Friday, April 17, 2015

Tackling missing SSL intermediate keychain certificate issue on Apache

One of my clients has been complaining about an error message like the one below when they visit some secured web sites via HTTPS protocol on the browser, particular Mozilla Firefox.

The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)

Firefox is well-known open source web browser which has been sticking with W3C standard. For HTTPS tunnel initialisation, Firefox checks through public certificates down to root certificate in order to tell the user whether the connection is completely secured. Among those certificates, the intermediate keychain certificate was ignored in the past by the web browsers. It's not hard to imagine some browser may even automatically try to search and put back this missing piece into the keychain store.

Somehow, it might be difficult to draw a fine line between the responsibility of browser's developer and website administrator. However, there is still something Web Administrator can do to resolve this.

Assuming you are hosting Apache webserver for the target website, try the following URL to check whether there is any problem with the SSL certificates installed on the target website:

https://www.sslshopper.com/ssl-checker.html

Once an error of missing intermediate keychain certificate is found, it's time to proceed to next step for checking which intermediate certificate to install on webserver.

Visit the target website and click on the lock icon to get more information about the SSL certificate already installed. From the certificate information, check the name of issuing authority in order to identify which SSL provider and package you are using.

Go to the website of SSL provider and find relevant intermediate keychain certificate which is supposed to be opened to the public for downloading.

The file content should be something like this:

-----BEGIN CERTIFICATE-----
ENCRYPTED TEXT...
-----END CERTIFICATE-----

Once you've got the intermediate keychain certificate, you can reconfigure Apache to use it to complete the keychain for HTTPS validation.

On hosting server, find Apache SSL configuration file like httpd-ssl.conf and add a line (in red) to specific the intermediate keychain certificate for use:

SSLEngine On
SSLCertificateFile /TargetPath/somedomain.crt
SSLCertificateKeyFile /TargetPath/somedomain.key
SSLCertificateChainFile /TargetPath/intermediates_keychain_cert.crt

When finished, please restart Apache server and then test the secured URL (https://...) of target website with Firefox again. If all certificate and key files are in place on webserver, the error message should go away.








No comments:

Post a Comment