Hi,
On a new installation of Firefox we cannot connect to https://www.qlustar.com. The cause is a missing intermediate certificate in the server certificate chain response. By using
openssl s_client -connect www.qlustar.com:443
we can see a very strange chain:
Certificate chain
 0 s:CN = www.qlustar.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
 2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
Let's Encrypt has a different intermediate certificate.
Regards, Rolandas
P.S. It also caused problems with wget/curl to download files from your site.
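Added example, not part of the original thread: a small Python check over the "Certificate chain" block of openssl s_client output that flags the two conditions discussed here, a sent certificate that is not the issuer of the one before it, and a leaf sent with no intermediate. The LEAF_ONLY and FIXED samples are constructed and the function names are hypothetical; the check compares subject and issuer names only.

```python
import re

# Chain as printed by `openssl s_client` in the report above (wrong intermediates).
BROKEN = """Certificate chain
 0 s:CN = www.qlustar.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
 2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
"""
# Constructed samples: leaf only, and leaf plus its matching intermediate.
LEAF_ONLY = "\n".join(BROKEN.splitlines()[:3]) + "\n---\n"
FIXED = LEAF_ONLY.replace("---\n", "") + (
    " 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3\n"
    "   i:O = Digital Signature Trust Co., CN = DST Root CA X3\n---\n")

ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s+i:(.*)$", re.M)

def parse_chain(text):
    """Return [(depth, subject, issuer)] from the 'Certificate chain' block."""
    block = text.split("Certificate chain", 1)[-1].split("\n---", 1)[0]
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(block)]

def chain_problems(text):
    """Name-level check only: it does not verify signatures or trust anchors."""
    chain = parse_chain(text)
    if not chain:
        return ["no certificates found"]
    problems = []
    for (depth, _, issuer), (nxt_depth, nxt_subject, _) in zip(chain, chain[1:]):
        if issuer != nxt_subject:  # next cert sent is not the issuer of this one
            problems.append(f"cert {depth} issuer does not match cert {nxt_depth} subject")
    _, leaf_subject, leaf_issuer = chain[0]
    if len(chain) == 1 and leaf_subject != leaf_issuer:
        problems.append("only the leaf was sent, no intermediate")
    return problems

if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("leaf only", LEAF_ONLY), ("fixed", FIXED)):
        print(name, "->", chain_problems(sample) or "ok")
```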
"R" == Rolandas rolnas@gmail.com writes:
Hi Rolandas,
thanks for reporting. Can you please confirm that it works flawlessly now? There was an active left-over config option SSLCertificateChainFile pointing to an old certificate chain file.
Best,
Roland
R> Hi,
R> On a new installation of Firefox we cannot connect to https://www.qlustar.com. The cause is a missing intermediate certificate in the server certificate chain response. By using
R> openssl s_client -connect www.qlustar.com:443
R> we can see a very strange chain:
R> Certificate chain
R>  0 s:CN = www.qlustar.com
R>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
R>  1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
R>    i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
R>  2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
R>    i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
R> Let's Encrypt has a different intermediate certificate.
R> Regards, Rolandas
R> P.S. It also caused problems with wget/curl to download files from your site.
Hi,
On 04/06/2019 11.22, Roland Fehrenbacher wrote:
> "R" == Rolandas rolnas@gmail.com writes:
> Hi Rolandas,
> thanks for reporting. Can you please confirm that it works flawlessly now? There was an active left-over config option SSLCertificateChainFile pointing to an old certificate chain file.
But you need to have a different chainfile with the Let's Encrypt certificate full chain. Now I see only the www.qlustar.com certificate in the chain.
Regards, Rolandas
> Best,
> Roland
Qlustar-General mailing list -- qlustar-general@qlustar.org To unsubscribe send an email to qlustar-general-leave@qlustar.org
"R" == Rolandas rolnas@gmail.com writes:
R> Hi,
R> On 04/06/2019 11.22, Roland Fehrenbacher wrote:
R> >>>>>>> "R" == Rolandas rolnas@gmail.com writes:
R> >> Hi Rolandas,
R> >> thanks for reporting. Can you please confirm that it works flawlessly now? There was an active left-over config option SSLCertificateChainFile pointing to an old certificate chain file.
R> But you need to have a different chainfile with the Let's Encrypt certificate full chain. Now I see only the www.qlustar.com certificate in the chain.
We have the recommended Let's Encrypt config settings. Also Firefox doesn't complain here, neither with qlustar.com nor www.qlustar.com after commenting out the false SSLCertificateChainFile (Chrome is happy too). So I don't really see a problem anymore.