[179106] in North American Network Operators' Group
Re: FIXED - Re: Broken SSL cert caused by router?
daemon@ATHENA.MIT.EDU (Michael Brown)
Mon Mar 30 04:44:30 2015
X-Original-To: nanog@nanog.org
Date: Sun, 29 Mar 2015 23:55:50 -0400
From: Michael Brown <michael@supermathie.net>
In-Reply-To: <5518B5DF.2060105@tiedyenetworks.com>
To: Mike <mike-nanog@tiedyenetworks.com>, nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
That's something I suspected at first, but discounted it when you said your laptop also failed at the site.
The first intermediate you installed took care of anything with the newer root certificates installed.
But for your older 10.4 Mac clients (which presumably haven't had a root certificate bundle update in a while) that wasn't enough - the new root needed to be provided since from their perspective it's an intermediate.
M.
Original Message
From: Mike
Sent: Sunday, March 29, 2015 23:29
To: nanog@nanog.org
Subject: Re: FIXED - Re: Broken SSL cert caused by router?
On 03/28/2015 01:50 PM, Matt Palmer wrote:
> On Sat, Mar 28, 2015 at 09:05:38AM -0700, Mike wrote:
>> On 03/27/2015 10:34 AM, Frank Bulk wrote:
>>> Glad you figured that out.
>>>
>>> I've used three SSL evaluation websites to help me with intermediate certificate issues:
>>> https://www.ssllabs.com/ssltest/analyze.html (will show the names and details of the certs, missing or not)
>>> https://www.wormly.com/test_ssl (quick SSL tester, will point out if intermediate certificate is missing)
>>> https://www.digicert.com/help/ (will show a green chain link between certs when they're all there *and* in order)
>> I went back to Frank's list and did some additional testing. I have a
>> different server which was set up the same way as the previous one
>> discussed, and I thought I would use the above tools and see if my problem
>> would have been identified by any of them. I am sorry to report, no, none of
>> these caught the problem either.
> Are you able to share the URL of the misconfigured site? It would be
> interesting to examine exactly what's going on.
>
> - Matt
>
SSLCertificateChainFile /etc/ssl/certs/gd_bundle-g2-g1.crt
I have actually fixed it.
What was going on seems to be this -
I have a new godaddy certificate for *.mydomain.com, and that is what I
installed. However, the certificate chain I supplied was missing some
intermediate godaddy certificate. Originally, it appeared I was missing
'gdig2.crt', and once installed, that fixed some clients including the
ones behind the meraki router. But then there were also some older
clients this did not fix (a macos 10.4 something for example). So I went
back and installed gd_bundle-g2-g1.crt in its place, and that seems to
have finally done it.
I apologize for the diminishing lack of operational content. It just
seems that these ssl tests should be tightened up and perhaps some
additional tools deployed out there to help us less knowledgeable folks
'get it right'.
Mike-
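An added illustration (editor's example, not code from anyone in this thread) of the chain-building point in Michael's reply: a client walks from the leaf through the certificates the server sent until it reaches one of its own trust anchors, so a client with the new root in its bundle is satisfied by the first intermediate alone, while a client with only the old root needs the cross-signed new root served as well. Certificate names and the two trust stores below are constructed, not real CA data; signatures are not modelled, only subject/issuer linkage.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    """Only the fields path building needs; signatures are not modelled."""
    subject: str
    issuer: str

def builds_chain(sent: list, trust_store: list) -> Optional[list]:
    """Walk from the leaf (sent[0]) through the certificates the server sent
    until an issuer is one of the client's trust anchors.
    Returns the path used, or None if the client cannot reach an anchor."""
    anchors = {c.subject for c in trust_store}
    by_subject = {c.subject: c for c in sent[1:]}
    path = [sent[0]]
    while path[-1].issuer not in anchors:
        nxt = by_subject.get(path[-1].issuer)
        # Dead end: issuer was not sent, or we looped on a self-signed root
        # the client does not trust (serving your own root never helps).
        if nxt is None or nxt in path:
            return None
        path.append(nxt)
    return path

def in_issuer_order(sent: list) -> bool:
    """The chain file must list each certificate before its issuer."""
    return all(a.issuer == b.subject for a, b in zip(sent, sent[1:]))

# Constructed hierarchy (illustrative names, not real CA names):
LEAF          = Cert("*.example.com", "Intermediate G2")
GDIG2         = Cert("Intermediate G2", "Root G2")   # the first intermediate
ROOT_G2_CROSS = Cert("Root G2", "Root G1")           # new root, cross-signed by the old root
NEW_STORE = [Cert("Root G2", "Root G2"), Cert("Root G1", "Root G1")]  # updated bundle
OLD_STORE = [Cert("Root G1", "Root G1")]                             # stale bundle, old root only

if __name__ == "__main__":
    for label, chain in [("leaf only", [LEAF]),
                         ("leaf + gdig2", [LEAF, GDIG2]),
                         ("leaf + g2-g1 bundle", [LEAF, GDIG2, ROOT_G2_CROSS])]:
        for store_name, store in [("new client", NEW_STORE), ("old client", OLD_STORE)]:
            path = builds_chain(chain, store)
            print(f"{label:20} {store_name}:", "OK" if path else "FAIL",
                  [c.subject for c in path] if path else "no path to a trust anchor")
```

Run it and the "leaf + gdig2" row fails only for the old client, which is exactly the symptom Mike saw with the 10.4 Mac; an online checker that only validates against a current root bundle will never show that failure.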