First Last Prev Next    This bug is not in your last search results.
Bug 956863 - StartCOM SSL Level 1 SSL cert is trusted in Firefox but isn't trusted in curl or OpenSSL
StartCOM SSL Level 1 SSL cert is trusted in Firefox but isn't trusted in curl...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: ca-certificates (Show other bugs)
19
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Joe Orton
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-04-25 15:36 EDT by Elad Alfassa
Modified: 2013-04-27 07:33 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-25 15:48:08 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Elad Alfassa 2013-04-25 15:36:02 EDT 
Try to access https://cloud.eladalfassa.com/ with Firefox. The certificate validates successfully. If you use curl, on the other hand, you get "curl: (60) Peer's Certificate issuer is not recognized.", and with OpenSSL I get "    Verify return code: 21 (unable to verify the first certificate)".
with gnutls "- Status: The certificate is NOT trusted. The certificate issuer is unknown. "

You get the picture. It's not in our CA bundle.


This is a free Class 1 SSL cert obtained from https://www.startssl.com/ which is, at least according to Mozilla and Google, a trusted CA.


This used to work, but some recent change must have broken it - I suspect it's related to bug #927601

Reproducible on F18 as well.
Comment 1 Kai Engert (:kaie) 2013-04-25 15:48:08 EDT 
Your server doesn't have the intermediate CA cert from Startcom installed.

If you try with firefox using a fresh profile, you will notice that it won't work either.

This isn't a bug, bug a server configuration issue. Find the FAQ from startcom that explains how to install the intermediate.
Comment 2 Stef Walter 2013-04-25 16:13:25 EDT 
Here are the instructions for installing the intermediate: http://www.startssl.com/?app=20
Comment 3 Stef Walter 2013-04-27 07:33:27 EDT 
Another related bug: https://bugzilla.redhat.com/show_bug.cgi?id=956701

It really seems like we used to distribute the intermediate as an anchor in the OpenSSL trust bundle. I need to verify this.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.