Friday, February 27, 2015

Why you don't trust me foxy browser?

I'm looking on my blog counters and realize how lucky I'm. Recently I've found a small configuration issue in my Apache 2.4 SSL configuration. It may not affect you at all especially you have one hoop  trust chain between you and your CA. But if stars have lined up in a bad way after system re-confguration you get this:

It means you have more then one  certificates in the trust chain, so  Firefox can't build it by hjmself. There is no information about trusted certificates. Normally it means HTTP server doesn't present the full chain  but certificate and issuer information.
It's very easy to fix:
Get all your CA certificates in PEM format. Concatenate them  into  single file. Do not forget to put them in proper order. If you have chain like this:

server-cert.pem → sub-ca2-cert.pem → sub-ca1-cert.pem → root-ca.pem

then you should build your file as:

# cat sub-ca2-cert.pem cub-ca1-cert.pem root-ca.pem >/etc/httpd/conf/ssl.certs/ca-certs-chain.pem

Open your SSL Enabled site definition and put another command to the configuration

SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca-certs-chain.pem

Save configuration files.

It's right time to notice - you may have as many chains as you need and maintain two virtual sites with non-matching trust chains, just put them into right place. Check configuration syntax 

#/usr/local/apache2/bin/apachectl -t

Syntax is Ok.

With OHS severs you have no choice - full stop and start. It is fast, but it means service break. With Apache you have a neat option - graceful restart.

#/usr/local/apache2/bin/apachectl -k graceful 

 After a while all sessions will use new configuration.

Will Firefox trust you after? It depends on CA issuer notoriety, at least now you present all your credentials.

No comments: