I have a few sites that have SSL Certificates installed. When an SSL request is made with my employer's iPhone, this error message is displayed:
Accept Website Certificate
The certificate for this website is invalid. Tap Accept to connect to this website anyway.
I've pulled up the same pages in other browsers, including Safari, and they do not show any issues with the certs.
These two URLs exhibit the problem:
https://www.powerlunchbunch.com/index.php?template=join&nav=20
https://www.councilonagingmartin.org/index.php?template=donate&nav=257
Additional Information:
Both SSL certs are issued by Network Solutions
The sites are hosted on Rackspace Cloud Sites
Update:
I now have an open ticket with Rackspace for this issue. I browsed the same sites in Firefox 4.0 Beta 7, and got this warning page, telling me that "The certificate is not trusted because no issuer chain was provided.":
I think it's because you (or your hosting company) haven't configured the full certificate chain on your web server.
Take a look at a report from an ssl checker, such as this:
http://www.sslshopper.com/ssl-checker.html#hostname=www.councilonagingmartin.org
...
I can see from this report that you're using Apache2.2. Configuring 'intermediate certificates' on Apache2 goes something like this:
SSLCertificateFile /etc/ssl/crt/yourDOMAINNAME.crt
SSLCertificateKeyFile /etc/ssl/crt/private.key
SSLCertificateChainFile /etc/ssl/crt/chainCert.xxx
I don't know if you configured the certificate yourself, or your hosting company configured it, so you'll either need to contact your hosting company, or the certificate provider, who can provide the intermediate certificate(s).
Hope That Helps
Unfortunately, the Root CA for both those certificates, Network Solutions, L.L.C. is not a trusted certificate authority on the iPhone.
If you look at the certificate chain, it does end up at AddTrust, which is a trusted CA on the iPhone.
So you likely have one of the following problems:
1) Your certificate is not installed correctly on the web server
2) You need to work with Network Solutions (the SSL cert issuer) to get a cert that properly chains to AddTrust.
Related
I am getting ERR_CERT_REVOKED in iPhone while accessing our website which uses a GoDaddy SSL certificate. It works fine on Laptop on all browsers but gives this error on iPhone.
Godaddy is facing an AutoSSL technical issue where they are not able to renew the SSL certificate. Mine has been down for 2 days now and has contacted their support multiple times. No permanent fix as of now.
You can do these steps which can put you in the queue for AutoSSL renewal. They haven't mentioned a timeframe for the resolution of this issue, unfortunately.
Steps:
Go to Cpanel of Hosting
Select SSL/TLS
Select Generate, view, upload, or delete SSL certificates.
Delete all self-signed certificates
Go to Cpanel and select SSL/TLS Status
Select all domains you want to renew and click Run AutoSSL
This will put your domain in the queue for renewal.
God knows when these guys will resolve the issue and renew it though.
Basically our iOS app needs to communicate with a server which has a self signed certificate for now. In my app, the https is failing with untrusted server certificate which is understandable. The error is like this:
Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “my host name here” which could put your confidential information at risk."
So I sent the self signed certificate via email to the iOS device and imported into the profiles and hoping that it would be used as part of root CA for https authentication. To my surprise, it is not and I am still getting the same error. I think that iOS would be default to use root CAs at keychain to validate the server certificate and from what I read, the imported certificate at profiles are at keychain as well. So I could not understand why my imported self signed certificate is not used as root CA.
At this point, I don't really want to trust this self signed certificate via the coding like this iOS authenticate HTTPS with self-signed certificate or In iOS, how to connect to a server using https with self-signed certificate on the server? since this won't work in customer case where they would install our server on their network and they could create their own self signed certificate.
Somehow I didn't really get much information around this from searching. Could anyone shed some lights here and what I need to do to debug this? Thanks very much.
Update on July 15:
More update around this. I also tried to use configuration profile to add a self signed CA to root CA at the iOS device by following Adding Trusted Root Certificate Authorities to iOS , from my testing on 6.0 iPad and iPhone, it doesn't work as well. So not sure if that only works on jail broken device or not. In the end, I end up by allowing user to import a self signed certificate into the app. The app would load such imported certificate for certificate verification similar to this In iOS, how to connect to a server using https with self-signed certificate on the server?. Hope that it would help others in this case.
looking at the first tutorial you linked to you should be able to use that or some more advanced form of that and once you have tested and have it working then all you have to do for a client to create and add their own certificate would be to override/replace the localhost.cer file in the apps folder where the file localhost.cer "or whatever name scheme you use" is located. there are many ways to do this but one could be telling the app a link where the certificate is online for download and once downloaded, then replace.
Any questions I'll try and help further but hopes this helps you in the right direction.
I have this weirdest problem. First off: I'm VERY new to this certificate thingy. I've done a fair amount of searches and reading up though.
The CA Cert that I install into the Trusted Root Certificate
Authorities store in my server automatically get removed/disappeared
as soon as a client web-browser try to connect to a web-site using an
SSL cert created with that CA cert.
DETAILS:
Windows Server 2008 R2 (development server).
I've created my own Certificate Authority Cert; which I use it to generate an SSL server cert (to install on my IIS 7 Server) and a client cert (for use at my local PC to connect to the WCF Webservice on the development server which is set to Require SSL and Require Client Cert).
I installed the CA Cert into the Trusted Root on both Server and local PC.
Installed the SSL server cert into the IIS7 for that particular site and did the https binding to port 443.
As soon as I launch my browser to access that site with HTTPS, the CA
cert in automatically removed on the server (from the Trusted Root
Certificate Authorities store). and my local PC browser will report
an error 403.
This is driving me nuts... anyone knows what is happening?
Apparently, after a lot of running around, it is due to too many of the same certs in many stores.
I open the MMC.exe > Add/Remove SnapIns > Certificates
Notice there are 3 types there (My User Account, Service Account & Computer Account).
Open up My User and Computer Account, go through all the stores for each one and DELETE all of the CA cert with the same name. Then add the CA cert in either My User Account or Computer Account, depending on how you access the certs (in the event of the cert being used programatically, install it in the Computer Account, [Trusted Root Certificate Authorities].
Just 1 place, then the problem will dissappear.
I want to support HTTPS in my web application. Since the certificates from Verisign are costly, I decided to use openssl for generating certificate. Here is the link I referred https://community.jboss.org/wiki/JBossAS7ConfiguringSSLOnJBossWeb
When I tried to access the application in browser I got the error "The site's security certificate is not trusted". Here is the screenshot,
Please let me know how I can solve this error? Is it possible to use openssl in production?
The issue is that your self signed certificate is not 'trusted' by the browser. It does not recognise it as signed by one of the certificate authorities it trust.
You have two options - tell the browser it can trust the certificate or tell the browser that it can trust the entity which issued it (meaning that if you use the same certificate to sign other certificates; that those also get trusted).
See http://googlechrometutorial.com/google-chrome-advanced-settings/Google-chrome-ssl-settings.html for more information. Once you are in 'Manage certificates' you can import your own ones.
Every browser, every users, will have to go through those steps. So that is practical logistical limit on how much 'production' you can run with this.
Do check out the various 'free' certificates; they are very low cost.
MAC SOLUTION: The best way that I've found for manually trusting specific site certificates is to use Safari. See, when you manually trust a certificate in Safari, it requires you to enter your OS X account password. Safari does this because it stores the certificate details in Keychain Access, a system application that manages all vital data you store on your computer.
This is significant because Chrome also communicates with Keychain Access. Once the program has a record of the certificate being trusted by Safari, Chrome will also trust the certificate. You may have to restart the Chrome browser after activating the certificate in Safari to get this to work correctly.
Happy browsing!
I want to install the cacert ssl certificate on a server on which i want to host secure (https) facebook applications .I want to know if facebook allows https server to have cacert certificate to fetch facebook app
Yes. As long as you have a valid browser cert you will be fine. I have specifically used GoDaddy's ca certificate chain with a secure Facebook app with no difficulty.
For the majority of cheap shared hosting environments you don't necessarily need to purchase individual ssl as long as the server has a shared SSL as discussed here.