Wildcard SSL behaves inconsistently across browsers / OS's / computers

I've got a wildcard SSL certificate installed on a domain hosted with Media Temple's Dedicated Virtual 4.0. Here's a simple example page that I'm trying to serve over SSL: https://ssltest.bblhosted.com/

Now, other people I've asked (about 4 or 5) say the site works fine on their computers, in a variety of browsers, with no security warning. However, I'm getting inconsistent results on my computer.

Here are my results. I'm running the latest OSX, with Windows 7 running through Parallels, and the latest versions of all browsers:

OSX / Firefox: Padlock shows, no problems.
Windows 7 / Firefox: Warning - 'This connection is untrusted'

OSX / Chrome: Warning - 'This site's security is not trusted!'
Windows 7 / Chrome: Green Padlock - 'Identity verified by RapidSSL CA'.

OSX / Opera: Warning - 'This server's certificate chain is incomplete, and the signer(s) are not registered. Accept?'
Windows 7 / Opera: Padlock shows, 'securely connected, clean security record'.

OSX / Safari: Warning - 'Safari can't verify the identity of the website'

Windows 7 / IE: Padlock shows, 'This connection to the server is encrypted'.

My question is, can anyone provide any insight into what might be causing the issue here, or how to go about fixing it? Could it be just a problem on my computer, and if so, what? What's particularly strange is that I get opposite results on OSX vs. Windows 7, for the same browsers.

Even if you can just comment what browser / OS you're using, and whether or not it worked for you, that'd be great! Thanks.

UPDATE:

The initial email from Rapid SSL gave me one Certificate and one CA certificate. I've updated it to include the two CA certificates here, that Christopher Perrin linked to.

I've tested ssltest.bblhosted.com with Rapid SSL's tool and it says everything is set up correctly (although that tool gave a success before I changed the CA certificate, too).

This tool gives an error - and says it's most likely an intermediate certificate issue.

I'm updating the certificate through Plesk, and I do get the warning "Warning: the CA certificate does not sign the certificate.", though according to this, you can generally ignore that warning.

SSL works fine for https://www.bblhosted.com/, https://bblhosted.com/ and https://anythinggoeshere.bblhosted.com/ - it only doesn't work for subdomains which have been explicitly set up.

In /var/log/httpd/error_log, I have a bunch of errors like: "RSA server certificate wildcard CommonName (CN) `*.bblhosted.com' does NOT match server name!?"

and in ssl_error_log, I have a bunch of errors like: "[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)"

I'm not experienced enough to know what they mean. I'll continue the battle tomorrow!


It is possible that your certificate chain is not complete. You might need to add the RapidSSL CA Bundle to your certificate.

In Apache you have the option SSLCertificateChainFile. Set this to the path where you saved the RapidSSL CA Bundle.

Another option is to add the chain certificates to your own by appending them to your certificate like this:

cat mycert.pem RapidSSL_CA_bundle.pem >> mychainedcert.pem

This should solve the problem.

Explanation

You obviously bought your certificate at RapidSSL. RapidSSL though is not one of the CAs that your browsers trust. This is no problem because your browser trusts GeoTrust and GeoTrust trusts RapidSSL. You just have to show the browser the certificate that proves this. That is why you need to include the chain file.


OK so Christopher Perrin put me on the right track with SSLCertificateChainFile - thanks. Here are the specifics, in case they help someone else. I'm using Plesk 11, and obviously the paths I refer to will be different for others.

When I create the subdomain ssltest.bblhosted.com, Plesk creates a file at /var/www/vhosts/ssltest.bblhosted.com/conf/13558069200.18494000_httpd.include (or similar). This file effectively serves the purpose of a vhost.conf file (or vhost_ssl.conf), except that it's automatically generated by Plesk, and will be automatically overridden each time you change settings through Plesk.

The file contains the line:

SSLCertificateFile /usr/local/psa/var/certificates/cert-Eq8jue

which shows where to find my SSL certificate. What it doesn't contain is a line indicating where to find the CA certificate. So it should contain the line:

SSLCertificateChainFile /usr/local/psa/var/certificates/cert-t8ReAO

(Obviously the path should point to your own CA Certificate). As far as I can tell, the fact that this line is not included is a bug in Plesk. You could add the line to that file, directly below the SSLCertificateFile line, and then restart Apache, and it would work - HOWEVER, if you do that, the file will get overridden next time you change the settings for that domain in Plesk, and you'll lose your changes. At the top of the file, Plesk gives this warning:

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
#
#IF YOU REQUIRE TO APPLY CUSTOM MODIFICATIONS, PERFORM THEM IN THE  FOLLOWING FILES:

#/var/www/vhosts/ssltest.bblhosted.com/conf/vhost.conf
#/var/www/vhosts/ssltest.bblhosted.com/conf/vhost_ssl.conf

So, I created /var/www/vhosts/ssltest.bblhosted.com/conf/vhost_ssl.conf and added the single line to it:

SSLCertificateChainFile /usr/local/psa/var/certificates/cert-t8ReAO

You don't need to add anything else but that single line. From what I know, all other settings will still get taken from the default httpd.include file generated by Plesk.

Now, you have to tell Plesk to look for the vhost_ssl.conf file, because it won't by default - even though you've created it! Do this by logging in via SSH and executing this command:

/usr/local/psa/admin/bin/httpdmng --reconfigure-all

That will tell Plesk to look for vhost.conf (and vhost_ssl.conf) for all domains. You can also do it for just a single domain if need be.

Last, restart Apache, and the SSL works!

Note that if you add another subdomain, you need to go through the whole process again, including executing the terminal command to make Plesk look for vhost.conf and vhost_ssl.conf for your new domain or subdomain.
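A check covering both answers above, added here and not part of the question or either answer: it builds a throwaway root / intermediate / wildcard-leaf chain with the openssl CLI (toy-root, toy-int and *.example.test are all constructed names), shows that the leaf alone fails verification the way Opera's "certificate chain is incomplete" warning describes and passes once the intermediate is supplied the way SSLCertificateChainFile supplies it, and then checks an SSLCertificateFile / SSLCertificateChainFile pair for the two mistakes behind the Plesk warning and the "RSA server certificate is a CA certificate" log line.

```shell
#!/bin/sh
# Added example (constructed names, not the asker's certificates): a toy
# root -> intermediate -> wildcard leaf chain, and the two checks an admin
# wants before pointing Apache at a certificate and a chain file.

# Creates root.pem, int.pem and leaf.pem (plus keys) in directory $1.
build_toy_chain() (  # build_toy_chain DIR
    set -e
    mkdir -p "$1" && cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    # Root: stands in for the GeoTrust root the browser already trusts.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=toy-root" -keyout root.key -out root.csr
    openssl x509 -req -days 2 -in root.csr -signkey root.key -extfile ca.ext -out root.pem
    # Intermediate: stands in for RapidSSL, signed by the root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=toy-int" -keyout int.key -out int.csr
    openssl x509 -req -days 2 -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -out int.pem
    # Wildcard server certificate, signed by the intermediate.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" -keyout leaf.key -out leaf.csr
    openssl x509 -req -days 2 -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -extfile leaf.ext -out leaf.pem
) 2>/dev/null

# Mirrors the browser: does LEAF chain to the trusted ROOT using only the
# intermediates the server sends (the optional CHAIN file)? Succeeds on "OK".
verify_chain() {  # verify_chain ROOT LEAF [CHAIN]
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1
    else
        openssl verify -CAfile "$1" "$2" 2>&1
    fi | grep -q ': OK$'
}

# Checks a SSLCertificateFile / SSLCertificateChainFile pair the way Apache
# needs them: the server cert must not itself be a CA, and its issuer must
# equal the subject of the first certificate in the chain file.
pair_consistent() {  # pair_consistent SERVER_CERT CHAIN_FILE
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then return 1; fi
    [ "$(openssl x509 -in "$1" -noout -issuer | sed 's/^[a-z]*=//')" = \
      "$(openssl x509 -in "$2" -noout -subject | sed 's/^[a-z]*=//')" ]
}

D=$(mktemp -d)
build_toy_chain "$D"
verify_chain "$D/root.pem" "$D/leaf.pem" || echo "leaf alone: incomplete chain (Opera's warning)"
verify_chain "$D/root.pem" "$D/leaf.pem" "$D/int.pem" && echo "leaf + chain file: OK"
pair_consistent "$D/leaf.pem" "$D/int.pem" && echo "cert/chain pair: consistent"
pair_consistent "$D/int.pem" "$D/leaf.pem" || echo "swapped pair: server cert is a CA"
rm -rf "$D"
```

Pointing pair_consistent at the root instead of the intermediate fails the same way the Plesk warning does: the certificate's issuer is the intermediate, so the root alone does not sign it.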