Re: StartSSL (not self-signed) cert but says "The certificate is not trusted because it is self-signed"

[Victor Porton <porton@xxxxxxxx>]

On Mon, 2015-04-06 at 20:31 +0200, Sebastian Pipping wrote:
> On 06.04.2015 19:24, Victor Porton wrote:
> > I've tried to set SSL for one site at my Debian Linux wheezy server
> > (which serves multiple domains).
> > 
> > I've prepared StartSSL keys and certificate and put them into
> > /etc/apache2/ssl/
>
> How did you prepare those?
> Did you follow the StartSSL steps on the website wizard and obtained
> both of these files through downloading from their website?
I've obtained both the certificate and the key (which I have deciphered on my machine) from StartSSL.

I have copy&pasted them from their site's control panel (if it is called control panel).

> > But when I started the below configuration (with Debian command
> > `a2ensite withoutvowels.conf`), after I opened
> > https://withoutvowels.org/wiki/Without_Vowels_project I've got
> > 
> > [[[[
> > This Connection is Untrusted
> > 
> > You have asked Iceweasel to connect securely to withoutvowels.org, but
> > we can't confirm that your connection is secure.
> > 
> > Normally, when you try to connect securely, sites will present trusted
> > identification to prove that you are going to the right place. However,
> > this site's identity can't be verified.
> > What Should I Do?
> > 
> > If you usually connect to this site without problems, this error could
> > mean that someone is trying to impersonate the site, and you shouldn't
> > continue.
> > 
> > withoutvowels.org uses an invalid security certificate. The certificate
> > is not trusted because it is self-signed. The certificate is only valid
> > for d1stkfactory (Error code: sec_error_unknown_issuer)
> > ]]]]
>
> That "d1stkfactory" in there is interesting.
>
> Are you hosted at DigitalOcean?  I found this using Google:
>
> http://blog.vucica.net/2014/03/mails-appearing-from-d1stkfactory.html
Yes, I am hosted at Digital Ocean.

I've verified my cert for a domain (withoutvowels.org) not for an IP. So I wonder where "d1stkfactory" got from.

> My guess right now is that you made the certificate on a machine of
> yours rather than downling a cert from StartSSL.  Did you use a
> certificate signing request to get your existing cert signed?
I didn’t made the certificate on my machine. The only things I did on my machine was:

1. I've deciphered the private key.

2. I've renamed the file from ssl.key into private.key.
> > After this error I've stopped to use the below configuration and
> > replaced it with my old (non-SSL) configuration.
> > 
> > The config /etc/apache2/sites-available/withoutvowels.conf for the site
> > is below:
> > 
> > <VirtualHost *:443>
> >         ServerName withoutvowels.org
> > 
> >         SuexecUserGroup withoutvowels withoutvowels
> > 
> >         ServerAdmin webmaster@localhost
> > 
> >         SSLEngine on
> >         SSLProtocol all -SSLv2
> >         SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
> >         SSLCertificateFile /etc/apache2/ssl/ssl.crt
> >         SSLCertificateKeyFile /etc/apache2/ssl/private.key
> >         SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
>
> This looks alot like
> https://www.startssl.com/?app=21
>
> Please consider disabling SSLv3 as well, because:
> https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack
Please explain how to disable SSLv3 in Apache.
> Having SSLv3 enabled will also not look good on the ssllabs test page, e.g.
> https://www.ssllabs.com/ssltest/analyze.html?d=google.com&s=74.125.224.8
>
> Best,
>
>
>
> Sebastian

I've also reported the bug to StartSSL:
https://bugzilla.startcom.org/show_bug.cgi?id=363

-- 
Victor Porton - http://portonvictor.org