FIXED - Re: Broken SSL cert caused by router?

Michael Brown michael at supermathie.net
Mon Mar 30 03:55:50 UTC 2015


That's something I suspected at first, but discounted it when you said your laptop also failed at the site.

The first intermediate you installed took care of anything with the newer root certificates installed.

But for your older 10.4 Mac clients (which presumably haven't had a root certificate bundle update in a while) that wasn't enough - the new root needed to be provided since from their perspective it's an intermediate.

M.

  Original Message  
From: Mike
Sent: Sunday, March 29, 2015 23:29
To: nanog at nanog.org
Subject: Re: FIXED - Re: Broken SSL cert caused by router?

On 03/28/2015 01:50 PM, Matt Palmer wrote:
> On Sat, Mar 28, 2015 at 09:05:38AM -0700, Mike wrote:
>> On 03/27/2015 10:34 AM, Frank Bulk wrote:
>>> Glad you figured that out.
>>>
>>> I've used three SSL evaluation websites to help me with intermediate certificate issues:
>>> https://www.ssllabs.com/ssltest/analyze.html (will show the names and details of the certs, missing or not)
>>> https://www.wormly.com/test_ssl (quick SSL tester, will point out if intermediate certificate is missing)
>>> https://www.digicert.com/help/ (will show a green chain link between certs when they're all there *and* in order)
>> I went back to Frank's list and did some additional testing. I have a
>> different server which was set up the same way as the previous one
>> discussed, and I thought I would use the above tools and see if my problem
>> would have been identified by any of them. I am sorry to report, no, none of
>> these caught the problem either.
> Are you able to share the URL of the misconfigured site? It would be
> interesting to examine exactly what's going on.
>
> - Matt
>
SSLCertificateChainFile /etc/ssl/certs/gd_bundle-g2-g1.crt

I have actually fixed it.

What was going on seems to be this -

I have a new godaddy certificate for *.mydomain.com, and that is what I 
installed. However, the certificate chain I supplied was missing some 
intermediate godaddy certificate. Originally, it appeared I was missing 
'gdig2.crt', and once installed, that fixed some clients including the 
ones behind the meraki router. But then there were also some older 
clients this did not fix (a macos 10.4 something for example). So I went 
back and installed gd_bundle-g2-g1.crt in its place, and that seems to 
have finally done it.

I apologize for the diminishing lack of operational content. It just 
seems that these ssl tests should be tightened up and perhaps some 
additional tools deployed out there to help us less knowledgeable folks 
'get it right'.


Mike-
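The mechanism Michael describes (an intermediate alone satisfies clients that already carry the new root, while clients stuck on an old root bundle also need the cross-signed copy of the new root in the chain file) can be reproduced locally. The script below is an added example, not code from the thread or from GoDaddy; it builds a throw-away CA hierarchy with that shape (old root, new root cross-signed by the old root, an intermediate under the new root, and a wildcard leaf) and asks `openssl verify` which chain file each kind of client accepts. Every subject name, the `*.example.test` name and the file names are constructed for the demo; it needs only a working `openssl` binary.

```shell
#!/bin/sh
# Added example, not from the thread. Toy CA hierarchy mirroring the situation
# above: an old root (all an un-updated client trusts), a new root that the old
# root has cross-signed, an intermediate issued by the new root, and a wildcard
# server cert. All names are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so CSR generation does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
# Extensions applied when signing: one set for CAs, one for the server leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > "$WORK/leaf.ext"

# make_csr NAME CN : fresh RSA key and CSR for one participant
make_csr() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" \
        -subj "/CN=$2" -out "$WORK/$1.csr"
}
# self_sign NAME : turn NAME's CSR into a self-signed CA certificate
self_sign() {
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
        -days 2 -extfile "$WORK/ca.ext" -out "$WORK/$1.crt" 2>/dev/null
}
# sign NAME ISSUER EXT OUT : issue NAME's CSR from ISSUER's key and cert
sign() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 2 -extfile "$WORK/$3" -out "$WORK/$4.crt" 2>/dev/null
}

make_csr oldroot "Old Root CA"
make_csr newroot "New Root CA"
make_csr inter   "Issuing CA G2"
make_csr leaf    "*.example.test"

self_sign oldroot                      # anchor in an old trust store
self_sign newroot                      # anchor in a current trust store
sign newroot oldroot ca.ext newroot-cross   # same subject/key, issued by old root
sign inter   newroot ca.ext inter
sign leaf    inter   leaf.ext leaf

# The two chain files an operator might put in SSLCertificateChainFile.
SHORT_CHAIN="$WORK/chain-intermediate-only.pem"   # intermediate alone
FULL_CHAIN="$WORK/chain-with-cross-root.pem"      # intermediate + cross-signed root
cat "$WORK/inter.crt" > "$SHORT_CHAIN"
cat "$WORK/inter.crt" "$WORK/newroot-cross.crt" > "$FULL_CHAIN"
LEAF="$WORK/leaf.crt"
OLD_STORE="$WORK/oldroot.crt"   # client whose root bundle predates the new root
NEW_STORE="$WORK/newroot.crt"   # client with an up-to-date root bundle

# chain_ok STORE CHAIN LEAF : returns 0 if a client trusting STORE can build a
# path to LEAF using the extra certs in CHAIN, 1 otherwise (openssl's verdict).
chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# report LABEL STORE CHAIN : print one verdict line
report() {
    if chain_ok "$2" "$3" "$LEAF"; then v=OK; else v=FAIL; fi
    printf '%-52s %s\n' "$1" "$v"
}
report "old-root client, intermediate only"               "$OLD_STORE" "$SHORT_CHAIN"
report "old-root client, intermediate + cross-signed root" "$OLD_STORE" "$FULL_CHAIN"
report "new-root client, intermediate only"               "$NEW_STORE" "$SHORT_CHAIN"
report "new-root client, intermediate + cross-signed root" "$NEW_STORE" "$FULL_CHAIN"
```

Only the first combination fails: the old-root client sees "New Root CA" as an unknown issuer until the cross-signed copy is supplied, which is exactly why swapping the single intermediate for the bundle fixed the 10.4 clients. Checking a production chain the same way means downloading the chain the server actually sends and running `openssl verify` against a trust store as old as your oldest supported client, since a check against a current bundle will pass even when the cross-signed root is missing.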


