Red Hat Bugzilla – Bug 956863
StartCOM SSL Level 1 SSL cert is trusted in Firefox but isn't trusted in curl or OpenSSL
Last modified: 2013-04-27 07:33:27 EDT
Try to access https://cloud.eladalfassa.com/ with Firefox. The certificate validates successfully. If you use curl, on the other hand, you get "curl: (60) Peer's Certificate issuer is not recognized.", and with OpenSSL I get " Verify return code: 21 (unable to verify the first certificate)".
With gnutls: "- Status: The certificate is NOT trusted. The certificate issuer is unknown. "
You get the picture. It's not in our CA bundle.
This is a free Class 1 SSL cert obtained from https://www.startssl.com/ which is, at least according to Mozilla and Google, a trusted CA.
This used to work, but some recent change must have broken it - I suspect it's related to bug #927601
Reproducible on F18 as well.
Your server doesn't have the intermediate CA cert from StartCom installed.
If you try with Firefox using a fresh profile, you will notice that it won't work either.
This isn't a bug, but a server configuration issue. Find the FAQ from StartCom that explains how to install the intermediate.
Here are the instructions for installing the intermediate: http://www.startssl.com/?app=20
Another related bug: https://bugzilla.redhat.com/show_bug.cgi?id=956701
It really seems like we used to distribute the intermediate as an anchor in the OpenSSL trust bundle. I need to verify this.
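The missing-intermediate diagnosis given earlier in this thread can be reproduced offline. The following is an added example, not code from the bug report or from any of the projects involved: it builds a constructed root, intermediate and leaf (all names, including `server.example`, are assumptions) and validates the leaf with Go's `crypto/x509` standing in for the client, first with only the leaf visible and then with the intermediate available.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed test cert for cn signed by parent (self-signed if nil); nil dns means a CA.
func issue(cn string, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: dns == nil, DNSNames: dns, KeyUsage: x509.KeyUsageDigitalSignature}
	if t.IsCA {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// scenario validates the same leaf twice: with the leaf alone, then with the intermediate available.
func scenario() (leafOnly, fullChain error) {
	root, rootKey := issue("Constructed Root CA", nil, nil, nil)
	inter, interKey := issue("Constructed Class 1 Intermediate", nil, root, rootKey)
	leaf, _ := issue("server.example", []string{"server.example"}, inter, interKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), DNSName: "server.example"}
	opts.Roots.AddCert(root)          // only the root is a trust anchor
	_, leafOnly = leaf.Verify(opts)   // server sent the leaf alone: no path to the root
	opts.Intermediates.AddCert(inter) // server sends the intermediate, or the client already holds it
	_, fullChain = leaf.Verify(opts)
	return leafOnly, fullChain
}

func main() {
	fmt.Println(scenario())
}
```

The first result is an unknown-authority error and the second is nil, which matches the behaviour reported above: a client that has the intermediate from elsewhere validates the site, while one that sees only what the server sends does not.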