Bug 956863

Summary: StartCOM SSL Level 1 SSL cert is trusted in Firefox but isn't trusted in curl or OpenSSL
Product: [Fedora] Fedora Reporter: Elad Alfassa <elad>
Component: ca-certificatesAssignee: Joe Orton <jorton>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: jorton, kengert, pwouters, stefw, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-25 19:48:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Elad Alfassa 2013-04-25 19:36:02 UTC 
Try to access https://cloud.eladalfassa.com/ with Firefox. The certificate validates successfully. If you use curl, on the other hand, you get "curl: (60) Peer's Certificate issuer is not recognized.", and with OpenSSL I get "    Verify return code: 21 (unable to verify the first certificate)".
with gnutls "- Status: The certificate is NOT trusted. The certificate issuer is unknown. "

You get the picture. It's not in our CA bundle.


This is a free Class 1 SSL cert obtained from https://www.startssl.com/ which is, at least according to Mozilla and Google, a trusted CA.


This used to work, but some recent change must have broken it - I suspect it's related to bug #927601

Reproducible on F18 as well.
Comment 1 Kai Engert (:kaie) (inactive account) 2013-04-25 19:48:08 UTC 
Your server doesn't have the intermediate CA cert from Startcom installed.

If you try with firefox using a fresh profile, you will notice that it won't work either.

This isn't a bug, bug a server configuration issue. Find the FAQ from startcom that explains how to install the intermediate.
Comment 2 Stef Walter 2013-04-25 20:13:25 UTC 
Here are the instructions for installing the intermediate: http://www.startssl.com/?app=20
Comment 3 Stef Walter 2013-04-27 11:33:27 UTC 
Another related bug: https://bugzilla.redhat.com/show_bug.cgi?id=956701

It really seems like we used to distribute the intermediate as an anchor in the OpenSSL trust bundle. I need to verify this.