
UCC SANS Certificate, still getting browser warnings

We just installed this yesterday. Using Firefox, I'm not getting the self-signed certificate warning, so it's working. However, the lock icon in the address bar has an exclamation point; click it and you get the warning that this site's owner can't be verified. Looking at the cert (as seen by Firefox), most of the information is left blank.

 

I ran an SSL checker on our main Website and it says that there's a "chain issue:" It contains an "anchor." GoDaddy's checker says that there's an "extraneous certificate" in the chain.

 

I've pored over my ssl.conf and can't find where another certificate is being loaded.

 

I use Apache 2.4 on CentOS 7. Thanks!


Re: UCC SANS Certificate, still getting browser warnings

OK, some more info. I've got a self-signed certificate in the chain somewhere. How in the devil do I find this thing and kill it? 🙂

 

[root@crawfordbroadcasting tls]# openssl s_client -showcerts -connect crawfordbroadcasting.com:443    
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain

 

Here's the pertinent section of /etc/httpd/conf.d/ssl.conf:

 

[root@crawfordbroadcasting conf.d]# grep -i certificate ssl.conf
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/crawford.crt
#   If the key is not combined with the certificate, use this
SSLCertificateKeyFile /etc/pki/tls/private/crawford.key
#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle-g2-g1.crt
#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
# SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

Obviously, the self-signed certificate that I experimented with is still being pulled in by Apache for some reason. I need to find it and kill it. If anyone has ideas, let me know. 🙂
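
One way to see which entry in a PEM file is the self-issued one, as an added example that is not part of the original posts: it lists every certificate in a bundle and flags any whose subject and issuer are the same name. The function names are made up for illustration and the sample bundle is generated on the spot, not taken from the poster's server; on a layout like the one above, the files to pass would be the ones named by SSLCertificateFile and SSLCertificateChainFile.

```shell
#!/bin/sh
# Added example (function names are illustrative, not from the post).

# Print "index verdict subject" for every certificate in PEM bundle $1.
# A certificate whose subject and issuer names hash the same is self-issued,
# i.e. a root/anchor that the server has no need to send.
list_chain() {
    bundle=$1
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per PEM certificate block.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", d, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
    i=0
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || break
        i=$((i + 1))
        shash=$(openssl x509 -in "$f" -noout -subject_hash)
        ihash=$(openssl x509 -in "$f" -noout -issuer_hash)
        subj=$(openssl x509 -in "$f" -noout -subject)
        if [ "$shash" = "$ihash" ]; then verdict="SELF-ISSUED"; else verdict="ok"; fi
        printf '%d %s %s\n' "$i" "$verdict" "$subj"
    done
    rm -rf "$tmp"
}

# Constructed sample: an intermediate plus the self-signed root that issued it,
# concatenated into $1/bundle.crt the way a CA bundle file is.
make_constructed_bundle() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/int.crt" 2>/dev/null
    cat "$d/int.crt" "$d/root.crt" > "$d/bundle.crt"
}

# With a file argument, inspect it; with none, run on the constructed bundle.
if [ "$#" -gt 0 ]; then
    list_chain "$1"
else
    work=$(mktemp -d) && make_constructed_bundle "$work" && list_chain "$work/bundle.crt"
    rm -rf "$work"
fi
```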