Bug 956863 - StartCOM SSL Level 1 SSL cert is trusted in Firefox but isn't trusted in curl or OpenSSL
StartCOM SSL Level 1 SSL cert is trusted in Firefox but isn't trusted in curl...
Product: Fedora
Classification: Fedora
Component: ca-certificates (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Joe Orton
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2013-04-25 15:36 EDT by Elad Alfassa
Modified: 2013-04-27 07:33 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-04-25 15:48:08 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Elad Alfassa 2013-04-25 15:36:02 EDT
Try to access https://cloud.eladalfassa.com/ with Firefox. The certificate validates successfully. If you use curl, on the other hand, you get "curl: (60) Peer's Certificate issuer is not recognized.", and with OpenSSL I get "    Verify return code: 21 (unable to verify the first certificate)".
with gnutls "- Status: The certificate is NOT trusted. The certificate issuer is unknown. "

You get the picture. It's not in our CA bundle.

This is a free Class 1 SSL cert obtained from https://www.startssl.com/ which is, at least according to Mozilla and Google, a trusted CA.

This used to work, but some recent change must have broken it - I suspect it's related to bug #927601

Reproducible on F18 as well.
Comment 1 Kai Engert (:kaie) 2013-04-25 15:48:08 EDT
Your server doesn't have the intermediate CA cert from Startcom installed.

If you try with firefox using a fresh profile, you will notice that it won't work either.

This isn't a bug, bug a server configuration issue. Find the FAQ from startcom that explains how to install the intermediate.
Comment 2 Stef Walter 2013-04-25 16:13:25 EDT
Here are the instructions for installing the intermediate: http://www.startssl.com/?app=20
Comment 3 Stef Walter 2013-04-27 07:33:27 EDT
Another related bug: https://bugzilla.redhat.com/show_bug.cgi?id=956701

It really seems like we used to distribute the intermediate as an anchor in the OpenSSL trust bundle. I need to verify this.

Note You need to log in before you can comment on or make changes to this bug.