"Unable to locally verify the issuer's authority" for GeoTrust SSL CA

ssl openssl

Solution 1:

The server is not configured properly — it does not send the required intermediate certificate. Note that there is only one certificate in the certificate chain:

---
Certificate chain
 0 s:/serialNumber=8z3ZNMMt8GMi9Qumrn0xficRkxAYJZQq/C=AU/ST=New South Wales/L=North Sydney/O=SERCO GROUP PTY LIMITED/CN=*.131500.com.au
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
---

There should be a second certificate after this with the subject s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA.

In Apache intermediate certificates are configured using the SSLCertificateChainFile option.

As for why this site seems to work for you in Chrome, there are several possible explanations:

  1. Different browsers may use separate certificate stores, and your Chrome may have the GeoTrust SSL CA certificate trusted directly (however, this is unlikely to be the case if the CA intended to use that certificate as intermediate).

  2. Browsers often cache intermediate certificates in their certificate stores, therefore if you previously had visited another site which had the GeoTrust SSL CA intermediate certificate properly configured, you may then be able to access a site which uses the same intermediate certificate, but does not properly send it to clients, without security warnings, because the browser can get the required intermediate certificate from its cache and is able to verify the certificate chain.

  3. The end entity certificate in question contains an HTTP URL which could be used to fetch the intermediate certificate:

        Authority Information Access: 
        OCSP - URI:http://gtssl-ocsp.geotrust.com
        CA Issuers - URI:http://gtssl-aia.geotrust.com/gtssl.crt

    (the CA Issuers link here points to the issuer certificate in the DER format). Some systems may be able to use such links to fetch the intermediate certificate even if it is not returned by the server. According to the Mozilla Bug 399324, Firefox (and other software based on Mozilla) is not currently able to follow such AIA links; however, Internet Explorer is able to use them.

Solution 2:

openssl cannot find the intermediate certificate(s). The fact that whynopadlock.com cannot either suggests they were not installed in the first place, and it works in (some) browsers because they already have the intermediate certificates. The site owner needs to install the intermediate certificates, which can be downloaded from the geotrust.com. Instructions for installation can also be found there.

If it sometimes works and sometimes fails, then the site owner has forgotten to install the intermediate certificates on all servers (or load balancers).

Related

Nginx fastcgi_cache_valid vs fastcgi_cache_path's inactive
Samba: read-only LDAP + additional local users
Unable to Create System DSN
Cannot connect after iptables -F
Virtual vs. Named SQL Instances
Running PowerShell scripts as an Application in MDT 2013
Updating ILO on HP DL380 G7 fails due to firmware version gap
How do I bypass my VPN when making requests to IPs in my local network?
Can internet gateways be plugged straight into a layer 2 switch?
how to configuration dkim on exchange email server
IPTables: allow outgoing SSH
What causes winsock 10055 errors? How should I troubleshoot?