Bug 956863 - StartCOM SSL Level 1 SSL cert is trusted in Firefox but isn't trusted in curl or OpenSSL
Summary: StartCOM SSL Level 1 SSL cert is trusted in Firefox but isn't trusted in curl...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: ca-certificates
Version: 19
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Joe Orton
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-04-25 19:36 UTC by Elad Alfassa
Modified: 2013-04-27 11:33 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-04-25 19:48:08 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Elad Alfassa 2013-04-25 19:36:02 UTC
Try to access https://cloud.eladalfassa.com/ with Firefox. The certificate validates successfully. If you use curl, on the other hand, you get "curl: (60) Peer's Certificate issuer is not recognized.", and with OpenSSL I get "    Verify return code: 21 (unable to verify the first certificate)".
with gnutls "- Status: The certificate is NOT trusted. The certificate issuer is unknown. "

You get the picture. It's not in our CA bundle.


This is a free Class 1 SSL cert obtained from https://www.startssl.com/ which is, at least according to Mozilla and Google, a trusted CA.


This used to work, but some recent change must have broken it - I suspect it's related to bug #927601

Reproducible on F18 as well.

Comment 1 Kai Engert (:kaie) (inactive account) 2013-04-25 19:48:08 UTC
Your server doesn't have the intermediate CA cert from Startcom installed.

If you try with firefox using a fresh profile, you will notice that it won't work either.

This isn't a bug, bug a server configuration issue. Find the FAQ from startcom that explains how to install the intermediate.

Comment 2 Stef Walter 2013-04-25 20:13:25 UTC
Here are the instructions for installing the intermediate: http://www.startssl.com/?app=20

Comment 3 Stef Walter 2013-04-27 11:33:27 UTC
Another related bug: https://bugzilla.redhat.com/show_bug.cgi?id=956701

It really seems like we used to distribute the intermediate as an anchor in the OpenSSL trust bundle. I need to verify this.


Note You need to log in before you can comment on or make changes to this bug.