
I had an SSL certificate from StartCom for a year; after that I reissued a new certificate and replaced the files on my apache2 server running Ubuntu. Since then, I can't access my website on mobiles. Unfortunately, iOS doesn't show any errors, just a blank page.

I checked all SSL checkers and they all give me A+. Here's part of my config:

```
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL
SSLCertificateFile /etc/ssl/domain/new/domain.crt
SSLCertificateKeyFile /etc/ssl/domain/new/private.key
# SSLCertificateChainFile /etc/ssl/domain/new/1_root_bundle.crt
SSLCACertificateFile /etc/ssl/domain/new/cer.crt
```

I spent the whole night trying to find a solution, but found nothing. All certificates are valid, including the CA. I tried to enable the chain, but got no results anyway.

By debugging the iOS device using a Mac's Safari, I got this error:

Failed to load resource: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “your.site.com” which could put your confidential information at risk.

Canzone
Spy

1 Answer


StartCom is accepted on iOS, so the problem is in your server.

You have probably misconfigured the certification chain. Configure SSLCertificateChainFile, ensuring 1_root_bundle.crt has the whole certificate chain from the leaf (your cert) to the root (not included). In the case of StartCom I think they have 1 intermediate, so the chain will have two certificates.

The chain is just a concatenation of PEM-encoded certificates. If you open 1_root_bundle.crt you will see a text like ----- BEGIN CERTIFICATE ----- and ----- END CERTIFICATE -----

I am not sure if Apache requires the full chain in the SSLCertificateChainFile attribute or only the intermediates. If you are using Apache 2.4.8, you can include all certs in domain.crt and forget this attribute. See the documentation.

Also remove SSLCACertificateFile.

pedrofb