Comodo PositiveSSL Firefox

Comodo PositiveSSL setup problem.

I’ve read a lot of forums and the Comodo instructions over and over, but I can’t get Firefox to accept my SSL certificate. I keep getting (Error code: sec_error_unknown_issuer). Chrome and IE8 work fine, but Firefox and the Chrome mobile browser just don’t like it. I’m pretty sure it has something to do with the ca.bundle and that I’m just setting something up wrong.

Here’s what I’m working with:

  • Ubuntu / Apache server

  • Comodo PositiveSSL

      • AddTrustExternalCARoot.crt

      • domain_com.crt

      • PositiveSSLCA.crt

      • UTNAddTrustServerCA.crt

    SSLEngine on
    SSLCACertificatePath /etc/apache2/sslcerts/
    SSLCertificateKeyFile /etc/apache2/sslcerts/domain.key
    SSLCertificateFile /etc/apache2/sslcerts/domain.crt
    SSLCertificateChainFile /etc/apache2/sslcerts/domain.ca-bundle

What exactly should be in the domain.ca-bundle and in what order? I’ve tried so many different combinations of the order in the domain.ca-bundle, but no luck. I keep reading about the intermediate/chain certificate and that it must be missing or I just don’t have it set up properly. Any help would be greatly appreciated, thanks!

6 Replies

Maybe you disabled their CA certificate in Firefox back when they had that security incident a couple years ago?

The sslcertificatechain file needs to be the Comodo intermediate certificate, not the root CA. Looking at your post, it might be that you are referencing the root CA, not the chain certificate.

Update: I was issued a new certificate from Comodo support. The email I received from Comodo had a domain.ca-bundle file and a domain.crt file. Inside the domain.ca-bundle file it appears to have the PositiveSSLCA.crt stacked on top of the UTNAddTrustServerCA.crt. I believe those are the intermediate certificates. Unfortunately, every SSL checker that I use still says there is an issue with the certificate chain, so I'm still plugging away at trying to find the correct solution.

It still sounds like you're not referencing the correct chain certificate. If you can provide your hostname, I can test and provide you with what you need to do. Quite often you need to put the 3 certificates into one file, i.e. the server certificate file.

UPDATE: Good news, I got it working! Bad news, not entirely sure why. I copied a .ca-bundle from another one of my domains (don't know why I didn't think of this sooner…) that also uses a Comodo PositiveSSL certificate and it worked. I had been creating the .ca-bundle inside of Notepad then pasting it into the file through PuTTY, so I suspect it was a formatting issue (maybe a trailing space or something, I have no clue). After I pasted it in I'd go back through the file and fix the formatting, but something still must not have been correct. Has anyone had this happen to them? Any suggestions on how I might have prevented this to begin with?

For anyone with a Comodo PositiveSSL certificate the .ca-bundle in order from top to bottom that is working for me is: AddTrustExternalCARoot.crt, UTNAddTrustServerCA.crt, PositiveSSLCA.crt

I can't help with the certificate question, but you're correct that formatting may have gotten munged in the cut-and-paste process. Use SCP to copy files between your home system and your Linode. PuTTY comes with pscp, which works fine. Graphical file transfer client options for Windows include WinSCP and Filezilla.
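The formatting damage suspected in this thread (a bundle typed in Notepad and pasted through PuTTY) can be checked mechanically before Apache is reloaded. The following is an added example, not code from any poster or from Comodo: a format-only lint for a PEM bundle. `lint_bundle`, `make_pem` and the two sample bundles are constructed for illustration, and the check does not verify chain order or signatures.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def lint_bundle(data: bytes):
    """Return (block_count, problems) for a PEM bundle read as raw bytes."""
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte order mark at start of file")
        data = data[3:]
    if b"\r" in data:
        problems.append("CR characters present (Windows line endings)")
    count, body = 0, None  # body is a list only while inside a block
    for n, raw in enumerate(data.decode("ascii", "replace").split("\n"), 1):
        line = raw.rstrip("\r")
        if line != line.strip():
            problems.append(f"line {n}: leading or trailing whitespace")
            line = line.strip()
        if line == BEGIN and body is None:
            body = []
        elif line == END and body is not None:
            try:
                base64.b64decode("".join(body), validate=True)
                count += 1
            except ValueError:
                problems.append(f"line {n}: block body is not valid base64")
            body = None
        elif body is not None and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", line):
            body.append(line)
        elif line or body is not None:
            problems.append(f"line {n}: unexpected line: {line!r}")
    if body is not None:
        problems.append("file ends inside an unterminated block")
    return count, problems

def make_pem(payload: bytes) -> bytes:
    """Wrap placeholder bytes as a PEM block (constructed, not a real cert)."""
    b64 = base64.b64encode(payload).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("\n".join([BEGIN, *rows, END]) + "\n").encode()

# Constructed samples: two placeholder blocks, then the same bundle with CRLF
# line endings and a trailing space on the first line.
CLEAN = make_pem(b"A" * 90) + make_pem(b"B" * 90)
MUNGED = CLEAN.replace(b"\n", b"\r\n").replace(b"-----\r", b"----- \r", 1)

if __name__ == "__main__":
    print(lint_bundle(CLEAN), lint_bundle(MUNGED), sep="\n")
```

To lint a real file, pass its raw bytes, for example the contents of the domain.ca-bundle opened in binary mode.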
