Bug 1152699 - Proper SSL setup for custom domain
Summary: Proper SSL setup for custom domain
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 2.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: ---
Assignee: Jason DeTiberus
QA Contact: libra bugs
URL:
Whiteboard:
Depends On: 1149901
Blocks:
Reported: 2014-10-14 18:21 UTC by Jason DeTiberus
Modified: 2014-11-03 19:55 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1149901
Environment:
Last Closed: 2014-11-03 19:55:26 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1796 0 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Enterprise 2.2 Release Advisory 2014-11-04 00:52:02 UTC

Description Jason DeTiberus 2014-10-14 18:21:56 UTC
+++ This bug was initially created as a clone of Bug #1149901 +++

Description of problem:
I have installed the SSL certificate and the Intermediate Certificate using the Management Console and while this appears to be working for Chrome and Safari, Firefox and IE are having issues and claim that it is an untrusted site.  I've raised this issue with the SSL provider SSL.com and they have given me new files to add to my site truthmapping.com which I have done, yet the problem persists.  Their instructions are below but I cannot do this directly as far as I'm aware.  How can I get this site working in Firefox and IE?

Their instructions:
The file should be saved to a secure location; /etc/ssl/certs or a similar directory and specified in the following directive in the Apache configuration file:

SSLCertificateChainFile /etc/ssl/certs/www_truthmapping_com.ca-bundle


Version-Release number of selected component (if applicable):


How reproducible:
very

Steps to Reproduce:
1. Visit the site with Firefox.

2.
3.

Actual results:


Expected results:


Additional info:

--- Additional comment from Fabiano Franz on 2014-10-06 16:59:42 EDT ---

Please check if the workaround reported in the bug below helps:

https://bugzilla.redhat.com/show_bug.cgi?id=985952

We have another report on a similar issue that is under investigation at the moment:

https://bugzilla.redhat.com/show_bug.cgi?id=1147868

--- Additional comment from Jack on 2014-10-06 17:10:20 EDT ---

I have combined those certs and submitted as one, then restarted the app.  I see no change.  Does this take some time?

--- Additional comment from Jack on 2014-10-06 18:17:17 EDT ---

Still no luck.  More data:
http://www.ssltools.com/certificate_lookup/www.truthmapping.com

--- Additional comment from Jack on 2014-10-06 20:16:18 EDT ---

Here is some contact info:

Jack,

I am confident that these new files should work. Please send them over and let us know if they have any problems with them. I have validated them using various tools to make sure they are correct.



Fred Newtz
SSL Sales & Support Helpdesk
SSL Support Team
https://www.ssl.com

--- Additional comment from Jack on 2014-10-06 22:56:55 EDT ---

This site is 'untrusted' to many people.  Please advise.

--- Additional comment from Fabiano Franz on 2014-10-07 16:57:45 EDT ---

A hotfix will be published soon. 

Please try the following workaround (involves 2 commands to be performed on a Linux or Mac terminal):

1. Combine the certificate and chain files into one:

cat www_truthmapping_com.crt DigiCertCA.crt > combined.pem

Note that the file names may vary: the first one is the website-specific certificate file and the second is the chain file, as received from your certificate issuer. This will result in a combined certificate file named "combined.pem".

2. Set the combined certificate using rhc:

rhc alias update-cert <app_name> www.truthmapping.com --certificate combined.pem --private-key www.truthmapping.com.key

Where <app_name> is the name of your OpenShift application. Again, the private key file name may vary. If your private key requires a password you need to add at the end: --passphrase <passphrase>

Let us know the results.

--- Additional comment from Jack on 2014-10-07 17:29:06 EDT ---

Results:

> rhc alias update-cert live www.truthmapping.com --certificate combined.pem --private-key tmap.key 
Invalid private key or pass phrase: Could not parse PKey: no start line

Do I need another param for the pass phrase?

--- Additional comment from Jack on 2014-10-07 17:32:33 EDT ---

Doh.  Just saw your last comment.  With passphrase I get:
SSL certificate successfully added.

I'm in.  Thank you!

--- Additional comment from Jack on 2014-10-07 17:38:45 EDT ---

Hmm.  This still doesn't look good, no?
http://www.ssltools.com/certificate_lookup/www.truthmapping.com

--- Additional comment from openshift-github-bot on 2014-10-07 18:21:55 EDT ---

Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/a475004bede3f2ed476cf8bcbad46a1cbac4a393
Bug 1149901 - add missing line break to certificate files
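The workaround in comment 6 (cat the site certificate and the chain file together) and the fix just pushed (a missing line break between certificate files) describe the same failure mode: if the first PEM file has no trailing newline, plain `cat` fuses `-----END CERTIFICATE-----` and `-----BEGIN CERTIFICATE-----` onto one line and the bundle no longer parses as two certificates. The script below is an added example and is not part of this bug report or of the OpenShift code base; it shows a concatenation that always inserts the separator and a check that detects the fused markers. The PEM bodies and file names (server.crt, ca-int.crt) are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenShift): safe PEM bundle
# concatenation plus a check for the "missing line break" defect.
# The certificate bodies below are constructed placeholders.

# Concatenate PEM files, guaranteeing a newline between them so that
# END and BEGIN markers never share a line.
combine_pem() {
    for f in "$@"; do
        cat "$f"
        # $(...) strips trailing newlines, so a non-empty result means the
        # file's last byte is not a newline and a separator must be added.
        if [ -n "$(tail -c 1 "$f")" ]; then
            printf '\n'
        fi
    done
}

# Print "<begin_markers> <fused_markers>" for the bundle given as $1.
# A healthy bundle has fused=0 and begin equal to the number of certificates.
check_bundle() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    fused=$(grep -c -- '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' "$1" || true)
    printf '%s %s\n' "$begins" "$fused"
}

# Constructed sample inputs: the server certificate is written WITHOUT a
# trailing newline, which is how some issuers deliver the file.
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nU0VSVkVSQ0VSVA==\n-----END CERTIFICATE-----' \
    > "$demo_dir/server.crt"
printf -- '-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRF\n-----END CERTIFICATE-----\n' \
    > "$demo_dir/ca-int.crt"

# Naive concatenation reproduces the defect: the markers fuse.
cat "$demo_dir/server.crt" "$demo_dir/ca-int.crt" > "$demo_dir/naive.pem"

# Safe concatenation keeps each certificate block on its own lines.
combine_pem "$demo_dir/server.crt" "$demo_dir/ca-int.crt" > "$demo_dir/combined.pem"

echo "naive:    $(check_bundle "$demo_dir/naive.pem")"      # prints "naive:    1 1"
echo "combined: $(check_bundle "$demo_dir/combined.pem")"   # prints "combined: 2 0"
```

Before uploading a real bundle with `rhc alias update-cert`, it is worth listing the certificates it actually contains (for example with `openssl crl2pkcs7 -nocrl -certfile combined.pem | openssl pkcs7 -print_certs -noout`) and confirming that the leaf is followed by its issuer; a bundle that parses as a single certificate is exactly what Firefox and IE were rejecting here.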

--- Additional comment from Fabiano Franz on 2014-10-07 21:13:36 EDT ---

Yes, you are good now. I prefer https://www.digicert.com/help/ which gives you more detailed information. 

You can also open Firefox with a new profile to make sure you don't have any certificate history, then open your website to confirm it doesn't warn about an invalid certificate (use 'firefox -ProfileManager' and create a new profile). 

A fix has been pushed to our repository and will be in openshift.com soon.

(In reply to Jack from comment #9)
> Hmm.  This still doesn't look good, no?
> http://www.ssltools.com/certificate_lookup/www.truthmapping.com

--- Additional comment from Fabiano Franz on 2014-10-07 21:15:36 EDT ---

Fixed in https://github.com/openshift/origin-server/pull/5857

--- Additional comment from Jack on 2014-10-07 22:26:54 EDT ---

I like the answer back from the digicert site better also.  ;)

--- Additional comment from Yujie Zhang on 2014-10-08 04:35:16 EDT ---

Tested on devenv_5218, the SSL chain can be added successfully, so verifying this bug, thanks.

Comment 2 Yanping Zhang 2014-10-16 07:19:08 UTC
Verified on 2.2/2014-10-15.1.
Steps to verify:
1. Produce SSL certificate files ca-int.crt and server.crt.
2. On the website, add the SSL certificate file to the app alias.
Tried two methods. The first: directly add ca-int.crt to the "SSL Certificate Chain" form and server.crt to the "SSL Certificate" form.
The other: combine the certificate and chain files into one, then add the combined file in the "SSL Certificate" form.
Actual results:
2. Added successfully.

Comment 4 errata-xmlrpc 2014-11-03 19:55:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2014-1796.html
