0 Replies Latest reply: Oct 2, 2010 10:26 AM by DCGOO
DCGOO Level 3 (760 points)
OS X Server 10.6
I spent countless hours trying to figure out why I could not get a clean chain of trust from port 443 (apache). Yet it was perfect on port 993 (dovecot). No browser I could find had the slightest problem with the cert, but it appeared to point back to itself as the first stop to the root. Wrong...

It turns out that inside /etc/certificates/ the "chain.pem" file started out with a repeat of the host certificate! Thus the host pointed to the chain, which repeated the host first before it got to the intermediate certs. To fix this, I simply removed the top certificate from the chain.pem file, and Eureka! No more chain-of-trust errors.

I really don't know if this is a problem with Apple's implementation of Apache, but I suspect it is a bug in the certificate installation script in ServerAdmin, incorrectly adding the host cert to the chain cert file. The Apache SSL files looked fine to me. Really simple to fix, once you realize what is happening. I've left feedback.

Thanks to the SSL tool at digicert.com/help that displayed all stops on the path. I would've never figured it out otherwise! GoDaddy help on the topic was completely useless (but the cert was really cheap).

MBP 17, MBP 15 i7, Powerbook G4, iMac 20, Mini OS X Server, 32gig iPhone4, Mac OS X (10.6)
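As an added example (not DCGOO's code, and not anything Apple ships), a stdlib-only Python script that checks for the misconfiguration described in the post: it fingerprints every certificate in a chain.pem bundle, reports whether the host certificate is repeated in it, and returns a cleaned chain with that copy removed, which is exactly the fix described above. The PEM blocks in the sample are constructed placeholders (base64 of a label, not real DER); the functions take PEM text, so on a real server you would read the host and chain files from /etc/certificates/ and pass their contents in.

```python
import base64
import hashlib
import re

# Matches one PEM certificate block and captures its base64 body.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return the PEM certificate blocks of a bundle, in file order."""
    return [m.group(0) for m in PEM_RE.finditer(text)]


def fingerprint(pem_block):
    """SHA-256 over the decoded DER bytes (same digest openssl prints as -fingerprint -sha256)."""
    body = PEM_RE.search(pem_block).group(1)
    der = base64.b64decode("".join(body.split()))
    return hashlib.sha256(der).hexdigest()


def chain_repeats_host(host_pem, chain_pem):
    """True when the host (leaf) certificate also appears anywhere in the chain bundle."""
    leaf = fingerprint(host_pem)
    return any(fingerprint(b) == leaf for b in split_pem_bundle(chain_pem))


def strip_host_from_chain(host_pem, chain_pem):
    """Drop every copy of the host cert from the chain; return (clean_chain_text, removed_count)."""
    leaf = fingerprint(host_pem)
    kept, removed = [], 0
    for block in split_pem_bundle(chain_pem):
        if fingerprint(block) == leaf:
            removed += 1
        else:
            kept.append(block)
    return "\n".join(kept) + "\n", removed


def fake_cert(label):
    """Constructed stand-in for a certificate: base64 of a label, NOT a real DER certificate."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


# Constructed sample reproducing the bug: chain.pem starts with a copy of the host cert.
HOST_PEM = fake_cert("host certificate (leaf)")
BAD_CHAIN = "\n".join([HOST_PEM, fake_cert("intermediate CA"), fake_cert("root CA")]) + "\n"

if __name__ == "__main__":
    print("chain repeats host cert:", chain_repeats_host(HOST_PEM, BAD_CHAIN))
    clean, n = strip_host_from_chain(HOST_PEM, BAD_CHAIN)
    print(f"removed {n} copy/copies; chain now holds {len(split_pem_bundle(clean))} certs")
```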