Verisign Intermediate CA issues

Igor Sysoev is at rambler-co.ru
Sat Jan 24 18:04:42 MSK 2009


On Fri, Jan 23, 2009 at 01:36:33PM -0800, Gabriel Ramuglia wrote:

> Here's what I have:
> 
>                     ssl                 on;
>                     ssl_certificate      /home/video/certs/video.freeproxies.org.crt;
>                     ssl_certificate_key  /home/video/certs/video.freeproxies.org.key;
> 
>                     ssl_session_timeout  5m;
> 
>                     ssl_protocols  SSLv2 SSLv3 TLSv1;
>                     ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
>                     ssl_prefer_server_ciphers   on;
> 
> I haven't noticed any particular issues, but haven't tested in safari.
> Would be interested to know if you get the same issue with mine (seems
> my config is slightly different).
> 
> https://video.freeproxies.org/flvplayer.php is a good test url.

The site sends only the video.freeproxies.org certificate, without the GoDaddy
intermediate certificates. Firefox 3.1 on MacOSX run with a fresh profile
does not accept the site. Firefox with a daily used profile usually accepts
the site, as the GoDaddy intermediate certificate may already be in the
Firefox profile.

You need to go to
https://certs.godaddy.com/Repository.go

and download the GoDaddy intermediate certificate chain:
https://certs.godaddy.com/repository/gd_bundle.crt

Then you need to

cat video.freeproxies.org.crt gd_bundle.crt > video.freeproxies.org.bundle.crt

and use the new bundle

       ssl_certificate  /home/video/certs/video.freeproxies.org.bundle.crt;

> On Fri, Jan 23, 2009 at 1:02 PM, James Ochs <james.ochs at greennote.com> wrote:
> > Hi all,
> >
> > We have a verisign ssl cert and I've configured nginx with the .crt file
> > containing our cert and the verisign intermediate cert (in that order in the
> > file)
> >
> > In MacOs  safari, both on the desktop and the iphone, I am getting
> > certificate errors (can't verify the identity).  Firefox on the same
> > platform says the certificate is ok, and IE in most cases says it is ok.  I
> > have had a couple of reports of IE7 complaining about the validity of the
> > certificate, but that has been sporadic.  I've also checked it with curl (on
> > linux and macos) and it complains as follows:
> >
> > curl https://www.greennote.com
> > curl: (60) Peer certificate cannot be authenticated with known CA certificates
> >
> > Does anyone have any ideas of why this would happen?
> >
> > My nginx.conf has this for ssl:
> >
> >            ssl                  on;
> >            ssl_certificate      /etc/nginx/www.crt;
> >            ssl_certificate_key  /etc/nginx/prod.key;
> >
> >            ssl_session_timeout  10m;
> >            ssl_session_cache    shared:SSL:10m;
> >
> >            ssl_protocols  SSLv3 TLSv1;
> >            ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:+EXP;
> >            ssl_prefer_server_ciphers   on;
> >
> > This problem was not happening on our hardware load balancers with the same
> > certificate, so I'm at a loss as to what to try next.
> >
> > thanks,
> > james
> >
> > --
> > James Ochs
> > Network Operations Manager
> > james.ochs at greennote.com
> > KeyID: 0x6E7BBE9D
> >
> >
> >

-- 
Igor Sysoev
http://sysoev.ru/en/
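
A bundle built with the cat command above can be checked before nginx is pointed at it. The script below is an added example, not part of the original message: split_bundle and check_bundle are hypothetical helper names, the optional second argument is an assumed PEM file of root CAs, and OpenSSL 1.1.0 or later is assumed for the exit status of openssl verify.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): check a bundle built with
#   cat site.crt intermediates.crt > site.bundle.crt
# Return codes: 0 ok, 1 wrong order, 2 no certificates, 3 chain incomplete.

# Write each certificate in PEM file $1 to $2/cert01.pem, cert02.pem, ...
# and print how many were found.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }' "$1"
}

# check_bundle BUNDLE [ROOTS]   (hypothetical helper)
# ROOTS is an assumed PEM file holding the root CAs a fresh client trusts.
check_bundle() {
    local bundle="$1" roots="${2:-}" tmp count i=1 next issuer subject rc=0
    tmp=$(mktemp -d) || return 2
    count=$(split_bundle "$bundle" "$tmp") || count=0
    # Order: certificate i must be issued by certificate i+1 (server cert first).
    while [ "$i" -lt "$count" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -noout -issuer_hash -in "$(printf '%s/cert%02d.pem' "$tmp" "$i")")
        subject=$(openssl x509 -noout -subject_hash -in "$(printf '%s/cert%02d.pem' "$tmp" "$next")")
        if [ -z "$issuer" ] || [ "$issuer" != "$subject" ]; then
            echo "certificate $i is not issued by certificate $next" >&2
            rc=1
        fi
        i=$next
    done
    rm -rf "$tmp"
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $bundle" >&2
        return 2
    fi
    [ "$rc" -eq 0 ] || return "$rc"
    # Completeness: verify the first certificate with ROOTS as trust anchors and
    # the bundle itself as the only source of intermediates. OpenSSL may also
    # consult its default CA directory.
    if [ -n "$roots" ] &&
       ! openssl verify -CAfile "$roots" -untrusted "$bundle" "$bundle" >/dev/null 2>&1; then
        echo "chain from $bundle does not reach a root in $roots" >&2
        return 3
    fi
    return 0
}
```

A bundle that holds only the server certificate, as the test site in this thread sent, returns 3 when ROOTS contains just the root CA.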




