4MACS-Will

Q: comodo ssl certificates failing

I don't know where to begin looking for an answer to this.

I have a Comodo SSL certificate installed on my mail server, hosted in my data center, completely controlled by me. The certificate is valid until September 2019.

Yesterday morning, I (attempted to) log into my mail server from my iPhone's hotspot, and I got a warning that the certificate was no longer valid. I did not continue, because I didn't have the time to troubleshoot things.

When I got back to my house, I also got the failure - computer number 2. Beginning to troubleshoot, I went to another service I use, got a certificate failure - and found that that service also used Comodo.

So far, both machines are running 10.10.3, fully patched.

When I got to my office, on my iMac running 10.9.5, there was no failure. It's on a Comcast connection.

Back at my house, I've found that EVERY website using a Comodo certificate is now failing.

The only server I can access the SSL cert chain on is my mail server, and it is sending down the 4 certificates needed for proper security. And when verified by Comodo's certificate analyzer, it tests just fine.

I've asked others around the country to check my certificate - and nobody else sees a problem.

So this narrows down the problem to either my AT&T hotspot AND my Cox internet at my house, OR a problem with 10.10.3.

I'm not inclined to think that both AT&T and Cox are colluding to prevent me from accessing secure sites from their connections. I'm more inclined to think something is up with my favorite OS EVER (NOT!), Yosemite.

Where do I begin looking for an answer to this problem?

iMac, OS X Yosemite (10.10.3)

Posted on May 10, 2015 6:21 AM


  • cdhw, Level 4 (2,653 points), Servers Enterprise, May 10, 2015 6:11 PM in response to 4MACS-Will (marked Helpful)

    Take a look at the 'COMODO RSA Certification Authority' certificate(s), which should be in your System Roots keychain. Since your Mac(s) consider it invalid, all the certificates below it in the chain will cease to be trusted.

    For reference, on my OS X 10.10.3 system I have one such certificate that expires on 31 Dec 2029 at 23:59. Its trust setting is 'Use System Defaults'.

    If that seems in order, you could try Keychain First Aid.

    Next, look into Keychain preferences at the Certificates tab. Are OCSP and/or CRL on? If so, does turning them off (as an experiment; there are security implications) 'fix' the issue?

    C.

  • 4MACS-Will, Level 1 (0 points), May 10, 2015 6:13 PM in response to cdhw

    I had one such certificate in System Roots; but there were 5 others in my login keychain. I have no idea where they came from, but removing them did indeed fix the problem.

    All were trusted (by default; not me overriding the defaults) except for one, which had been revoked.

    Thanks!

  • 4MACS-Will, Level 1 (0 points), May 18, 2015 5:58 PM in response to 4MACS-Will

    Interestingly enough, the certificates were back in my keychain today, and of course all the Comodo certificates were failing again.

    I have no idea how they got in there, how they keep getting in there, or why it is happening.

    I know how to solve it, but why?

  • Gabe Muffington, Level 1 (5 points), Jun 10, 2015 9:36 AM in response to cdhw

    For extra insight:

    1. Two versions of "COMODO RSA Certification Authority" exist. The first one is a self-signed root, but is not bundled in 10.10's System Roots by default. The other, newer version is an intermediate that uses "AddTrust External CA Root" as the system root, and AddTrust is in the System Roots.

    2. In my local reproduction of this issue, the "Use System Defaults" setting for the root version of this Comodo certificate in a login keychain does not actually mark the certificate as trusted. The drop-down needs to be explicitly set to Trusted. You may notice that the icon has a red "X" when using the default, which turns to a blue "+" once it's explicitly trusted.

    3. If you have the root version of the Comodo certificate added to your login keychain (still unsure what would have added it), it will use that version over the AddTrust-chained version actually sent by the server, even if the root version is not marked as trusted.
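
The failure mode cdhw's check and Gabe's point 3 describe can be shown with a small path-building model. This is an added example, not code from the thread or from Apple: certificates are plain records with no signature verification, the hostname and the intermediate CA name are assumptions, the four-certificate chain and keychain contents are constructed from what the thread reports, and the `prefer_local` rule models the reported behaviour (a same-name, same-key copy already in a keychain is taken instead of the cross-signed copy the server sent), not Apple's actual implementation.

```python
"""Toy certificate-path builder: why an extra copy of 'COMODO RSA Certification
Authority' in the login keychain can break every Comodo-issued site.

Added example, not code from the thread or from Apple. Certificates are modelled
as plain records (no signature verification); the server hostname and the
intermediate CA name are assumptions, and 'prefer_local' is a model of the
behaviour reported in the thread, not Apple's actual implementation.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str         # stands in for SubjectKeyIdentifier
    issuer_key_id: str  # stands in for AuthorityKeyIdentifier
    origin: str         # "server", "login" or "system-roots"

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.key_id == self.issuer_key_id


COMODO_RSA = "COMODO RSA Certification Authority"
ADDTRUST = "AddTrust External CA Root"
DV_CA = "COMODO RSA Domain Validation Secure Server CA"  # assumed intermediate name

# Constructed model of the chain the mail server sends plus the trust-store
# contents described in the thread.
SERVER_CHAIN = [
    Cert("mail.example.net", DV_CA, "leaf", "dvca", "server"),        # assumed host
    Cert(DV_CA, COMODO_RSA, "dvca", "comodo-rsa", "server"),
    # cross-signed copy: same subject and key as the root, but signed by AddTrust
    Cert(COMODO_RSA, ADDTRUST, "comodo-rsa", "addtrust", "server"),
]
ADDTRUST_ROOT = Cert(ADDTRUST, ADDTRUST, "addtrust", "addtrust", "system-roots")
# self-signed copy that somehow landed in the login keychain, not trusted
COMODO_SELF_SIGNED = Cert(COMODO_RSA, COMODO_RSA, "comodo-rsa", "comodo-rsa", "login")

Anchor = Tuple[str, str]
SYSTEM_ANCHORS: Set[Anchor] = {(ADDTRUST_ROOT.subject, ADDTRUST_ROOT.key_id)}


def build_path(leaf: Cert, pool: Iterable[Cert], anchors: Set[Anchor],
               prefer_local: bool = False) -> Optional[List[Cert]]:
    """Depth-first path building from the leaf up to a trust anchor.

    prefer_local=True models the thread's report: when an issuer with the same
    name and key already sits in a local keychain, only that copy is tried, so
    the cross-signed copy from the server never gets a chance.
    """
    pool = list(pool)

    def candidates(cert: Cert) -> List[Cert]:
        cands = [c for c in pool
                 if c.subject == cert.issuer and c.key_id == cert.issuer_key_id
                 and c != cert]
        if prefer_local:
            local = [c for c in cands if c.origin != "server"]
            if local:
                return local[:1]
        return cands

    def walk(path: List[Cert]) -> Optional[List[Cert]]:
        cur = path[-1]
        if (cur.subject, cur.key_id) in anchors:
            return path                      # reached a trusted root
        if cur.self_signed:
            return None                      # self-signed but not trusted: dead end
        for nxt in candidates(cur):
            if nxt in path:
                continue                     # avoid loops
            found = walk(path + [nxt])
            if found:
                return found                 # backtracking happens on None
        return None

    return walk([leaf])


def path_subjects(path: Optional[List[Cert]]) -> Optional[List[str]]:
    return None if path is None else [c.subject for c in path]


def verify_scenarios() -> dict:
    """Run the four situations discussed in the thread and return the built paths."""
    leaf = SERVER_CHAIN[0]
    clean_pool = SERVER_CHAIN + [ADDTRUST_ROOT]
    # stale copy listed first so that a full search has to backtrack past it
    dirty_pool = [COMODO_SELF_SIGNED] + SERVER_CHAIN + [ADDTRUST_ROOT]
    explicit = SYSTEM_ANCHORS | {(COMODO_RSA, "comodo-rsa")}  # user set it to Trusted
    return {
        "clean": path_subjects(build_path(leaf, clean_pool, SYSTEM_ANCHORS)),
        "stale_login_copy": path_subjects(build_path(leaf, dirty_pool, SYSTEM_ANCHORS, prefer_local=True)),
        "full_search": path_subjects(build_path(leaf, dirty_pool, SYSTEM_ANCHORS)),
        "explicitly_trusted": path_subjects(build_path(leaf, dirty_pool, explicit, prefer_local=True)),
    }


if __name__ == "__main__":
    for name, result in verify_scenarios().items():
        print(f"{name:20s} -> {result}")
```

`stale_login_copy` is the thread's symptom: the login-keychain copy shadows the server's cross-signed certificate and the path dead-ends at an untrusted self-signed root. `full_search` shows that a builder which backtracks over every candidate (as RFC 4158 describes) would have recovered, and `explicitly_trusted` is Gabe's point 2: once the stale copy is marked Trusted the shorter path validates.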

  • Octavio Velasco, Level 1 (0 points), Jan 26, 2016 8:46 PM in response to Gabe Muffington

    I can confirm that I'm still experiencing the same exact issues with El Capitan (10.11).

    The weird thing is that the Mail app is the one that is failing. The same exact certificate is used to secure a website, and Safari does trust the certificate.

  • FastGraph, Level 1 (4 points), May 10, 2016 11:53 AM in response to Octavio Velasco

    I have the same issue on my two 10.11.3 machines, and on my iPad and iPhone, both on 9.3.1. What's weird is that the problem occurs every now and then, and only with the Mail applications.

    Restarting Mail on all devices seems to temporarily solve the issue.

  • plschmehl, Level 1 (4 points), Sep 15, 2016 10:49 PM in response to 4MACS-Will

    The answer to use Keychain First Aid is not very helpful. Keychain First Aid has been removed from El Capitan.

    As with others, I'm having this problem with any website that uses Comodo certs. They show as invalid, even though the CA cert verifies in Keychain Access and is marked as valid.

    I did manage to get the websites at least working, by deleting all the certs in the login folder of Keychain Access, but the certs are still marked as invalid in Chrome.

    Chrome says the cert is signed by an unknown authority.

    I also get the following error:

        Certificate Error
        There are issues with the site's certificate chain (net::ERR_CERT_AUTHORITY_INVALID).