Re: StartSSL (not self-signed) cert but says "The certificate is not trusted because it is self-signed"

On 06.04.2015 19:24, Victor Porton wrote:
> I've tried to set SSL for one site at my Debian Linux wheezy server
> (which serves multiple domains).
> 
> I've prepared StartSSL keys and certificate and put them into
> /etc/apache2/ssl/

How did you prepare those?
Did you follow the StartSSL steps in the website wizard and obtain
both of these files by downloading them from their website?


> But when I started the below configuration (with Debian command
> `a2ensite withoutvowels.conf`), after I opened
> https://withoutvowels.org/wiki/Without_Vowels_project I've got
> 
> [[[[
> This Connection is Untrusted
> 
> You have asked Iceweasel to connect securely to withoutvowels.org, but
> we can't confirm that your connection is secure.
> 
> Normally, when you try to connect securely, sites will present trusted
> identification to prove that you are going to the right place. However,
> this site's identity can't be verified.
> What Should I Do?
> 
> If you usually connect to this site without problems, this error could
> mean that someone is trying to impersonate the site, and you shouldn't
> continue.
> 
> withoutvowels.org uses an invalid security certificate. The certificate
> is not trusted because it is self-signed. The certificate is only valid
> for d1stkfactory (Error code: sec_error_unknown_issuer)
> ]]]]

That "d1stkfactory" in there is interesting.

Are you hosted at DigitalOcean?  I found this using Google:

http://blog.vucica.net/2014/03/mails-appearing-from-d1stkfactory.html

My guess right now is that you made the certificate on a machine of
yours rather than downloading a cert from StartSSL.  Did you use a
certificate signing request to get your existing cert signed?


> After this error I've stopped using the below configuration and
> replaced it with my old (non-SSL) configuration.
> 
> The config /etc/apache2/sites-available/withoutvowels.conf for the site
> is below:
> 
> <VirtualHost *:443>
>         ServerName withoutvowels.org
> 
>         SuexecUserGroup withoutvowels withoutvowels
> 
>         ServerAdmin webmaster@localhost
> 
>         SSLEngine on
>         SSLProtocol all -SSLv2
>         SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
>         SSLCertificateFile /etc/apache2/ssl/ssl.crt
>         SSLCertificateKeyFile /etc/apache2/ssl/private.key
>         SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem

This looks a lot like
https://www.startssl.com/?app=21

Please consider disabling SSLv3 as well, because:
https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack

Having SSLv3 enabled will also not look good on the ssllabs test page, e.g.
https://www.ssllabs.com/ssltest/analyze.html?d=google.com&s=74.125.224.8

Best,



Sebastian
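The two points raised in this reply (is the certificate in /etc/apache2/ssl/ really the CA-issued one, and does the SSLProtocol line still leave SSLv3 on) can both be checked from the server itself before touching the vhost. The script below is an added example and is not part of the thread or of Apache/StartSSL; it assumes only the `openssl` command-line tool. The certificate it inspects is constructed on the fly as a stand-in for a locally generated, self-signed cert with CN `d1stkfactory`; the `cert_*` and `sslprotocol_allows_sslv3` functions are hypothetical helper names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a certificate generated on the host itself
# (subject == issuer, CN taken from the machine name) instead of one
# issued by the StartSSL intermediate CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=d1stkfactory" \
    -keyout "$WORK/local.key" -out "$WORK/local.crt" 2>/dev/null

# An unrelated key, to demonstrate the key/certificate mismatch check.
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

# True when issuer equals subject, i.e. the cert is self-signed. A CA-issued
# server cert has the CA's name as issuer, so this is exactly the symptom the
# browser reported ("not trusted because it is self-signed").
cert_is_self_signed() {
    subj="$(openssl x509 -in "$1" -noout -subject)"
    iss="$(openssl x509 -in "$1" -noout -issuer)"
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# True when SSLCertificateFile and SSLCertificateKeyFile belong together:
# the public key embedded in the cert must equal the one derived from the key.
cert_matches_key() {
    crt_pub="$(openssl x509 -in "$1" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null)"
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Lists the names the certificate is valid for: the subject CN plus any
# DNS entries of the subjectAltName extension, one per line.
cert_names() {
    openssl x509 -in "$1" -noout -subject \
        | sed -n 's/^.*CN *= *\([^,/]*\).*$/\1/p'
    openssl x509 -in "$1" -noout -text \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# True when the cert covers the given host name exactly (no wildcard logic).
cert_covers_name() {
    cert_names "$1" | grep -F -x -q "$2"
}

# Takes the argument list of an Apache SSLProtocol directive and reports
# whether SSLv3 ends up enabled. Tokens are applied left to right the way
# mod_ssl does: "all" switches every protocol on, "+X" adds, "-X" removes.
sslprotocol_allows_sslv3() {
    enabled=0
    for tok in $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); do
        case "$tok" in
            all|+sslv3|sslv3) enabled=1 ;;
            -sslv3)           enabled=0 ;;
        esac
    done
    [ "$enabled" -eq 1 ]
}

# Walk through the checks for the constructed cert and the thread's directive.
if cert_is_self_signed "$WORK/local.crt"; then
    echo "local.crt: self-signed (issuer == subject), not CA-issued"
fi
echo "local.crt is valid for: $(cert_names "$WORK/local.crt" | tr '\n' ' ')"
if ! cert_covers_name "$WORK/local.crt" withoutvowels.org; then
    echo "local.crt does not cover withoutvowels.org"
fi
if sslprotocol_allows_sslv3 "all -SSLv2"; then
    echo '"SSLProtocol all -SSLv2" still permits SSLv3; use "all -SSLv2 -SSLv3"'
fi
```

Run it against the real files by replacing the constructed paths with /etc/apache2/ssl/ssl.crt and /etc/apache2/ssl/private.key: a StartSSL-issued cert shows a different issuer than subject and lists withoutvowels.org among its names, and `cert_matches_key` confirms the key Apache loads is the one the CSR was generated from.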

