Forum OpenACS Q&A: ssl certs - firefox compatible

Posted by allan regenbaum on
I'm updating an SSL cert on an old ACS 3.4 system. It seems that the newer certs now have an "intermediate" certificate which is required by Firefox, else the cert shows up as invalid. On IE it works fine.

Does anyone have any experience with this? Has anyone used a certificate from godaddy.com on older ACS (or newer ACS) systems that uses this extra intermediate certificate?

Any help is appreciated

Posted by Patrick Giagnocavo on
I think the part you need to add is

ns_param CADir (the full path to the directory you want it to look in for the file)

ns_param CAFile (I give it the full path and filename of the cert bundle)

I also recommend that you set

ns_param Protocol SSLv2

if and only if you experience strange connection errors, or the server appears to lock up after several hours or days of use.

Posted by Torben Brosten on

Entrust distributed an "intermediate" chain certificate with some of their certificates, but stopped doing that this year[1].

The chain certificate is appended to the certificate file, starting on a new line, so certfile.pem would look something like this:

-----BEGIN CERTIFICATE-----
..(series of alphanumeric characters)..
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
..(series of alphanumeric characters)..
-----END CERTIFICATE-----

1. http://www.entrust.net/customer_support/webserver.cfm

Hope that helps,

Posted by allan regenbaum on
I tried to concatenate the files ... in fact GoDaddy sent me a concatenated file which they called their "CA bundle" ... this did not help .... I also added the params suggested to the nsd.tcl but that did not help .... AOLserver reports

Bsafe error 524

..which, from the docs, seems to come from http://quimby.gnus.org/internet-drafts/draft-baldwin-bsafe-00.txt; it seems that this is

"invalid encoding format for input data"

It seems that ACS 3.x / that generation of AOLserver does not support recent changes in cert generation? I spoke to other folks who have also not been successful using certs from GoDaddy.

If anyone has suggestions, it would be appreciated, else I'll need to use a Thawte cert.
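The chain file Torben describes above has to be byte-exact PEM: a marker that is not alone on its line (the usual result of concatenating a file that lacks a trailing newline), CRLF line endings, or trailing whitespace are rejected by strict readers, and "invalid encoding format for input data" is consistent with that kind of framing defect, though whether that is what triggers BSafe error 524 here is an assumption. The script below is an added example, not code from this thread or from AOLserver: it splits a bundle into certificate blocks, checks that each is valid base64 wrapping one complete DER SEQUENCE, reports the framing problems it finds, and rewrites the bundle as strict PEM in the original order (server certificate first, chain after it). The sample bundles are constructed from placeholder DER bytes, not real certificates, and no X.509 parsing is attempted.

```python
"""Lint and normalize a PEM certificate bundle (server cert followed by the
CA's chain/intermediate certs) before handing it to a picky SSL module.
Added example for this thread; stdlib only, no X.509 parsing."""
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.DOTALL)


def _der_sequence_ok(der):
    """True if der is exactly one DER SEQUENCE (tag 0x30) whose encoded length
    matches the bytes present. Every X.509 certificate starts this way."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, body = 2, first
    else:                                  # long form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body == len(der)


def lint_pem_bundle(text):
    """Return (certs, problems). certs: DER bytes of each decodable block in
    file order. problems: findings that strict PEM readers choke on."""
    problems = []
    if "\r" in text:
        problems.append("CRLF line endings (file probably saved on Windows)")
    if not text.endswith("\n"):
        problems.append("no newline at end of file: the next cert appended "
                        "with cat would land on the END line")
    clean = text.replace("\r", "")
    for lineno, line in enumerate(clean.split("\n"), 1):
        stripped = line.strip()
        for marker in (BEGIN, END):
            if marker in stripped and stripped != marker:
                problems.append("line %d: marker not alone on its line: %r"
                                % (lineno, line))
                break
        else:
            if stripped in (BEGIN, END) and line != stripped:
                problems.append("line %d: whitespace around marker" % lineno)
    if clean.count(BEGIN) != clean.count(END):
        problems.append("unbalanced BEGIN/END markers")
    certs, last_end = [], 0
    for i, m in enumerate(_BLOCK.finditer(clean), 1):
        if clean[last_end:m.start()].strip():
            problems.append("block %d: text before the BEGIN marker" % i)
        last_end = m.end()
        body = m.group(1)
        if any(len(l) > 64 for l in body.split("\n")):
            problems.append("block %d: base64 line longer than 64 chars" % i)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append("block %d: body is not valid base64" % i)
            continue
        if not _der_sequence_ok(der):
            problems.append("block %d: not one complete DER SEQUENCE" % i)
        certs.append(der)
    if clean[last_end:].strip():
        problems.append("text after the last END marker")
    if not certs:
        problems.append("no certificate blocks found")
    return certs, problems


def normalize_pem_bundle(text):
    """Rewrite as strict PEM: LF endings, markers alone on their lines,
    64-column base64, nothing else. Order is preserved, so the server
    certificate must already be first with the chain certs after it."""
    certs, _ = lint_pem_bundle(text)
    if len(certs) != text.count(BEGIN):
        raise ValueError("some certificate blocks could not be decoded")
    out = []
    for der in certs:
        b64 = base64.b64encode(der).decode("ascii")
        out.append(BEGIN)
        out.extend(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append(END)
    return "\n".join(out) + "\n"


def _placeholder_der(n_body):
    """Constructed placeholder: a long-form DER SEQUENCE header over n_body
    filler bytes. Not a real certificate; it only exercises the framing checks."""
    return b"\x30\x82" + n_body.to_bytes(2, "big") + bytes(i % 256 for i in range(n_body))


def _pem_block(der, eol="\n"):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [END]
    return eol.join(lines) + eol


SERVER_DER = _placeholder_der(300)   # stands in for the server certificate
CHAIN_DER = _placeholder_der(400)    # stands in for the CA's intermediate cert
GOOD_BUNDLE = _pem_block(SERVER_DER) + _pem_block(CHAIN_DER)
# Constructed "bad" input: what you get by saving the files on Windows and
# appending a chain file to a cert file that has no trailing newline: CRLF
# endings, stray spaces, and the second BEGIN marker fused onto the first END.
BAD_BUNDLE = (_pem_block(SERVER_DER, "\r\n").rstrip("\r\n") + "   "
              + _pem_block(CHAIN_DER, "\r\n"))

if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        certs, problems = lint_pem_bundle(bundle)
        print("%s: %d certs, %d problems" % (name, len(certs), len(problems)))
        for p in problems:
            print("  -", p)
    assert normalize_pem_bundle(BAD_BUNDLE) == GOOD_BUNDLE
```

Run it against the real certfile.pem by reading the file into `lint_pem_bundle`; if it reports problems, write the output of `normalize_pem_bundle` to a new file and point the server at that. The script deliberately does not reorder blocks, because only the operator knows which block is the server certificate and which are the chain.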

Posted by Patrick Giagnocavo on
I have to ask: what version of AOLserver (the web server) are you using, and where did you download it from?

The BSafe error seems to indicate that you are using a very old version, which might not have support for the intermediate certs.

What you can do if you still have problems is to use a proxy program such as Pound or Stunnel to handle the SSL for you, then pass the connection on to AOLserver. This will let you use your AOLserver as installed, but allow you to have support for the latest SSL features.

Posted by Guan Yang on

Allan, try to connect to your server using the following command, and post the output:

openssl s_client -connect hostname:https -crlf

This should display the certificate that's actually presented to the client.