ssl weirdness on comodo certs

nobaloney

NoBaloney Internet Svcs - In Memoriam †
One of my clients, running RHEL 3, has installed a cert in the user section of the admin login, to be used as a shared cert.

He's installed the CA chain cert as well.

Now here's the weirdness:

On my Windows 2000 system, using IE 5.5, the cert appears as good; and the Certification Path shows the GTE Cyber Trust Root.

On the same system, using NS 7.1, the cert appears as good, and the Details shows the GTE Cyber Trust Root.

But on my RHL 9 Linux desktop system, using Mozilla 1.2.1, and Konqueror 3.1-12, the cert doesn't appear as good, and the details show no root certificate.

The client, using Windows and IE 6 also shows the cert as NOT good, and with no root certificate.

The address of the site is:

https://www.fdserve.com/

Will you please try it for me and tell me if the cert appeared as good, or if you get an error telling you it's from an untrusted certification authority.

I'll appreciate a bunch of tests so we can get an idea of what to say when we talk with Comodo Monday morning.

EDIT:
Edited 12:54 am Sunday Morning, July 4, 2004:

I've done a bit more testing and I found an interesting anomaly.

Server-wide certs installed with DA under the admin user panel end up in different locations:

The cert ends up in the /etc/httpd/conf/ssl.cert directory.

The private key ends up in the /etc/httpd/conf/ssl.key directory.

And the CACert ends up in the /usr/local/directadmin/data/users/admin/domains directory.

The ones in the /etc/httpd/conf/ssl.key and /etc/httpd/conf/ssl.crt directories are owned by root:root, and the permissions are rw for root, and no permissions for any other users.

The ones in the /usr/local/directadmin/data/users/admin/domains directory are owned by directadmin:directadmin and the permissions are rw for directadmin and no permissions for any other users.

I'm guessing this works because https connections are always handled by the main httpd daemon, which is run as root.

But it's a bit weird.

Any ideas, anyone?
END-EDIT

Thanks!

Jeff
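An added example, not code from the thread: a throwaway root / intermediate / leaf chain built with openssl, used to reproduce the symptom described in the post. A client whose trust store holds only the root (standing in here for the GTE CyberTrust root) cannot verify the leaf unless the intermediate (standing in for the Comodo CA certificate) is presented with it; a client that already has the intermediate cached, or can fetch it, validates fine, which is how the same server can look good in one browser and untrusted in another. The script also checks issuer/subject linkage and the owner-only key mode reported in the edit above. Hostnames, file names and the temp directory are made up.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway root -> intermediate
# -> leaf chain with openssl and reproduces the symptom: a client that trusts only
# the root cannot verify the leaf unless the intermediate is also presented.
# All names and paths are made up; key_mode_ok checks for the "rw for owner only"
# mode the first post reports for the files under /etc/httpd/conf/ssl.key.
set -e

WORK=$(mktemp -d)

# Root CA: stands in for the GTE CyberTrust root that browsers ship.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA: stands in for the Comodo CA certificate the client was sent.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/inter.ext"
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 365 -extfile "$WORK/inter.ext" -out "$WORK/inter.pem" 2>/dev/null

# Leaf: the shared server certificate, issued for a made-up hostname.
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/server.pem" 2>/dev/null
chmod 600 "$WORK/server.key"

# verify_leaf ROOT LEAF [INTERMEDIATE ...]
# Emulates a client whose trust store holds only ROOT. The intermediates are what
# the server sends alongside the leaf; with none given this is a server that
# serves only its own certificate. Returns 0 when the chain validates.
verify_leaf() {
  root=$1; leaf=$2; shift 2
  untrusted=""
  for c in "$@"; do untrusted="$untrusted -untrusted $c"; done
  # $untrusted is deliberately left unquoted: it is a list of options
  openssl verify -CAfile "$root" $untrusted "$leaf" >/dev/null 2>&1
}

# chain_linked CHILD PARENT: CHILD's issuer DN must equal PARENT's subject DN.
chain_linked() {
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^[^=]*=//')
  sub=$(openssl x509 -in "$2" -noout -subject | sed 's/^[^=]*=//')
  [ "$iss" = "$sub" ]
}

# key_mode_ok FILE: private key readable by its owner only (0600 or 0400).
key_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

report() { if "$@"; then echo "ok   : $*"; else echo "FAIL : $*"; fi; }
report verify_leaf "$WORK/root.pem" "$WORK/server.pem" "$WORK/inter.pem"
report verify_leaf "$WORK/root.pem" "$WORK/server.pem"   # fails: intermediate missing
report chain_linked "$WORK/server.pem" "$WORK/inter.pem"
report key_mode_ok "$WORK/server.key"
```

The second `verify_leaf` line is the situation in the thread: the leaf is valid and chains to a root everyone trusts, but a client that is handed only the leaf has no way to get from it to that root. Fixing the server to send the intermediate (the first `verify_leaf` line) is what makes the result independent of what each browser happens to have cached.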
Thanks, folks.

Please, others reading the thread, if you'd try and let me know, it'll give me a bit more information I can use in troubleshooting this.

I'm especially curious about others using NS 7.x or IE 5.5 on any flavor of Windows, since that seems to work for me.

(The Windows 2k box is the only Windows box I've got for testing.)

Jeff
 
Hey,

I did our certs manually...

Here's the lines we have in the directadmin.conf file:

(The names were changed to protect the innocent.)

cacert=/usr/local/directadmin/conf/our_server.crt
cakey=/usr/local/directadmin/conf/our_private.key
carootcert=/usr/local/directadmin/conf/CA.crt

I'd have to search the forum but, if I remember right (whoa) DA had to be able to read ALL those files... I'm not real sure... I've got them as diradmin:diradmin.

BTW: On our login/cert I see both certs. The Comodo is in the middle and the GTE is at the top.

David
 
Thanks, skruf.

What do you mean by:
skruf said:
BTW: On our login/cert I see both certs. The Comodo is in the middle and the GTE is at the top.
Where do you see them?

When you do what?

Thanks.

Jeff
 
Hi Jeff,

All tests on winXP
with IE6 'trusted'
with Mozilla 1.7 'Unable to verify the id...'
with Mozilla Firebird/0.6.1 'Unable to verify the id...'

Hope this help,
ramon
 
Hey Jeff,

When I view the details I see both certs... (On our site)

I noticed you saw the GTE and wondered if you saw both (that's why I posted I saw both)... If not then, perhaps you're seeing the CA cert because it is where DA can read it...

David
 
Sounds like possibly Mozilla doesn't have that in its list of trusted certificates.

... And I'm fairly certain the chained Comodo certs are limited to browsers (also, ev1 have a note on their chained certs stating "compatible with NS and IE" (last time I checked)).

Chris
 
Good call, Chris.

But I've got lots of Comodo certs working with the CACert properly installed. And they all work ubiquitously on all the servers (including lots on DA servers) and all the browsers (including the same ones that can't find these in question) I've ever tested them on.

If you're saying don't use Comodo certs, I have to disagree with you; Comodo certs work fine on all the browsers I've tested them on and on all the servers I've ever tested them on.

In fact, when I set up a copy of one of my domains on this server in question, and copied in my Comodo cert for that domain, and used the same CACert that wasn't being properly used as a shared cert, and set my hosts file to look at the client's machine instead of mine, the Comodo cert worked fine.

Though I'm not sure, it appears to have something to do with the fact that it's a shared cert.

Jeff
 
Hey Jeff,

I'm curious to know what the directadmin.conf looks like... (the cert location part)

I experimented with my conf and unless I had all three files (CA, server.crt and the private.key) where DA could read them it wouldn't work.

I placed those files in the locations you mentioned above and nada... (Changed the directadmin.conf as well and permissions were OK).

Heck, the login screen wouldn't even pull up... restarting DA failed on the stop but OK'd on start... also weird... But, I'm guessing that's because it couldn't read the cert files.

Anyway... just curious.

Thanks, David
 
jlasman said:
If you're saying don't use Comodo certs, I have to disagree with you; Comodo certs work fine on all the browsers I've tested them on and on all the servers I've ever tested them on.

Not saying not to use them, but it's surely a possibility that when only Mozilla-based browsers are having the problems, it could possibly be an incompatibility or a different root certificate that is not covered by Mozilla.

If you look at the following:

(chainedSSL)
http://www.ev1servers.net/english/chainedssldetails.asp

and compare with:

(GeoTrust quickssl)
http://www.ev1servers.net/english/quickssldetails.asp

You will probably notice, ChainedSSL page specifically says "compatible with the following popular browsers: ie 5.0+ / netscape 7"

If you look at GeoTrust, there is no mention of its compatibility with any specific software...

If they have actually worked previously, that puts the suggestion out of the way. I'm unsure of exactly what else it could be; it could be a problem with the cert, or it could be a problem with the specific browsers. If there was a problem with the way it was set up, I would guess it would affect all browsers?

Chris
 
Hello,

Just as a note, when an Admin is adding SSL certificates, it will save the server shared certificates, I think we all know that. But it will not make any changes to the main /etc/httpd/conf/httpd.conf that uses them. This said, if you are trying to install a CA Root certificate, you'll have to manually add SSLCARootCertificateFile to the ssl (443) virtualhost near the bottom of your /etc/httpd/conf/httpd.conf file.

John
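An added example, not code from the thread or from DirectAdmin: the 443 virtual host John refers to, written out once without and once with the CA certificate, plus a small check that reports which form a given httpd.conf contains. The directory names follow the ones reported earlier in the thread; the hostname and the certificate file names are made up. SSLCertificateChainFile is the mod_ssl directive for sending intermediate CA certificates together with the server certificate; the check also accepts SSLCACertificateFile, which mod_ssl likewise loads as CA material.

```shell
#!/bin/sh
# Added example, not from the thread or DirectAdmin. Writes a minimal mod_ssl
# 443 vhost "before" (leaf and key only) and "after" (CA certificate added),
# then checks which one a config file contains. Hostname and file names are
# made up; directory names follow the ones reported in the thread.
set -e

WORK=$(mktemp -d)

# Before: the admin panel installs the cert and key, but httpd.conf is not
# updated, so the server sends only the leaf certificate. Clients that already
# hold the intermediate validate; everyone else sees an untrusted issuer.
cat > "$WORK/httpd.conf.before" <<'EOF'
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>
EOF

# After: the CA certificate is named in the vhost, so it is sent with the leaf.
cat > "$WORK/httpd.conf.after" <<'EOF'
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile      /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile   /etc/httpd/conf/ssl.key/server.key
    SSLCertificateChainFile /etc/httpd/conf/ssl.crt/server.ca
</VirtualHost>
EOF

# vhost_sends_chain CONF: returns 0 if the *:443 vhost in CONF names a chain or
# CA certificate file, 1 otherwise. Only lines inside the 443 vhost count.
vhost_sends_chain() {
  awk '
    /<VirtualHost[^>]*:443>/ { in443 = 1 }
    in443 && /^[ \t]*(SSLCertificateChainFile|SSLCACertificateFile)[ \t]/ { found = 1 }
    /<\/VirtualHost>/ { in443 = 0 }
    END { exit !found }
  ' "$1"
}

for f in "$WORK/httpd.conf.before" "$WORK/httpd.conf.after"; do
  if vhost_sends_chain "$f"; then
    echo "sends CA cert : $f"
  else
    echo "leaf only     : $f"
  fi
done
```

Run the check against the live /etc/httpd/conf/httpd.conf after editing it, and then restart httpd; the directive is only read at startup. Whatever file the directive points at must also be readable by the user httpd starts as, which is the permissions point raised earlier in the thread.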
 
Hey,

This may or may not be helpful/useful but...

Comodo sent us two certs aside from our server cert...

One is the GTECyberTrustRoot.crt and the other is the ComodoSecurityServicesCA.crt...

We used the ComodoSecurityServicesCA.crt as the CA root cert...

That's the one we reference in the DA config file and (like John said, and I forgot about) in the httpd.conf file.

And, we did install ours manually... reason being, for those interested, admin doesn't have any domains.

David
 
ProWebUK said:
Not saying not to use them, but it's surely a possibility that when only Mozilla-based browsers are having the problems, it could possibly be an incompatibility or a different root certificate that is not covered by Mozilla.
If you read my first post carefully you'll see that I have lots of Comodo certs set up with the same CACert, and they all work.

And that my client (and so far everyone who's answered the thread) has also had a problem with the Cert with IE.

I just got back in and I'm going to try some of these ideas.

Jeff
 
Problem Solved

The problem has been solved.

Thanks to everyone who's helped.

Especially to John, who pointed out necessary changes to /etc/httpd/conf/httpd.conf (which I've changed slightly) and also to David (skruf) who reminded me of the changes we had to make so the directadmin control panel could use the cert as well.

I've written a How-To, which I've posted in the How-To forum; it can be found here. It's only tested on RHEL 3, but I've tried to make the instructions as generic as possible so it will work for all operating systems on which DA runs. I've tested the How-To, installing on a second machine following the instructions to the letter, and it appears to be good. If you have problems with it, please let me know in that thread.

Thanks.

Jeff
 