UCC SANS Certificate, still getting browser warnings
We just installed this yesterday. Using Firefox, I'm not getting the self-signed certificate warning, so it's working. However, the lock icon in the address bar has an exclamation point; click it and you get the warning that this site's owner can't be verified. Looking at the cert (as seen by Firefox), most of the information is left blank.
I ran an SSL checker on our main Website and it says that there's a "chain issue:" It contains an "anchor." GoDaddy's checker says that there's an "extraneous certificate" in the chain.
I've pored over my ssl.conf and can't find where another certificate is being loaded.
Re: UCC SANS Certificate, still getting browser warnings
OK, some more info. I've got a self-signed certificate in the chain somewhere. How in the devil do I find this thing and kill it? 🙂
[root@crawfordbroadcasting tls]# openssl s_client -showcerts -connect crawfordbroadcasting.com:443
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
Here's the pertinent section of /etc/httpd/conf.d/ssl.conf:
[root@crawfordbroadcasting conf.d]# grep -i certificate ssl.conf
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# certificate can be generated using the genkey(1) command.
# If the key is not combined with the certificate, use this
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
Obviously, the self-signed certificate that I experimented with is still being pulled in by Apache for some reason. I need to find it and kill it. If anyone has ideas, let me know. 🙂
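An added example, not part of the original posts: a dependency-free Python check that reports which certificates in a PEM bundle (such as the file an SSLCertificateChainFile directive points at) are self-issued, meaning issuer equals subject, as root CA "anchors" and self-signed test certificates are. It compares names only and verifies no signatures; the sample chain is made of constructed DER skeletons, and every function name here is this example's own.

```python
import base64, re
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw DER bytes of the issuer and subject Names of one certificate."""
    _, p, _ = tlv(der, 0)                   # outer Certificate SEQUENCE
    _, p, _ = tlv(der, p)                   # tbsCertificate SEQUENCE
    fields = []
    while len(fields) < 5:                  # serial, sigAlg, issuer, validity, subject
        tag, _, end = tlv(der, p)
        if tag != 0xA0:                     # skip the optional [0] version field
            fields.append(der[p:end])
        p = end
    return fields[2], fields[4]

def audit_chain(pem):
    """One dict per certificate in a PEM bundle, in file order (leaf first)."""
    names = [issuer_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem)]
    return [{"index": i,
             "self_issued": iss == sub,     # root/anchor or self-signed test cert
             "issued_by_next": i + 1 < len(names) and names[i + 1][1] == iss}
            for i, (iss, sub) in enumerate(names)]

# Constructed sample input: unsigned DER skeletons holding only the fields read above.
def _der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body   # short-form length is enough for the sample
def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03", _der(0x0C, cn.encode()))))
def _pem(issuer, subject):
    tbs = _der(0x30, b"\xa0\x03\x02\x01\x02", b"\x02\x01\x01", _der(0x30),
               _name(issuer), _der(0x30), _name(subject))
    der = _der(0x30, tbs, _der(0x30), b"\x03\x01\x00")
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

SAMPLE_CHAIN = (_pem("Example Issuing CA", "www.example.test")
                + _pem("Example Root CA", "Example Issuing CA")
                + _pem("Example Root CA", "Example Root CA"))

if __name__ == "__main__":
    print(*audit_chain(SAMPLE_CHAIN), sep="\n")
```

To check a real bundle, pass the file's bytes to `audit_chain`; any entry with `self_issued` set is the certificate a chain checker would report as an anchor or extraneous.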