Description of problem:
I have installed the SSL certificate and the Intermediate Certificate using the Management Console and while this appears to be working for Chrome and Safari, Firefox and IE are having issues and claim that it is an untrusted site. I've raised this issue with the SSL provider SSL.com and they have given me new files to add to my site truthmapping.com, which I have done, yet the problem persists. Their instructions are below but I cannot do this directly as far as I'm aware. How can I get this site working in Firefox and IE?

Their instructions:
The file should be saved to a secure location; /etc/ssl/certs or a similar directory and specified in the following directive in the Apache configuration file:

    SSLCertificateChainFile /etc/ssl/certs/www_truthmapping_com.ca-bundle

Version-Release number of selected component (if applicable):
How reproducible: very
Steps to Reproduce:
1. Visit the site with Firefox.
2.
3.
Actual results:
Expected results:
Additional info:

Please check if the workaround reported in the bug below helps: https://bugzilla.redhat.com/show_bug.cgi?id=985952 We have another report on a similar issue that is under investigation at the moment: https://bugzilla.redhat.com/show_bug.cgi?id=1147868
I have combined those certs and submitted as one, then restarted the app. I see no change. Does this take some time?
Still no luck. More data: http://www.ssltools.com/certificate_lookup/www.truthmapping.com
Here is some contact info:

Jack, I am confident that these new files should work. Please send them over and let us know if they have any problems with them. I have validated them using various tools to make sure they are correct.

Fred Newtz
SSL Sales & Support Helpdesk
SSL Support Team
https://www.ssl.com

This site is 'untrusted' to many people. Please advise.
A hotfix will be published soon. Please try the following workaround (involves 2 commands to be performed on a Linux or Mac terminal):

1. Combine the certificate and chain files into one:

    cat www_truthmapping_com.crt DigiCertCA.crt > combined.pem

Notice the file names may vary, the first one is the website-specific certificate file and second is the chain file, as received from your certificate issuer. This will result in a combined certificate file named "combined.pem".

2. Set the combined certificate using rhc:

    rhc alias update-cert <app_name> www.truthmapping.com --certificate combined.pem --private-key www.truthmapping.com.key

Where <app_name> is the name of your openshift application. Again the private key file name may vary. If your private key requires a password you need to add at the end:

    --passphrase <passphrase>

Let us know the results.

Results:

    > rhc alias update-cert live www.truthmapping.com --certificate combined.pem --private-key tmap.key
    Invalid private key or pass phrase: Could not parse PKey: no start line

Do I need another param for the pass phrase?

Doh. Just saw your last comment. With passphrase I get: SSL certificate successfully added. I'm in. Thank you!
Hmm. This still doesn't look good, no? http://www.ssltools.com/certificate_lookup/www.truthmapping.com
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/a475004bede3f2ed476cf8bcbad46a1cbac4a393
Bug 1149901 - add missing line break to certificate files

Yes, you are good now. I prefer https://www.digicert.com/help/ which gives you more detailed information. You can also open Firefox with a new profile to make sure you don't have any certificate history, then open your website to confirm it doesn't warn about an invalid certificate (use 'firefox -ProfileManager' and create a new profile). A fix has been pushed to our repository and will be in openshift.com soon.

(In reply to Jack from comment #9)
> Hmm. This still doesn't look good, no?
> http://www.ssltools.com/certificate_lookup/www.truthmapping.com

Fixed in https://github.com/openshift/origin-server/pull/5857
I like the answer back from the digicert site better also. ;)
Tested on devenv_5218, the ssl chain can be added successfully, so verify this bug, thanks.
Has this been fixed on Openshift Online yet because when I try to follow the same instructions it says "SSL certificate successfully added." but Firefox is still saying:

    www.mydomain.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)

I have done:

    cat ssl.crt sub.class1.server.ca.pem > combined.pem

It is a StartSSL certificate - they suggested using the .pem file rather than the sub.class1.server.ca.crt which they said was DER encoded.

then:

    rhc alias update-cert <app_name> www.mydomain.com --certificate combined.pem --private-key ssl.key --passphrase <passphrase>

but no joy.

According to StartSSL guys: "Apparently you are using a Apache - you have to configure it differently according to http://www.startssl.com/?app=21" Is that correct or should the StartSSL certificate work anyway?
Has something changed recently because it is now saying that the certificate is now correctly installed and looks to be ok when accessed via firefox on opensuse? Or should it have taken a few days for the certificate to apply itself correctly after uploading it?
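
An added example, not part of the original thread or of OpenShift's code: a shell version of the `cat` step from the workaround that also catches two pitfalls raised in this thread, a certificate file with no trailing line break (plain `cat` then fuses the armor into `-----END CERTIFICATE----------BEGIN CERTIFICATE-----`) and a DER-encoded chain file. The function names `combine_pem` and `count_certs` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed, not from the thread.

# combine_pem OUT LEAF CHAIN...: like `cat LEAF CHAIN... > OUT`, but refuses
# input without PEM armor and guarantees a line break after every file.
combine_pem() {
    out=$1; shift
    : > "$out" || return 1
    for f in "$@"; do
        # A DER-encoded file has no armor line; cat would embed it as raw binary.
        if ! grep -q -e '^-----BEGIN CERTIFICATE-----' "$f"; then
            echo "combine_pem: $f is not PEM (DER-encoded?)" >&2
            rm -f "$out"
            return 2
        fi
        # Drop CRs; awk ends the last line with a newline even if the file did not.
        tr -d '\r' < "$f" | awk '{ print }' >> "$out"
    done
}

# count_certs FILE: print the number of certificate blocks. Fails if an armor
# line shares its line with other text or if BEGIN/END lines do not pair up.
# Checks armor only, not whether the certificates themselves are valid.
count_certs() {
    awk '
        /-----(BEGIN|END) CERTIFICATE-----/ && !/^-----(BEGIN|END) CERTIFICATE-----$/ { bad = 1 }
        /^-----BEGIN CERTIFICATE-----$/ { nb++ }
        /^-----END CERTIFICATE-----$/   { ne++ }
        END { if (bad || nb != ne || nb == 0) exit 1; print nb }
    ' "$1"
}

# Demo on constructed placeholder files (the bodies are not real certificates).
demo() {
    d=$(mktemp -d) || return 1
    printf -- '-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----' > "$d/site.crt"   # no final newline
    printf -- '-----BEGIN CERTIFICATE-----\nREVG\n-----END CERTIFICATE-----\n' > "$d/chain.pem"
    cat "$d/site.crt" "$d/chain.pem" > "$d/naive.pem"
    count_certs "$d/naive.pem" >/dev/null || echo "plain cat: fused armor line"
    combine_pem "$d/combined.pem" "$d/site.crt" "$d/chain.pem"
    echo "combine_pem: $(count_certs "$d/combined.pem") certificates"
    rm -rf "$d"
}
demo
```

Running `count_certs` on a bundle before uploading it shows whether the server will see the site certificate and the chain as separate blocks.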