Posted to users@httpd.apache.org by Tovo Gianluca <gi...@telecomitalia.it> on 2004/03/09 10:42:39 UTC

[users@httpd] RE: Certificate not recognized by browsers

Hi Ronald,
it seems that you just didn't show your intermediate CA certificate to the server.
Here are your three certs: root (IPS SERVIDORES), CA (ipsCA A1), server (server).
Root and server are OK, but your server should also propose the intermediate CA to the client so it can resolve the entire cert path.
Check the CA cert statement in the config file.

Bye



Gianluca Tovo
Telecom Italia Information Technology S.p.A.
OSS&VAS Solutions - IT Security Products & Services
S.S.148 Pontina, Km 29.100 00040 Pomezia (RM)
phone +39 06 91197426
fax +39 06 91197331
mobile  +39 335 5792708


> -----Original Message-----
> Date: Mon, 8 Mar 2004 11:00:30 -0800
> To: users@httpd.apache.org
> From: fjan245@superiorshelving.com
> Subject: [OT]  Certificate not recognized by browsers
> Message-Id: 
> <DE...@superiorshelving.com>
> 
> Hi All,
> 
>    I realize this is not an Apache problem, but I was hoping someone
> could point me in the right direction.  We got a secure certificate
> from ipsCA and it refuses to be recognized by IE, Netscape, Mozilla,
> and Camino.  According to their web site, the intermediate certificate
> must not be installed incorrectly, but I'm 99.9% sure that it is.
> 
>    Is there a problem with certs from ipsCA?  They are listed in the
> Security preference panel in IE, so they should be legit.  Or is it a
> problem with intermediate certificates in general?  If it is, what
> would be the point of buying one, if the majority of browsers complain?
> 
>    If anyone wants to see it for themselves, here is the link:
> http://www.nexelshelving.com/cgi-bin/surfshop1/shop.cgi?c=start.htm&storeid=1
> 
> Put something in the cart and click the check out button to see the
> message.  Do not complete the checkout process, that is, of course, you
> want to buy some shelving!  =;)
> 
>    We're running Apache 2.0.48 on Mac OS X 10.3.1.  I'm desperate.  Our
> bank is holding our funds until we get rid of the error message that
> pops up in the browser.  If someone can help us out, I'd be extremely
> grateful.
> 
> Ronald
> 
> ------------------------------





Re: [users@httpd] RE: Certificate not recognized by browsers

Posted by fj...@superiorshelving.com.
Salve Gianluca,

> it seems that you just didn't show your intermediate CA certificate to 
> the server.

   That's what I thought, too, but according to ipsCA's testing web page 
<< http://certs.ipsca.com/checkserver/ >>, everything appears to be 
O.K.

> Here are your three certs: root (IPS SERVIDORES), CA (ipsCA A1), server 
> (server).
> Root and server are OK, but your server should also propose the 
> intermediate CA to the client so it can resolve the entire cert path.

   According to ipsCA << 
http://certs.ipsca.com/Support/CSRApache-MOD-SSL.asp >>, Apache users 
only need two certs [one of them is a bundled cert].  I've installed 
both, along with my key, and I _think_ I've done it correctly, but you 
never know.  I'm still new to this.

> Check the CA cert statement in the config file.

   Here's that section from my ssl.conf file:

<VirtualHost secure.nexelshelving.com:443>
    #  General setup for the virtual host
    DocumentRoot "/etc/apache/htdocs/nexelshelving"
    # ServerName has to match the server you entered into the CSR
    ServerName secure.nexelshelving.com:443
    ServerAdmin you@your.address
    ErrorLog /etc/apache/logs/ssl/nexelshelving/ssl_engine_log
    TransferLog /etc/apache/logs/access_log
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateKeyFile   /etc/apache/ssl/certs/server.key
    SSLCertificateFile      /etc/apache/ssl/private/server.crt
    SSLCertificateChainFile /etc/apache/ssl/private/IPS-IPSCABUNDLE.crt
</VirtualHost>

Thanks,
Robert


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
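
Added example (not part of either message in this thread, and not ipsCA's or the Apache project's code): the missing-intermediate failure discussed above, reproduced offline with a constructed root -> intermediate -> server PKI. A client that trusts only the root cannot build the path from the server certificate alone, and succeeds once the intermediate is supplied, which is what SSLCertificateChainFile makes the server send. All certificate names and file names are assumptions; the openssl command-line tool is required.

```sh
#!/bin/sh
# Constructed test PKI (all names are made up): root CA -> intermediate CA -> server.

new_csr() {  # new_csr NAME CN: write NAME.key and NAME.csr
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr"
}

make_test_pki() {  # make_test_pki DIR: populate DIR with the three certificates
    (
        cd "$1" &&
        printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext &&
        new_csr root "Example Root CA" &&
        openssl x509 -req -in root.csr -signkey root.key \
            -extfile ca.ext -days 2 -out root.crt &&
        new_csr int "Example Intermediate CA" &&
        openssl x509 -req -in int.csr -CA root.crt -CAkey root.key \
            -CAcreateserial -extfile ca.ext -days 2 -out int.crt &&
        new_csr server "secure.example.test" &&
        openssl x509 -req -in server.csr -CA int.crt -CAkey int.key \
            -CAcreateserial -days 2 -out server.crt &&
        cat int.crt > chain.crt   # what SSLCertificateChainFile would point at
    ) >/dev/null 2>&1
}

# A browser that trusts only the root and is sent only the server certificate.
verify_without_chain() {
    openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

# The same browser when the server also sends the intermediate.
verify_with_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/chain.crt" \
        "$1/server.crt" >/dev/null 2>&1
}

# Against a live server, list every certificate it actually sends with:
#   openssl s_client -connect HOST:443 -showcerts </dev/null
demo_dir=$(mktemp -d) && make_test_pki "$demo_dir" && {
    verify_without_chain "$demo_dir" || echo "server cert alone: path cannot be built"
    verify_with_chain "$demo_dir" && echo "server cert + intermediate: OK"
    rm -rf "$demo_dir"
}
```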