SSL cert issues with mobile devices

musicdenotation · April 6, 2015, 9:24pm

I have an issue with my SSL certificate on some mobile devices, e.g.
Safari on iPhone and Firefox on Android. Everything seems to be fine
with desktop browsers as well as some mobile browsers (works fine on
Chrome on Android).

According to ssllabs.com the issue is with the Certificate Chain and/or
the Certification Path:

This server’s certificate chain is incomplete. Grade capped to B.

Certificates provided 1 (1331 bytes)
Chain issues Incomplete

Certification Paths
Path #1: Trusted
1 Sent by server www.mydomainname.com
RSA 2048 bits (e 65537) / SHA256withRSA
2 Extra download Go Daddy Secure Certificate Authority - G2
RSA 2048 bits (e 65537) / SHA256withRSA
3 In trust store Go Daddy Root Certificate Authority - G2
Self-signed
RSA 2048 bits (e 65537) / SHA256withRSA

Here are my ssl settings:

server {

### other settings ommited

listen                      localhost.mydomainname:443  ssl;

ssl_certificate_key

C:/ssl-certificates/mydomainname.key; ## may be stored in
certificate file (i.e. .pem)
ssl_certificate
C:/ssl-certificates/mydomainname.crt; ## .crt or .pem

ssl_trusted_certificate     C:/ssl-certificates/gd_bundle-g2-g1.crt;

ssl_stapling                on;
ssl_stapling_verify         on;

keepalive_timeout           70;                     ## minimize ssl

handshake overhead
ssl_session_timeout 5m;

ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;  ## removes SSLv3

which is on by default and is vulnerable to POODLE attacks
ssl_prefer_server_ciphers on;
}

How can I fix this?

TIA!

–

Igal Sapir
Lucee Core Developer
Lucee.org http://lucee.org/

Igal_S_Lucee.org · April 6, 2015, 9:33pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 04/06/15 12:23, Igal @ Lucee.org wrote:

Certificates provided 1 (1331 bytes) Chain issues Incomplete
[…]
ssl_certificate C:/ssl-certificates/mydomainname.crt; ## .crt
or .pem

You need to get a copy of your intermediate certificate authority’s
certificate (in your case, that Go Daddy Secure Certificate Authority

- G2 or probably https://certs.godaddy.com/repository/gdig2.crt, check
  Repository to make sure) and concatnate it
  at the end of your mydomainname.crt.

This way you are presenting a chain of certificate (your certificate,
then intermediate certificate that have signed your certificate; you
don’t need to include the root certificate as it’s a waste of
bandwidth) to the client.

Cheers,

Xin LI [email protected] https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)

iQIcBAEBCgAGBQJVIt9cAAoJEJW2GBstM+nsXBoP/3QrCKtBezAh51tym2BeVyRA
eShkpqu8Sfh+hzXJZYuLd/1l/IIW8H40LU8bdrXcuyZ6RUl/damrlb2z7qx7PXAU
MRBb2YF7ohicdzwzcpMDSnpx+573WeSdDE6s9Ne/EPbotHr8meHv+L83O3qR+D9u
b4kfhasvhRYz1rUgGXj/66h1S1ExTu1Pp9MJJfxZ1e/2l3TNkJLRE4A8flUy2rq4
rXzjiWupoyBWXtNem8t0o3Caag+7W6bvj9k8EqNDA87G575o8p4QuEt/ImoC82Bi
ZHtcM9fGt5m6120DX7eTjfEcaaM9xfqACLrhtuBEQs4u1EPAZ1CwBkF2ONfW+sWZ
qyZtjfVlvkiF4hWi0N2vAW9apsFGT6MA2cv4bBO7EQAjmTmJdZt3oV6VCzOdM8AZ
cBbsm+jlc0LmGc2OWP59G+8loJYmI4dRPDkHB34TphavjrAfilewlEoLh3xNBT9b
pkMU7R1Xa1DOxL5+xPhfJlFEHLQEzFc9T0e1BXtNVNw0WZrpRzRRMjVJKp1ei3Mf
AyCoWUK2fIK7ZFMNCFu94G4S8KGhn092HqtjJKj/0ps9kTW5oPBdxf5WfFJvfEQy
HU08D7MIDdBBMZEZxHGx9zMUvRU6Ip6Iu4puiq/0/mzr4LwKJMfEiFtpL9wlSRpm
D599/YGgDOC/An2bAx89
=ItVn
-----END PGP SIGNATURE-----

Igal_S_Lucee.org · April 6, 2015, 10:39pm

Thank you Xin!

I appended gdig2.crt to my domain’s certificate, and commented out the
ssl_trusted_certificate and the ssl_stapling directives, and it did the
trick.

Many thanks,

Igal Sapir
Lucee Core Developer
Lucee.org http://lucee.org/