundle provided by your certificate signer.
My guess is that the contents should look something like this:
Code:
-----BEGIN CERTIFICATE-----
MIIGNDCCBBygAwIBAgIBGDANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh
dGlvbiBBdXRob3JpdHkwHhcNMDcxMDI0MjA1NDE3WhcNMTcxMDI0
...
-----END CERTIFICATE-----
But again, contact your certificate signer to obtain the actual CA bundle. |
I finally found it (actually 'them') 2 CA certificates. 
Here is their location: (first 2 files)
http://www.startssl.com/certs/
One is a x509 Certificate (DER) ca-bundle.crt file and the other is a x509 Certificate (PEM) ca-bundle.pem file. Which one should I use?
|
August 25th, 2012, 10:01 AM
|
|
Registered User
|
|
Join Date: Aug 2012
Posts: 5
Time spent in forums: 1 h 11 m 15 sec
Reputation Power: 0
|
|
Quote: | Originally Posted by MDTech.us_MAN I finally found it (actually 'them') 2 CA certificates.
Here is their location: (first 2 files)
http://www.startssl.com/certs/
One is a x509 Certificate (DER) ca-bundle.crt file and the other is a x509 Certificate (PEM) ca-bundle.pem file. Which one should I use? |
I tried both but when I tried ether, I get:
Code:
mirror2.mdtech.us uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is not trusted.
(Error code: sec_error_untrusted_issuer)
P.S. Is it possible to just use a simple PFX file in apache like I used in IIS?
|
Developer Shed Advertisers and Affiliates
| Thread Tools |
Search this Thread |
|
|
|
| Display Modes |
Rate This Thread |
 Linear Mode
|
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
|
|
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
