Is this SSL certificate chain broken and how to fix it?

certificate https ssl ssl-certificate certificate-authority

For the SSL cert on the domain example.com, some tests tell me that the chain is incomplete and since Firefox keeps its own certificate store, it might fail on Mozilla (1, 2, 3). Others tell me it is fine, as does Firefox 36, which tells me that the cert chain is fine.

UPDATE: I tested on Opera, Safari, Chrome and IE on both Windows XP and MacOS X Snow Leopard, they all work fine. It only fails on Firefox < 36 on both OSes. I dont have access to test on Linux, but for this website it is less than 1% of visitors, and most are probably bots. So, this answers the original questions "does this setup bring up warnings in Mozilla Firefox or not" and "Is this SSL certificate chain broken or not?".

Therefore, the question is how do I find out which certs do I need to place in the ssl.ca file so they can be served by Apache to keep Firefox < 36 from choking?

PS: As a side note, the Firefox 36 I used to test the cert was a brand new install. There is no chance it didn't complain because it had downloaded an intermediate cert during a previous visit to a site that uses the same chain.


If the chain is sufficient depends on the CA store of the client. It looks like Firefox and Google Chrome have included the certificate for "COMODO RSA Certification Authority" end of 2014. For Internet Explorer it probably depends on the underlying OS. The CA might not yet be included in trust stores used by non-browsers, i.e. crawlers, mobile applications etc.

In any case the chain is not fully correct, as can be seen from the SSLLabs report:

  • One trust path needs that the new CA is trusted by the browser. In this case you still ship the new CA which is wrong, because trusted CAs must be built-in and not contained in the chain.
  • The other trust path is incomplete, i.e. it needs an extra download. Some browsers like Google Chrome do this download, while others browsers and non-browsers expect all necessary certificates to be contained inside the shipped chain. Thus most browsers and applications which do not have the new CA built-in will fail with this site.

I contacted Comodo and downloaded a bundle.crt file from them. I renamed it to ssl.ca, as per this server's setup, and now the cert passes all tests. The Chain issues = Contains anchor notice isn't a problem (see below).

SSL Labs, widely regarded as the most complete test, now shows Chain issues = Contains anchor, whereas before it used to show Chain issues = None (while the others showed a problem with the chain). This is really a non-issue (1, 2), aside from an extra 1kB the server sends to the client.

My conclusion

  1. Ignore the SSL Labs test where it says Chain issues = Contains anchor OR remove the root cert from the bundle file (see this comment below).

  2. Always run a secondary test on at least one of the other three test sites (1, 2, 3) to ensure your chain is really okay when SSL Labs says Chain issues = None.

Related

Can I use nginx environment variables within static files that nginx serves?
Systemd timer not starting its service unit
What happens to code sign certificates when when root CA expires?
SSH logs i dont understand: maximum authentication attempts exceeded
netstat tips and tricks
Scrollback not working in terminal window (ssh session)
TortoiseSVN missing file in update
Will Active Directory Allow You to Add Two Computers of the Same Name?
Which AD permission is required to allow impersonation of an account?
Backing up qcow2 kvm guests
How to determine disc spindown time
FTP doesn't allow /usr/sbin/nologin user