How to fix "Could not verify this certificate for unknown reasons" SSL certificate lighttpd troubles
I've been issuing a new wildcard multi-domain SSL certificate to renew an expiring one. After I completed the new certificate setup manually on the server (a CentOS 5.5 Final running SolusVM Pro - Virtual Private Manager), I launched Firefox to check whether the certificate was properly configured.

Contrary to my expectation that the browser would simply accept the certificate without spitting out any error messages, I got an error with the just installed certificate, and thus the browser failed to report the SSL cert as properly authenticated.
The company used to issue the SSL certificate is GlobeSSL - http://globessl.com. It was quite a "hassle" with their tech support, as the first certificate generated by GlobeSSL was generated from an SSL key file with a 4096-bit key. As that first issued certificate was not good, about a week more was necessary to complete the required certificate reissue....

It wasn't just GlobeSSL's failure, as there were some spam filters on my side that were preventing some of GlobeSSL's emails from arriving normally; however, it was partially their fault, as they haven't made their notification and confirmation emails able to pass a mid-level strong anti-spam filter...

Anyway, my overall experience with GlobeSSL's certificate reissue and especially their technical support is terrible. To make a parallel, issuing certificates with GoDaddy is way easier and more straightforward.
Now let me come back to the main certificate error I got in Firefox...

A bit of further investigation into the cert failure led me to the error message, which traced back to the newly installed SSL certificate.

In order to find the exact cause of the SSL certificate failure in Firefox I followed the menus:

Tools -> Page Info -> Security -> View Certificate

Doing so, in the General tab there was the following error:

Could not verify this certificate for unknown reasons

The information on "Could not verify this certificate for unknown reasons" on the internet was very mixed, and many people online suggested many possible causes of the issue, so I was about to lose myself.
Everything with the certificate seemed to be configured just fine in lighttpd: the GlobeSSL issued .cer and .key files as well as the CA bundle were all configured to be read and used in lighttpd's configuration file /etc/lighttpd/lighttpd.conf.

Here is the section taken from lighttpd.conf that did the SSL certificate cert and key file configuration:
$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/wildcard.mydomain.bundle"
}
The file /etc/lighttpd/ssl/wildcard.mydomain.bundle contained the content of both the .key (generated on my server with openssl) and the .cer file (issued by GlobeSSL), as well as the CA bundle (from GlobeSSL).

Even though all seemed to be configured well, the SSL error "Could not verify this certificate for unknown reasons" was still present in the browser.
GlobeSSL tech support suggested that I try their Web key matcher interface - https://confirm.globessl.com/key-matcher.html to verify that everything is fine with my certificate and its key. Thanks to this interface I figured out that all seemed to be fine with the certificate and something else should be causing the SSL oddities.

I was further referred by GlobeSSL tech support to another web interface for debugging errors with newly installed SSL certificates. This interface is called Verify and Validate Installed SSL Certificate and is found here.

Even though this SSL domain installation error report and debug tool made some helpful suggestions, it wasn't what helped me solve the issue.
What helped was, first, the suggestion made by one of the many tech support guys at GlobeSSL, who suggested something was wrong with the CA bundle, and in the first place the documentation on SolusVM's wiki - http://wiki.solusvm.com/index.php/Installing_an_SSL_Certificate.

According to SolusVM's documentation, the lighttpd.conf file had to have one extra line pointing to a separate file containing the issued CA bundle (the issuing certificate authority's own certificates, combined in one file). The line I was missing in lighttpd.conf (described in the docs) looked like so:
ssl.ca-file = "/usr/local/solusvm/ssl/gd_bundle.crt"
Thus, to include the directive, I changed my previous lighttpd.conf to look like so:
$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/wildcard.mydomain.bundle"
ssl.ca-file = "/etc/lighttpd/ssl/server.bundle.crt"
}
Where server.bundle.crt contains an exact paste of the certificate (CA bundle) mailed by GlobeSSL.

There were a couple of other ports on which SSL was configured, so I had to include this configuration directive everywhere in my conf where I had anything related to SSL.
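The check I would have wanted while chasing this: a small lint over lighttpd.conf and the two files it points to, covering both the original one-file setup above and the ssl.ca-file fix. This is an added example, not the post's own code nor anything from SolusVM or lighttpd. It assumes the flat $SERVER["socket"] blocks shown in the post (no nested conditionals), takes file contents as a dict so it runs offline, and the PEM bodies in it are constructed placeholders, not real keys or certificates.

```python
"""Lint a lighttpd SSL configuration for the problem described in the post:
every SSL-enabled socket needs ssl.pemfile (one private key plus the server
certificate) and a separate ssl.ca-file holding only CA certificates."""
import re

# One $SERVER["socket"] == "..." { ... } block.  Nested conditionals inside the
# block are not handled (assumption: the flat layout shown in the post).
SOCKET_RE = re.compile(r'\$SERVER\["socket"\]\s*==\s*"([^"]+)"\s*\{([^}]*)\}', re.S)
# ssl.* directives of the form  ssl.name = "value"
DIRECTIVE_RE = re.compile(r'^\s*(ssl\.[a-z-]+)\s*=\s*"([^"]*)"', re.M)
# PEM armour; the END label must repeat the BEGIN label
PEM_RE = re.compile(r'-----BEGIN ([A-Z ]+)-----.*?-----END \1-----', re.S)


def parse_sockets(conf):
    """Map each socket address to its ssl.* directives."""
    return {sock: dict(DIRECTIVE_RE.findall(body))
            for sock, body in SOCKET_RE.findall(conf)}


def pem_block_types(text):
    """Labels of the PEM blocks in a file, in order, e.g. ['RSA PRIVATE KEY', 'CERTIFICATE']."""
    return PEM_RE.findall(text)


def audit_socket(sock, directives, files):
    """Findings for one socket block; an empty list means the block looks right."""
    if directives.get("ssl.engine") != "enable":
        return []                       # plain-HTTP socket: nothing to check
    findings = []
    pemfile = directives.get("ssl.pemfile")
    cafile = directives.get("ssl.ca-file")
    pem_certs = 0
    if not pemfile:
        findings.append(f"{sock}: ssl.pemfile is not set")
    elif pemfile not in files:
        findings.append(f"{sock}: ssl.pemfile {pemfile} does not exist")
    else:
        types = pem_block_types(files[pemfile])
        keys = [t for t in types if t.endswith("PRIVATE KEY")]
        pem_certs = types.count("CERTIFICATE")
        if len(keys) != 1:
            findings.append(f"{sock}: ssl.pemfile must hold exactly one private key, found {len(keys)}")
        if pem_certs == 0:
            findings.append(f"{sock}: ssl.pemfile holds no server certificate")
    if not cafile:
        # The post's situation: CA certs appended to the pemfile, but no ssl.ca-file
        hint = " (the CA certificates appended to ssl.pemfile do not replace it)" if pem_certs > 1 else ""
        findings.append(f"{sock}: ssl.ca-file is not set, so no CA bundle is sent{hint}")
    elif cafile not in files:
        findings.append(f"{sock}: ssl.ca-file {cafile} does not exist")
    else:
        types = pem_block_types(files[cafile])
        if any(t.endswith("PRIVATE KEY") for t in types):
            findings.append(f"{sock}: ssl.ca-file contains a private key; it must hold CA certificates only")
        if "CERTIFICATE" not in types:
            findings.append(f"{sock}: ssl.ca-file holds no certificate")
    return findings


def audit(conf, files):
    """Findings for every SSL socket in the config; empty list means all look right."""
    findings = []
    for sock, directives in parse_sockets(conf).items():
        findings.extend(audit_socket(sock, directives, files))
    return findings


def fake_pem(label):
    """Constructed placeholder PEM block; the body is not real key or certificate data."""
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n-----END {label}-----\n"


KEY, LEAF, CA = fake_pem("RSA PRIVATE KEY"), fake_pem("CERTIFICATE"), fake_pem("CERTIFICATE")
FILES = {  # constructed stand-ins for the two files the post ends up with
    "/etc/lighttpd/ssl/wildcard.mydomain.bundle": KEY + LEAF + CA + CA,
    "/etc/lighttpd/ssl/server.bundle.crt": CA + CA,
}
BROKEN_CONF = """
$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/wildcard.mydomain.bundle"
}
"""
FIXED_CONF = BROKEN_CONF.replace("}", 'ssl.ca-file = "/etc/lighttpd/ssl/server.bundle.crt"\n}')

if __name__ == "__main__":
    for name, conf in (("before", BROKEN_CONF), ("after", FIXED_CONF)):
        print(name, audit(conf, FILES) or ["no findings"])
```

The lint only inspects what the config and files look like; it cannot tell whether clients really receive the intermediate chain. For that, after the restart, an openssl s_client -connect host:443 -showcerts run against the server (or the Firefox certificate viewer the post uses) is still the confirmation, and lighttpd -t -f /etc/lighttpd/lighttpd.conf catches syntax slips before restarting.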
Finally, to make the new settings take effect, I did a lighttpd server restart:
[root@centos ssl]# /etc/init.d/lighttpd restart
Stopping lighttpd: [ OK ]
Starting lighttpd: [ OK ]
After lighttpd restarted, the error was gone! Cheers!