when the full certificate chain bundle is not properly installed in your server
some certificates appear to be INVALID and report errors like
“Verify return code: 21 (unable to verify the first certificate)”
The PROBLEM
——————————————————————————-
The problem turns out to be that the server isn’t configured to provide the full issuing
certificate chain all the way back to the root SSL certificate. An intermediate certificate
must be installed in your server.
Failure to install “the intermediate certificate” creates problems in both web browsers
and command line ssl programs that do not already contain that intermediate certificate
There are simple fixes for both:
* NGINX
* APACHE SERVERS
Get the Certificate Bundle – GoDaddy
——————————————————————————-
wget https://certs.godaddy.com/repository/gd_bundle.crt -O gd_bundle.crt
Get the Certificate Bundle – InstantSSL
——————————————————————————-
Commodo WARNS – YOU NEED AN UPDATED CERTIFICATE BUNDLE TO USE THEIR CERTIFICATES
Apache users should use the bundle file on the support page instead of
the Comodo and GTE certificate:
If you do not install the bundle file you will receive not trusted messages
when you go to the secure area of your web site.
you can get a list of server bundles to choose from here
…………………………………………………………………
https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=1&pcid=0&nav=0
…………………………………………………………………
The Solution On NGINX
——————————————————————————-
you just need to append the cert bundle onto your existing cert:
$ cd /etc/ssl/certs/
/etc/ssl/certs$ wget https://certs.godaddy.com/repository/gd_bundle.crt
/etc/ssl/certs$ cat gd_bundle.crt >> myssl.crt
http://wiki.nginx.org/NginxHttpSslModule
The Solution On Apache
——————————————————————————-
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/*.serverdensity.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/*.serverdensity.com.key
SSLCertificateChainFile /etc/httpd/ssl/gd_bundle.crt
Checking for the Problem
——————————————————————————-
openssl s_client -showcerts -connect http://www.yourhosthere.com:443
# check the line “Verify return code”:
intermediate certificates may already be installed in these browser versions:
——————————————————————————-
-Internet Explorer 5.01 and higher
-AOL 5 and higher
-Netscape 4.7 and higher
-Opera 7.5 and higher
-Safari on Mac OS X 10.3.4 and higher
-Mozilla (all versions)
-Firefox (all versions)
-Konqueror (all versions
-Palm OS 6.1 and higher (also Treo 650)
-BlackBerry OS 4.1 and higher
-Sony Playstation Portable 2.5 and higher
-Microsoft Windows Mobile 2005 AKU 2 and higher
-Sun Java Runtime (JRE) 1.4.2_07 and higher and 1.5.0_02 and higher
-ACCESS NetFront 3.3 and higher
-Cingular WAP Gateways (any Cingular phone which uses WAP version 1.X for Web browsing)
Checking for the Problem
——————————————————————————-
openssl s_client -showcerts -connect http://www.yourhosthere.com:443
# check the line “Verify return code” against the following list of codes
Certificate Diagnostic Codes (from http://www.openssl.org/docs/apps/verify.html)
——————————————————————————-
0 X509_V_OK: ok
the operation was successful.
2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate
the issuer certificate of a looked up certificate could not be found. This normally means the list of trusted certificates is not complete.
3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL
the CRL of a certificate could not be found.
4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate’s signature
the certificate signature could not be decrypted. This means that the actual signature value could not be determined rather than it not matching the expected value, this is only meaningful for RSA keys.
5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL’s signature
the CRL signature could not be decrypted: this means that the actual signature value could not be determined rather than it not matching the expected value. Unused.
6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key
the public key in the certificate SubjectPublicKeyInfo could not be read.
7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure
the signature of the certificate is invalid.
8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure
the signature of the certificate is invalid.
9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid
the certificate is not yet valid: the notBefore date is after the current time.
10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired
the certificate has expired: that is the notAfter date is before the current time.
11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid
the CRL is not yet valid.
12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired
the CRL has expired.
13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate’s notBefore field
the certificate notBefore field contains an invalid time.
14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate’s notAfter field
the certificate notAfter field contains an invalid time.
15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL’s lastUpdate field
the CRL lastUpdate field contains an invalid time.
16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL’s nextUpdate field
the CRL nextUpdate field contains an invalid time.
17 X509_V_ERR_OUT_OF_MEM: out of memory
an error occurred trying to allocate memory. This should never happen.
18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
the passed certificate is self signed and the same certificate cannot be found in the list of trusted certificates.
19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain
the certificate chain could be built up using the untrusted certificates but the root could not be found locally.
20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.
21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate
no signatures could be verified because the chain contains only one certificate and it is not self signed.
22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long
the certificate chain length is greater than the supplied maximum depth. Unused.
23 X509_V_ERR_CERT_REVOKED: certificate revoked
the certificate has been revoked.
24 X509_V_ERR_INVALID_CA: invalid CA certificate
a CA certificate is invalid. Either it is not a CA or its extensions are not consistent with the supplied purpose.
25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded
the basicConstraints pathlength parameter has been exceeded.
26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose
the supplied certificate cannot be used for the specified purpose.
27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted
the root CA is not marked as trusted for the specified purpose.
28 X509_V_ERR_CERT_REJECTED: certificate rejected
the root CA is marked to reject the specified purpose.
29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch
the current candidate issuer certificate was rejected because its subject name did not match the issuer name of the current certificate. Only displayed when the -issuer_checks option is set.
30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch
the current candidate issuer certificate was rejected because its subject key identifier was present and did not match the authority key identifier current certificate. Only displayed when the -issuer_checks option is set.
31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch
the current candidate issuer certificate was rejected because its issuer name and serial number was present and did not match the authority key identifier of the current certificate. Only displayed when the -issuer_checks option is set.
32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing
the current candidate issuer certificate was rejected because its keyUsage extension does not permit certificate signing.
50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure
an application specific error. Unused.
Podjacker's Blog 