StartSSL certificates are no longer trusted by several major browsers, and the CA will probably lose all credibility and disappear from the market completely. In its place we have seen Let’s Encrypt’s growth explode over the last 18 months. This post will cover some background and how to set up Let’s Encrypt on your Amazon EC2 Apache-based server.
Phone browsers ship with fewer trusted root certificates than many desktop browsers, and they are less forgiving about a missing intermediate. A desktop browser will often paper over the gap, either by fetching the intermediate from the URL embedded in your certificate or by reusing one it cached from another site; many mobile clients do neither. So your https site can look fine on the desktop but fail on mobile devices with errors like “unable to verify the identity of the server” and others along those lines. The cause is that the certificate chain cannot be verified. It does not matter which supplier of SSL certificates you use: they all chain up to a handful of root certificates that are shipped with browsers and operating systems as trusted certificates.
Many certificate resellers issue from intermediate CAs further down that chain than others, so there are more links between your certificate and the trusted root. If the chain cannot be traced back to a trusted certificate, the warnings will show up. That does not affect the actual encryption of your website (a self-signed certificate still encrypts the traffic), but it does defeat authentication: a client that cannot build the chain has no way to tell your server from a man in the middle, which is exactly why it warns. Visitors will read it either as a security risk or as plain low quality.
In this example I have set up a website on an Apache server with a certificate bought from GoDaddy. I have not installed the intermediate certificate. Any desktop browser can follow the chain, since it has a different set of trusted certificates (and fills in the intermediate itself), but iPhone or Android devices cannot, since they do not have this certificate. There is a hole in the chain between our website certificate and the trusted root that the device has. By plugging that hole with the intermediate certificate that our certificate references, and which in turn references the trusted root the device has, we complete the chain and get rid of the problem.
As mentioned above, this example uses an Apache web server running on Linux and a GoDaddy certificate. The procedure will differ with other web servers and certificate suppliers, but the principle is the same: when your certificate is delivered, always check whether intermediate certificates are included.
In the zip file that your GoDaddy certificate comes in there is a file named gd_bundle-g2-g1.crt. This is the intermediate CA certificate that signed your website certificate; it sits between your certificate and the trusted root higher up in the chain.
On my Apache server I open the file /etc/httpd/conf.d/vhost.conf:
<VirtualHost 172.30.31.95:80>
    ServerAdmin firstname.lastname@example.org
    DocumentRoot /var/www/html/somesite.com
    ServerName www.somesite.com
    ServerAlias somesite.com
    ErrorLog logs/somesite.com-error_log
    CustomLog logs/somesite.com-access_log common
</VirtualHost>

<VirtualHost 172.30.31.95:443>
    ServerAdmin email@example.com
    DocumentRoot /var/www/html/somesite.com
    ServerName www.somesite.com
    ServerAlias somesite.com
    ErrorLog logs/somesite.com_ssl-error_log
    CustomLog logs/somesite.com_ssl-access_log common
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/somesite.com.pem
    SSLCertificateKeyFile /etc/pki/tls/certs/somesite.com.key
</VirtualHost>
As you can see there are two virtual hosts: standard port 80 for http and port 443 for https. The 443 host has the certificate and its private key configured, but no chain. Upload the intermediate certificate to the server and copy it into the same folder (/etc/pki/tls/certs) as the other certificate files. Apache reads certificate and key files as root while it starts, before it drops privileges, so they only need to be readable by root; the web server’s own user or group must not be given access to the private key, and it should stay mode 600.
sudo chown root:root /etc/pki/tls/certs/gd_bundle-g2-g1.crt
sudo chmod 644 /etc/pki/tls/certs/gd_bundle-g2-g1.crt
sudo chmod 600 /etc/pki/tls/certs/somesite.com.key
Then add the bundle file to the SSL config in vhost.conf by adding this line just below the SSLCertificateKeyFile line:
    SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle-g2-g1.crt
On Apache 2.4.8 and later SSLCertificateChainFile is deprecated; there you instead append the bundle to the file named by SSLCertificateFile, site certificate first and intermediate after it. Check the syntax with apachectl configtest, then restart Apache:
sudo service httpd restart
Now the server sends the intermediate certificate along with the site certificate, mobile devices can complete the chain as well, and the error/warning is gone!
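The two things worth seeing end to end are the "hole in the chain" described at the start of the post and the checks to run on a bundle before it goes into vhost.conf. The script below is an added example, not code from the original post or from GoDaddy: it builds a throwaway root, intermediate and site certificate with the openssl command line (1.1.1 or later assumed), reproduces the mobile failure by verifying the leaf against the root alone, fixes it by supplying the intermediate, and then runs the checks you would apply to a real gd_bundle-g2-g1.crt. "Example Root CA", "Example Intermediate CA" and www.somesite.com are made-up names for this lab.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway three-level CA built
# with openssl to reproduce the missing-intermediate failure offline, plus the
# checks to run on a real bundle before wiring it into Apache. All names here
# are invented for the lab; requires openssl 1.1.1 or later on PATH.
set -eu

LAB=$(mktemp -d)
cd "$LAB"

# Extensions for the two CA certificates and for the site certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.somesite.com\n' > leaf.ext

# 1. Root CA, self-signed. Stands in for the root that ships in the phone's
#    trust store; nothing below is trusted unless it chains up to this.
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 \
  -extfile ca.ext -out root.crt 2>/dev/null

# 2. Intermediate CA signed by the root. Stands in for the CA in the GoDaddy
#    bundle: the phone does not have it, so the site has to serve it.
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out int.crt 2>/dev/null

# 3. Site certificate signed by the intermediate (the leaf Apache serves).
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.somesite.com" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 365 -extfile leaf.ext -out leaf.crt 2>/dev/null
chmod 600 leaf.key

# A client that trusts only the root and receives only the leaf. This is the
# mobile failure: "unable to get local issuer certificate", non-zero exit.
verify_without_intermediate() {
  openssl verify -CAfile root.crt leaf.crt
}

# The same client once the server also sends the intermediate, which is what
# SSLCertificateChainFile (or a leaf+chain SSLCertificateFile on 2.4.8+) does.
# -untrusted is exactly the role of the bundle: usable for path building,
# but not itself a trust anchor.
verify_with_intermediate() {
  openssl verify -CAfile root.crt -untrusted int.crt \
    -verify_hostname www.somesite.com leaf.crt
}

# Before installing a bundle, confirm it really is the issuer of your
# certificate: the leaf's issuer hash must equal the bundle cert's subject hash.
bundle_is_issuer() {
  [ "$(openssl x509 -noout -issuer_hash -in "$1")" = \
    "$(openssl x509 -noout -subject_hash -in "$2")" ]
}

# Number of PEM certificates in a file. The leaf+chain file that Apache 2.4.8+
# accepts in SSLCertificateFile must list the site certificate first.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Private keys must not be group- or world-readable; httpd reads them as root
# at startup, so nothing else needs access.
key_is_private() {
  [ -z "$(find "$1" \( -perm -g+r -o -perm -o+r \) -print)" ]
}

# Build the 2.4.8+ style file: leaf first, then the intermediate.
cat leaf.crt int.crt > fullchain.pem

if verify_without_intermediate >/dev/null 2>&1; then
  echo "unexpected: leaf verified without the intermediate"
else
  echo "leaf alone: chain broken (what the phone sees)"
fi
verify_with_intermediate >/dev/null && echo "leaf + intermediate: chain OK"
bundle_is_issuer leaf.crt int.crt && echo "int.crt is the issuer of leaf.crt"
bundle_is_issuer leaf.crt root.crt || echo "root.crt is not the direct issuer"
key_is_private leaf.key && echo "leaf.key is readable by its owner only"
echo "fullchain.pem carries $(cert_count fullchain.pem) certificates"
```

On a live server the equivalent of the first check is `openssl s_client -connect www.somesite.com:443 -servername www.somesite.com -showcerts`, which prints every certificate the server actually sends; if only one comes back, the intermediate is not being served. Run `bundle_is_issuer somesite.com.pem gd_bundle-g2-g1.crt` against the real files before editing vhost.conf, since a bundle from the wrong CA generation will not close the gap.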