Busted SSL or busted browser?


(Nick Caldwell) #1

So I have a small testing Docker/Discourse on Digital Ocean tootling along fairly well, but I’ve neglected it for a couple of weeks. Today I tried to access it to find that it won’t load, or rather Safari can’t negotiate a secure connection to the site.

I took the following steps:

  1. I inspected nginx error logs inside the Docker container (nothing)
  2. I destroyed and rebuilt the container
  3. I rebooted the server

No joy. On a whim I tried loading the site in Firefox, and lo and behold it works fine. Still not the case in Safari, however.

I’ve secured the site with a COMODO cert, from StartSSL, if I recall correctly. Safari is 7.0.6 on Mavericks.

Edit: site is at https://furiousrobot.com


(Jeff Atwood) #2

Loads fine in IE11, at least.


(Nick Caldwell) #3

Chrome chokes on it. “This certificate was signed by an unknown authority”. Bah, I must have misconfigured the cert? Which logs should I be looking at?


(Jeff Atwood) #4

Loads fine for me in Chrome on Windows so if anything this must be Mac specific.


(Nick Caldwell) #5

I have a feeling I messed up my intermediate certificate somewhere along the line, by, uh, probably not creating it. But I don’t get why Windows isn’t bothered.


(Nick Caldwell) #6

OK, re-concatenated the .crt file etc, rebuilt with launcher yadda yadda yadda, no joy. Now also testing on iPhone, loads fine. Must be a keychain foul-up and Firefox just don’t give a damn.


(Sam Saffron) #7

One possibility: not a Firefox issue but something about your computer, maybe a crt is somehow installed locally.


(Gerhard Schlager) #8

The check at SSL Labs shows that there is indeed a problem with the certificate chain.
Looks like you need two intermediate certificates. However, your server sends just one intermediate certificate and the root certificate. You should remove the root certificate (it is not necessary) and add the missing intermediate certificate instead.


(Nick Caldwell) #9

Yes, I re-concatenated the certificates provided today, but I think I got them in the wrong order. It’s actually not clear which of the two intermediates should go first, but I suppose the documentation should provide that if I dig a bit further. Thanks for the link to the checker, very useful.


(Kane York) #10

You’re missing the COMODO RSA Domain Validation Secure Server CA certificate, and mistakenly including the AddTrust External CA Root.

The concatenation should be:

cat furious-robot.crt comodo-domain-validation.crt comodo-cert-authority.crt

(Nick Caldwell) #11

OK, so the package I got from the SSL cert vendor had the following file names:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
furiousrobot_com.crt

So in that case would it be

cat furiousrobot_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt

?


(Kane York) #12

Seems right to me… Try putting that up and running SSLTest again.


(Jeff Atwood) #13

This check is great, I added it to the bottom of our howto on SSL config in Discourse. Thanks for that!