Now the HTTPS webpage works on Chrome, Safari, Edge & Yandex. However, my friends at Mozilla don't seem to approve.
Also, I went to the “StartCom CA Certificates” page, downloaded “StartCom Root CA (PEM encoded)” and then clicked “CA Certificate”, which now shows this:
Certificate authority name: StartCom Certification Authority
Organization: StartCom Ltd.
Issuer name: StartCom Certification Authority
Issuer organization: StartCom Ltd.
Expiry date: Sep 17 19:46:36 2036 GMT
Certificate type: Self-signed
My question: is my mistake (aside from getting into tech) using a cheapie like StartSSL rather than a more recognizable service?
Thank you very much PaliGap - what is confusing me is why FF is complaining but nobody else is.
I ran your test and one from digicert as well. Both advised me to disable SSLv3, which I did. I now have a letter grade of “B” on digicert.
Qualys now tells me this:
Protocol Support
TLS 1.0, TLS 1.1, TLS 1.2
SSL certificate
Common Name = www.marksTEST(dot)com
Subject Alternative Names = blah blah
Issuer = StartCom Class 1 Primary Intermediate Server CA
Serial Number = blah blah
SHA1 Thumbprint = blah blah blah blah blah
Key Length = 2048 bit
Signature algorithm = SHA256 + RSA (excellent)
Secure Renegotiation: Supported
This certificate does not use a vulnerable Debian key (this is good)
SSL Certificate has not been revoked
OCSP Staple:
OCSP Origin:
CRL Status:
SSL Certificate expiration
The certificate expires December 2, 2016 (363 days from today)
Certificate Name matches marksTest(dot)com
Subject www.marksTest(dot)com
Valid from 03/Dec/2015 to 02/Dec/2016
Issuer StartCom Class 1 Primary Intermediate Server CA
SSL Certificate is correctly installed
Congratulations! This certificate is correctly installed.
FF still gives me “Error code: sec_error_unknown_issuer” - which is why I am tempted to try Comodo instead.
It may not be your certificate - it may be something like a poor cipher setup in Apache perhaps?
I should think something like this would cause another browser to complain, or digicert.com/SSLlabs.com to report it.
EDIT: Another site on the same server works fine on Firefox, but I used Comodo for that one. Or maybe it just takes a little time for the SSLv3 being disabled to take effect?
This server's certificate chain is incomplete. Grade capped to B.
PaliGap - I logged into StartSSL, went to “StartCom CA Certificate” - which of these options did you choose?
StartCom Root CA (PEM encoded)
StartCom Root CA (DER encoded)
Server Certificate Bundle with CRLs (PEM encoded)
Class 1 Intermediate Server CA
Class 2 Intermediate Server CA
Class 3 Intermediate Server CA
Extended Validation Server CA
Class 1 Intermediate Client CA
Class 2 Intermediate Client CA
Class 3 Intermediate Client CA
Class 2 Code Signing CA
Class 3 Code Signing CA
I am assuming you downloaded one of these and entered it into the FAR-RIGHT tab “CA Certificate”?
PaliGap - if I followed every step, then life would be boring.
Which of these options did you install?
StartCom Root CA (PEM encoded)
StartCom Root CA (DER encoded)
Server Certificate Bundle with CRLs (PEM encoded)
Class 1 Intermediate Server CA
Class 2 Intermediate Server CA
Class 3 Intermediate Server CA
Extended Validation Server CA
Class 1 Intermediate Client CA
Class 2 Intermediate Client CA
Class 3 Intermediate Client CA
Class 2 Code Signing CA
Class 3 Code Signing CA
UPDATE: I installed “Server Certificate Bundle with CRLs (PEM encoded)” and now I get this message from StartSSL:
Assessment failed: No secure protocols supported
That’s the bad news: the good news is that moz-firefox quit complaining, so I am taking a victory lap. Either way, PaliGap will be getting nominated for sainthood.
In Apache I have this:
SSLCertificateFile /home/mydomain.com/ssl.cert
SSLCertificateKeyFile /home/mydomain.com/ssl.key
SSLCACertificateFile /home/mydomain.com/ssl.ca
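
The symptom in this thread ("This server's certificate chain is incomplete" together with sec_error_unknown_issuer in one browser only) can be reproduced offline. The following is an added example, not code from any poster in the thread: it builds a throwaway root, intermediate and leaf with openssl (all names, subjects and file paths are constructed) and verifies the leaf the way a client that relies only on what the server sends has to, first without and then with the intermediate.

```shell
#!/bin/sh
# Added example: constructed three-level PKI (all names are made up).

# new_csr DIR NAME CN: generate a 2048-bit RSA key and a CSR for it.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# build_demo_pki DIR: root -> intermediate -> leaf, mirroring
# StartCom root -> Class 1 Intermediate Server CA -> site certificate.
build_demo_pki() {
    d=$1
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$d/ca.ext"
    new_csr "$d" root "Demo Root CA" &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null &&
    new_csr "$d" int "Demo Intermediate CA" &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null &&
    new_csr "$d" leaf "www.example.test" &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# chain_ok ROOT LEAF [SERVER_SENT_CHAIN]: exit 0 only if LEAF chains to ROOT
# using nothing but what the server sent, the way a client with no cached
# intermediates has to validate it.
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    build_demo_pki "$d" || { rm -rf "$d"; return 1; }
    chain_ok "$d/root.pem" "$d/leaf.pem" && echo "leaf only: ok" || echo "leaf only: unknown issuer"
    chain_ok "$d/root.pem" "$d/leaf.pem" "$d/int.pem" && echo "leaf + intermediate: ok" || echo "leaf + intermediate: unknown issuer"
    rm -rf "$d"
}
demo
```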