I recently installed different StartSSL certificates on each of my virtual servers under Virtualmin Pro. All is good except for Firefox users. They receive the following warning:
The certificate is not trusted because no issuer chain was provided.
How can I overcome this without changing CAs?
DS @ BCEnclave
It sounds like Firefox doesn’t trust that particular CA.
The typical way to handle that is to install a CA certificate, which establishes a chain of trust.
That CA certificate is usually available from your CA, and can be installed in Virtualmin using Manage SSL Certificates -> CA Certificate.
Thanks. That sounds right to me.
I have two files named ca.pem and sub.class1.server.ca.pem from StartSSL. Are these what I import into Manage SSL Certificates -> CA Certificate?
DS @ BCEnclave
This is the “same” issue that I reported a while ago (https://www.virtualmin.com/node/22492; only Eric will be able to view it).
StartSSL recommends the following configuration (I shortened it here a bit):
SSLCertificateFile ... ssl.crt
SSLCertificateKeyFile ... ssl.key
SSLCertificateChainFile ... sub.class1.server.ca.pem
SSLCACertificateFile ... ca.pem
The problem is that Virtualmin cannot handle the very common Apache directive SSLCertificateChainFile, which basically means that you have to merge the two pem files etc. But if you are “new” to SSL this conclusion would not be obvious at all. If you are familiar with the process, you would just add the above lines manually anyway (instead of merging - which is not good anyway, because if something doesn’t work, you have to look at all files to see whether you forgot to merge a cert etc).
Why post a link only one person can see? That doesn’t help me because I can’t see the discussion.
Also - when I trunk all my pem’s into one pem, I upload the file and save the cert, it chugs, says it’s done then I go back into the page and it still says:
Certificate authority name AddTrust External CA Root
Organization AddTrust AB
Issuer name AddTrust External CA Root
Issuer organization AddTrust AB
Expiry date May 30 10:48:38 2020 GMT
Certificate type Self-signed
I suspect it’s failing and this is my problem; I can’t get the Network Solutions CA chain in the Virtualmin CA area.
Any guidance on this? I’m surprised the forums aren’t blowing up with this issue but then that might also mean nobody is using SSL on the servers they’re hosting sites on.
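An added example, not part of any post in this thread: a way to check what a merged PEM file actually contains and whether a server certificate verifies with and without the intermediate. The function names and the generated "Demo" certificates are constructed for illustration; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example. Requires the openssl command-line tool.

# bundle_report FILE: one line per certificate found in a PEM bundle,
# "<n> <self-signed|issued> <subject>". A CA bundle that reports only a
# self-signed entry contains the root but no intermediate.
bundle_report() {
  openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ { s = substr($0, 9) }
         /^issuer=/  { i = substr($0, 8)
                       printf "%d %s %s\n", ++n, (s == i ? "self-signed" : "issued"), s }'
}

# chain_verifies LEAF ROOT [INTERMEDIATES]: exit 0 only if LEAF chains to ROOT.
# Without INTERMEDIATES this mimics a client that trusts the root but was
# sent no chain by the server.
chain_verifies() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>/dev/null | grep -q ': OK$'
  else
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
  fi
}

# make_demo_chain DIR: constructed sample data (root -> int -> leaf), standing
# in for ca.pem, sub.class1.server.ca.pem and ssl.crt from the thread.
make_demo_chain() (
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
      -subj "/CN=Demo $n" 2>/dev/null || exit 1
  done
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 2 -out root.pem 2>/dev/null &&
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out int.pem 2>/dev/null &&
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null
)

# Usage:
#   d=$(mktemp -d); make_demo_chain "$d"
#   cat "$d/int.pem" "$d/root.pem" > "$d/bundle.pem"; bundle_report "$d/bundle.pem"
#   chain_verifies "$d/leaf.pem" "$d/root.pem" || echo "no issuer chain"
```

Run bundle_report on the file before uploading it as the CA certificate: if every line says self-signed, the intermediate is missing from the bundle.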
I use StartSSL on my servers. I added the “StartCom Class 1 Primary Intermediate Server CA” to the CA certificates section; I have seen no problems with certificates on IE, Chrome, or Firefox.