EssentialSSL (Comodo) certificates are not validated on Ubuntu

Bug #1261855 reported by Sorin Sbarnea
Affects                    Status    Importance   Assigned to   Milestone
Curl                       New       Undecided    Unassigned
Ubuntu                     Invalid   Undecided    Unassigned
ca-certificates (Ubuntu)   Invalid   Undecided    Unassigned

Bug Description

I got an SSL certificate from EssentialSSL (intermediate), Comodo (root), and this certificate is not validated by Ubuntu.

I tested with both curl and Python, with the same result: the certificate is not validated.

All major browsers do recognize the certificate as valid.

Test script: https://gist.github.com/ssbarnea/8007689

Add info: http://askubuntu.com/questions/391977/how-to-get-a-ssl-certificate-to-be-verified-in-python

Sorin Sbarnea (ssbarnea)
no longer affects: ca-certificates
Michael Shuler (mshuler) wrote :

I got a muffler for a Ford and it doesn't fit my car..

(year, make, and model would be kind of helpful..)

Sorin Sbarnea (ssbarnea) wrote :

curl -v https://sbarnea.com
curl: (60) SSL certificate problem: unable to get local issuer certificate

python (similar command, via requests):
requests.exceptions.SSLError: [Errno 1] _ssl.c:509: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Sorin Sbarnea (ssbarnea) wrote :

I also added a full log inside the gist.

os: Linux-3.11.0-13-generic-x86_64-with-Ubuntu-13.10-saucy
python 2.7.5+ (default, Sep 19 2013, 13:48:49)
[GCC 4.8.1]
requests: 2.1.0

As a note, EssentialSSL is an intermediate certificate, and I also tried to add the certificate manually into /etc/ssl/certs/ and run `update-ca-certificates`, but this had no effect on any of the tests.

Michael Shuler (mshuler) wrote : Re: [Bug 1261855] Re: EssentialSSL (Comodo) certificates are not validated on Ubuntu

On 12/17/2013 12:42 PM, Sorin Sbârnea wrote:
> As a note, EssentialSSL is an intermediate certificate, and I also tried
> to add the certificate manually into /etc/ssl/certs/ and run
> `update-ca-certificates`, but this had no effect on any of the tests.

You're doing it wrong..

Intermediate certificates are *not* a part of ca-certificates, nor
should they be added; custom local CA root certificates are *not* added
to /etc/ssl/certs, read the documentation for ca-certificates; finally,
the posted askubuntu post is garbage..

The Comodo CA root that signed the EssentialSSL intermediate is already
in ca-certificates (one of these..) and should be linked in
/etc/ssl/certs/ by default:

$ ls /usr/share/ca-certificates/mozilla/Comodo_*
/usr/share/ca-certificates/mozilla/Comodo_AAA_Services_root.crt
/usr/share/ca-certificates/mozilla/Comodo_Secure_Services_root.crt
/usr/share/ca-certificates/mozilla/Comodo_Trusted_Services_root.crt

Next would be to properly set up a web server which includes the
EssentialSSL intermediate certificate to be handed to the client, which
then follows the chain to the trusted root. I assume a similar link was
included with the server certificate:

https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=964

For non-apache web server software, consult your documentation for
proper intermediate certificate chaining.

There are lots of sysadmins using EssentialSSL server certificates with
Debian/Ubuntu client software using various tools like curl and python
able to establish a chain of trust. It first takes setting up the web
service properly.

I sincerely doubt this is an actual bug; it is simply user error.

--
Kind regards,
Michael

Michael Shuler (mshuler) wrote :

https://comodosslstore.com/checksslcertificate.aspx looks like a good
place to test that your certificate is properly installed, along with
your intermediate, as per the install instructions.

My suggestion would be that once the above test passes, *then* test your
custom software/scripts.

--
Kind regards,
Michael

Sorin Sbarnea (ssbarnea) wrote :

Michael, https://comodosslstore.com/checksslcertificate.aspx does not report any issues with the certificate, nor do the browsers.

Still, I manually installed these certificates, and voilà, curl suddenly started to validate the certificate:

wget -q --timestamp -O /usr/local/share/ca-certificates/EssentialSSLCA_2.crt 'https://support.comodo.com/index.php?_m=downloads&_a=downloadfile&downloaditemid=62'
update-ca-certificates

Sorin Sbarnea (ssbarnea) wrote :

Thanks

This report seems to indicate more information
than http://www.sslshopper.com/ssl-checker.html#hostname=sbarnea.com

Yep, I missed adding the intermediate certificate, but for some strange reason the browsers didn't say anything; usually they say it's not trusted.

Sorin Sbarnea (ssbarnea) wrote :

Please close it, I do not see any option for closing it.

Seth Arnold (seth-arnold) wrote :

Hoping I can close after re-assigning...

Changed in ca-certificates (Ubuntu):
status: New → Invalid
affects: python → ubuntu
Changed in ubuntu:
status: New → Invalid
Michael Shuler (mshuler) wrote :

On 12/17/2013 01:54 PM, Sorin Sbârnea wrote:
> Michael, https://comodosslstore.com/checksslcertificate.aspx does
> not report any issues with the certificate, nor do the browsers.

hrm.. Firefox 26 (plain-jane tar install) does not validate your SSL
chain, complaining about the missing issuer certificate.

Do you have an SSLCertificateChainFile config line in Apache with the
bundle in the install KB article? (Or similar for whatever web server
you are running?)

> Still, I manually installed these certificates, and voilà, curl suddenly
> started to validate the certificate:
>
> wget -q --timestamp -O /usr/local/share/ca-certificates/EssentialSSLCA_2.crt 'https://support.comodo.com/index.php?_m=downloads&_a=downloadfile&downloaditemid=62'
> update-ca-certificates

Right, this works as expected. However, you are trusting the
intermediate CA *locally* and not for all users. By the way, this is
the correct way to install local *root* certs, and that intermediate is
not a root. :)

--
Kind regards,
Michael
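As an added example (not part of this thread or of ca-certificates), the shell script below builds a private root, intermediate and leaf certificate with the openssl CLI and then runs the three situations discussed above: the leaf alone against a store holding only the root (the curl failure the reporter saw), the leaf with the intermediate supplied alongside it (the server-side fix Michael describes), and the intermediate added to the local trust store (the reporter's workaround). The CA names and the host www.example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example: private root -> intermediate -> leaf chain via the openssl CLI, then the
# leaf verified three ways. All material is constructed in a temp dir; names are assumptions.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Minimal config: a CA profile for root and intermediate, a server profile for the leaf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# Self-signed root, intermediate signed by the root, leaf signed by the intermediate.
make_chain() (
  cd "$WORK"
  openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Root CA" -keyout root.key -out root.pem 2>/dev/null
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
    -extfile ca.cnf -extensions ca_ext -out inter.pem 2>/dev/null
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 2 \
    -extfile ca.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null
)

# Each check prints openssl's verdict; "|| true" keeps a failed verify from aborting.
# 1) Store holds only the root, server sent only the leaf: the curl error from the thread.
verify_leaf_only()   { openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 || true; }
# 2) Server also hands over the intermediate (the proper server-side fix).
verify_with_chain()  { openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
                         "$WORK/leaf.pem" 2>&1 || true; }
# 3) Intermediate added to the local trust store (the reporter's workaround): passes, but
#    only on machines that carry this extra trust anchor.
verify_local_trust() { cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/store.pem"
                       openssl verify -CAfile "$WORK/store.pem" "$WORK/leaf.pem" 2>&1 || true; }
make_chain
echo "leaf only:   $(verify_leaf_only)"
echo "with chain:  $(verify_with_chain)"
echo "local trust: $(verify_local_trust)"
```

The first check reproduces "unable to get local issuer certificate" (OpenSSL error 20), the same condition curl reported against the real host.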
