Author Topic: SSL root certificate not trusted?  (Read 4852 times)

Offline lennertk

  • Newbie
  • *
  • Posts: 1
SSL root certificate not trusted?
« on: August 25, 2015, 04:50:54 AM »
Hi,

We moved the website of one of our customers to a new datacenter and uploaded the certificate chain of the Comodo SSL certificate to the new loadbalancer. All seemed to be fine but we are now getting reports that some users (all on a mac seems) are getting the warning that "the site is not secure, are you sure to proceed?" message. We are confused because the same certificate worked fine before.

We are using the the following chain:
- Server ssl certificate
- Comodo RSA Organization Validation Secure Server CA
   36:82:5E:7F:B5:A4:81:93:7E:F6:D1:73:6B:B9:3C:A6
- Comodo RSA Certification Authority
  4C:AA:F9:CA:DB:63:6F:E0:1F:F7:4E:D8:5B:03:86:9D

We have also tested the site with some SSL checkers. Some sites report no errors but others report that the Comodo RSA Certification Authority is not trusted.

Is there something wrong with this chain? Or we missing a certificate?

regards,
Lennert

Offline victor.bexelius

  • Newbie
  • *
  • Posts: 4
Re: SSL root certificate not trusted?
« Reply #1 on: August 28, 2015, 02:49:54 AM »
Hi,
this might not help you - but I thought Id at least give you my experience:

I am on Mac OSX -> using Chrome.

Following issues:

1. Certificate is not safe due to old SHA-1 algorithm (Chrome is the only browser that will notice this - tested on opera, safari, firefox and IE)
Fix: Buy a new certificate and choose SHA-2 in the options on order page

2. You might have missed to move one of the dependancies of the certificate files (there are 3 that is needed for a complete chain)
Fix: Make sure you really moved all the chain files

Hope this helps, else I would check the permissions on the chain-files to rule out any server-side configuration issues. Also double-check + verify file-path to chain files in the site-config.

Best regards

Victor

Offline cbx

  • Newbie
  • *
  • Posts: 6
Re: SSL root certificate not trusted?
« Reply #2 on: September 17, 2015, 01:56:11 AM »
This may be relevant. I have a Mac running OS X Yosemite v 10.10.5.
The keychain on my Mac has a Root certificate authority SN: 4E 81 2D 8A 82 65 E0 0B 02 EE 3E 35 02 46 E5 3D that expires Monday, December 31, 2029.

We recently had a new SSL certificate installed on our server and Safari complained that the Root certificate is not trusted. The SN on the SSL certificate's Root certificate authority is: 4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D and expires Monday, January 18, 2038. Our new certificate is SHA2 and matches the SN of the root certificate authority used by lennertk, so I would guess his is SHA2. I'm still learning so that may not be a good guess.

To lennertk, is it the same people who visited your site earlier and they are just now reporting certificate trust issues? Or could it be different people. In fact that may not matter - I myself used to just say to trust the site and have the browser continue, but now that it is happening on our server I'm addressing the issue. It could be that other people are starting to complain where they used to let it go.

Since my Macintosh had one Root certification authority in the keychain, and a new cert installed on our server had a different root certification authority not in the keychain, and since other Macintosh computers at my workplace have the same issue, I would think it fairly probable that the same issue is more widespread.

If that is the case, I'm not sure how to suggest this, and in fact it may already be addressed -- it seems COMODO probably has addressed the issue because I don't see the problem with other browsers so perhaps this needs to be addressed to Apple.

Still, somewhere, something has been missed and I would appreciate it if there are multiple valid root certificate authorities by COMODO that COMODO would work with Apple and other major browser manufacturers to be sure  that all certificates are recognized as valid in the MAC keychain in addition to that of the other methods used by other browser manufacturers.

I'm not sure if it is possible, but it would be nice if a moderator from the COMODO staff could address this so we can find out where things stand.

Best,
Curtis

Offline cbx

  • Newbie
  • *
  • Posts: 6
Re: SSL root certificate not trusted?
« Reply #3 on: September 18, 2015, 12:20:56 PM »
Lennert's first post was August 25, so about 3 and a half weeks ago.

We host through HostGator, which is part of the reason why we have a COMODO SSL certificate. The president of my company suggested that perhaps we get a third party SSL certificate and install that considering
  • the amount of time we have already spent on this
  • potential lost customers
  • uncetainty in when this will be answered - much less when the issue will be fixed

If the issue is in fact that the root certificate is untrusted on Apple computers and IOS devices because it is not in the keychain, which appears to be the issue because when I add the root certificate to the keychain the message about not being trusted goes away, then it is an issue that should not have been an issue. COMODO should have made sure that it got added to the key chain by Apple. It should have never been an issue.

Hopefully COMODO considers their products worth following up on to be sure they work properly. And hopefully COMODO looks at this in the light of "how they can do better".

Best regards,
-Curtis

Offline cbx

  • Newbie
  • *
  • Posts: 6
Re: SSL root certificate not trusted?
« Reply #4 on: September 21, 2015, 12:53:09 PM »
Still no replies from someone who works with COMODO and could give an informed reply.

Just an update on our side. HostGator told us that for some reason the new certificate was still based on SHA1 - and we got the replacement certificate because a payment gateway we use said they were moving from SHA1 based certificates and all users of their services needed to make the change to SHA2 based certificates by 25 September.

HostGator said they removed the root certificate and set up the SSL certificate with just the COMODO intermediate certificate.

Things work, but having gone through all that and find that COMODO is still issuing certificates and certificate bundles still have a SHA1 based certificate, we're going to think again about getting a 3rd party certificate once ours come up for renewal.

-Curtis

 

Free Endpoint Protection
Seo4Smf 2.0 © SmfMod.Com Smf Destek