Soggiorno Soggiorno - 1 month ago 14
Android Question

StartSSL certificate not trusted in Firefox and on Android

Apache server, followed the guide from here: https://www.startssl.com/Support?v=21

httpd.conf:

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL
SSLCertificateFile "/usr/local/apache2/conf/domain.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/private.key"
SSLCertificateChainFile "/usr/local/apache2/conf/1_root_bundle.crt"


Works fine in Chrome but Firefox yields the following error:

Error code: SEC_ERROR_UNKNOWN_ISSUER


Analysis at https://www.sslshopper.com/ssl-checker.html says the following:

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following StartCom's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.

How can I make the chain valid?

Answer
SSLCertificateChainFile "/usr/local/apache2/conf/1_root_bundle.crt"   

... You may need to install an Intermediate/chain certificate to link it to a trusted root certificate

The SSLCertificateChainFile option was obsoleted in Apache version 2.4.8, and any chain certificates need to be added to SSLCertificateFile instead. Since you are using 2.4.23, based on your comment, this means that this setting was ignored. This means that no chain certificates were sent to the client, causing the validation error. You should have gotten a message in the error logs, though, pointing out the invalid setting.
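
A sketch of the fix the answer describes, added here as an example and not taken from the question or the answer: merge the leaf and chain into the file named by SSLCertificateFile, then audit a config for the case where the chain is still only in SSLCertificateChainFile. The function names are hypothetical, the PEM blocks are constructed placeholders rather than real certificates, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example; function names and sample files are constructed for illustration.

# Number of PEM certificate blocks in a file (prints 0 if none).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write the leaf certificate first, then the intermediates, into one file.
# Re-printing every line (and stripping CR) guarantees a newline after the
# leaf's END line even when the leaf file lacks a final newline.
build_fullchain() {
    awk '{ sub(/\r$/, ""); print }' "$1" "$2" > "$3"
}

# Print the unquoted argument of the first matching directive in a config.
directive() {
    awk -v d="$1" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2; exit }' "$2"
}

# Report whether SSLCertificateFile itself carries the intermediates.
audit_conf() {
    cert=$(directive SSLCertificateFile "$1")
    chain=$(directive SSLCertificateChainFile "$1")
    [ -n "$cert" ] && [ -r "$cert" ] || { echo "no readable SSLCertificateFile"; return 2; }
    if [ "$(count_certs "$cert")" -ge 2 ]; then
        echo "OK: $cert carries leaf plus chain"
    elif [ -n "$chain" ]; then
        echo "WARN: chain only in SSLCertificateChainFile; merge it into $cert"
        return 1
    else
        echo "WARN: $cert holds only the leaf and no chain is configured"
        return 1
    fi
}

# Constructed sample under directory $1: placeholder PEM blocks and a config
# shaped like the one in the question. The leaf has no trailing newline.
make_sample() {
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'LEAF' '-----END CERTIFICATE-----' > "$1/domain.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE' '-----END CERTIFICATE-----' > "$1/1_root_bundle.crt"
    printf 'SSLCertificateFile "%s/domain.crt"\nSSLCertificateChainFile "%s/1_root_bundle.crt"\n' "$1" "$1" > "$1/httpd.conf"
}
```

After merging, point SSLCertificateFile at the combined file and drop the SSLCertificateChainFile line; the audit then reports OK.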