Hi,
we have recently installed new Comodo SSL * certificate at our Juniper DX application accelerator, as a replacement for another Comodo expired one. The installaion was complete with the CA chain.
Most of our clients are communicating well with the application except for some Windows 7 / IE8 ones.
The error they are getting is: This website’s security certificate is not from a trusted source. The certificate they are getting is missing the whole CA chain path. The work around is by manully installing he intermdiate certificate “Comodo High Assurance Secure Server CA”, however, this cannot be a final solution as our users.
Certificate chain
0 s:/C=LB/postalCode=n/a/ST=n/a/L=Beirut/streetAddress=Bliss Street/2.5.4.18=11-0236/O=American University of Beirut/OU=Comodo PremiumSSL Wildcard/CN=*.aub.edu.lb
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High Assurance Secure Server CA
This tells us the chain is not installed. It needs to be installed as per the SSL/TLS RFCs (starting with 2246), the server must present the whole chain if the cert has one. This is why you are having a problem with some clients and not all.
The chain is installed, we made sure of that. The problem is detected by some Windows 7 / IE8 users and not all. There are no reported problems with XP/IE8 or firefox.
We have also opened a case with Juniper in parallel to see their feedback.
Would getting a certificate from the root CA at comodo, and not from an intermediata CA, bypasses this problem all together?
The problem is exactly as I have described above. Your “server”, may have the chain installed, but it is not presenting the intermediates that are needed to chain up to a trusted root properly. Once installing the chain, you may need to reboot the device.
You’re going to get mixed results from clients/browsers if they have seen our certs before as browsers and other clients tend to cache certs they have seen before. This explains why your Firefox users are seeing no issue.
Would getting a certificate from the root CA at comodo, and not from an intermediata CA, bypasses this problem all together?
Yes it would, but we’re no longer doing this as it is considered unsafe. All major CAs have moved away from this model to protect themselves.
We have merged the bundle file with the server certificate file to have a server certificate with the full list, then at the DX cluster config we have disabled “Autochain” and choose the fully chained server certificate file.
Before that, the DX with autochain enabled was trying from the certificate list it has to build itself the chain and it seems that it was not able to.
Thank you for all your help and the hints you provided that pointed us in the right direction.
The site is missing an Intermediate. (Comodo High-Assurance Secure Server CA). Once this file is installed on the server, Firefox will not have an issue with the server certificate and will be able to complete the chain of trust.
Recently our customer has bought Comodo SSL Certificate, and we have got the installation steps from internet and installed the Certificate successfully. The SSL is working on IE 6 fine, but it is not working properly on IE 7 and IE 8. The problem we are facing is our application web page Calendar is not opening properly (means getting Blank window). and Calendar is working with IP address URL (for example http://33.66.99.88:8082/xyz ) properly, but when we are trying to open by Domain URL (for example https://xyz.abc.com/8443/) here domain is “xyz.abc.com” . We can access the web page but in the web page Calenadr is not opening. We have tried with “InternetOptions → Security → ActiveX Controls and plug-ins → Allow Scriptlets” by changing this to “Enable”, the value change for this option is (i.e enable/disable) working for IP address URL but not with Domain URL.
Please help in solving this issue, because this is very critical issue for us.
