Page MenuHomeMiraheze
Create Task
Maniphest T2687

Incomplete cert chain for PositiveSSL certs
Closed, ResolvedPublic
Actions

Description

Examples: 1, 2

Both are issued by "COMODO RSA Domain Validation Secure Server CA" with organizationalUnitName "PositiveSSL Domain Control Verified" and are generating "Incomplete chain" error according to SSL Labs.

We are sending "COMODO RSA Certification Authority", but not "COMODO RSA Domain Validation Secure Server CA", which is http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt

I think we only have PositiveSSL DV certs ([Citation needed]), so maybe rename Comodo to PositiveSSLDV with the correct CA cert? (There are OV CA, EV, and Comodo ECC CA. What a mess)

Revisions and Commits

rSSL SSL configuration
rSSLf052c183ae3f Replace reviwiki.info.crt and add PositiveSSLDV CA

Related Objects

Event Timeline

revi created this task.Feb 4 2018, 10:50
Herald added subscribers: Southparkfan, PokestarFan, Brynda1231 and 2 others. · View Herald TranscriptFeb 4 2018, 10:50
revi added a comment.Feb 4 2018, 10:54

And verified these two certs are only Comodo certs, using phab.

revi triaged this task as Normal priority.Feb 4 2018, 10:56
Reception123 added a subscriber: John.Feb 4 2018, 10:57

@John any ideas about why there's this incomplete chain error?

revi moved this task from Incoming to TLS on the revi board.Feb 4 2018, 11:41
revi added a comment.Feb 4 2018, 12:18

certificate/reviwiki.info.crt(the old one) has correct leaf and intermediate (hereinafter int.) certificates by LE, and ssllabs correctly recognizes it.

However for certificate/private.revi.wiki.crt, it has correct leaf and int. cert in the repo, but ssllabs is not recognizing the int.

This is really... weird. I'll try bundling int. in CA folder as "PositiveSSLDV" and test it on reviwiki.info (which I have a new cert with same CA)

revi added a commit: rSSLf052c183ae3f: Replace reviwiki.info.crt and add PositiveSSLDV CA.Feb 4 2018, 12:54
revi added a comment.EditedFeb 5 2018, 18:14

This was somewhat blocked by T2691: Puppet errors on servers caused by permission changes on puppet1 (puppet-users), and after it was fixed, I realized it didn’t fix it, I made it worse. (It’s now not sending int.) Will have to rollback to Comodo tomorrow.

Reception123 added a comment.May 2 2018, 08:46

@revi This should be working now?

revi added a comment.May 4 2018, 16:02

Teampaper Snap_2018-05-05 01-00-53@2x.png (302×1 px, 42 KB)

Nope.

Paladox subscribed.May 20 2018, 15:25
revi updated the task description. (Show Details)May 20 2018, 15:41
Paladox added a comment.EditedMay 20 2018, 16:11

Fixed in https://github.com/miraheze/ssl/commit/876969c4fd733156d277eef20f2725bcc8e6e338

We have to add the ca to the cert at the bottom of it.

Paladox added a comment.May 20 2018, 16:20

and also fixed in https://github.com/miraheze/ssl/commit/a2287844856a9b9a4a1db54e89a98c7c85c124c9

John closed this task as Resolved.May 20 2018, 17:05
John assigned this task to Paladox.