FIXED - Re: Broken SSL cert caused by router?

John Levine johnl at iecc.com
Mon Mar 30 03:56:05 UTC 2015


>SSLCertificateChainFile /etc/ssl/certs/gd_bundle-g2-g1.crt
>
>I have actually fixed it.

Yeah, that's always it.

Back in the good aulde days all of the SSL certs one might buy were
signed directly by the CA, but now more often than not there are
intermediate certs, and a valid cert needs to be accompanied by all of
the intermediate certs between it and the CA.

What makes debugging hard is that browsers try to be helpful.  If a
server doesn't provide the intermediate certs, but the browser happens
to have them in its cache from some other site, well, close enough and
the SSL works.  But if some other browser doesn't happen to have them,
you lose.

So if your SSL is flaky, check those intermediate certs first.

R's,
John


More information about the NANOG mailing list