Message Board

Bugs & Development

Older Posts ]   [ Newer Posts ]
 SSL chain incomplete
Author: D.Dd5   (19 Jun 18 6:11pm)
The SSL chain for https://www.projecthoneypot.org is incomplete. The AlphaSSL CA - SHA256 - G2 intermediate cert should be sent from your server as part of the chain, but it's not being sent currently.

In a browser, that's ok, but for most server applications it causes problems. Can you please add that missing cert to your intermediate chain?

Reference: https://www.ssllabs.com/ssltest/analyze.html?d=www.projecthoneypot.org
 
 Re: SSL chain incomplete
Author: J.Moore40   (20 Jun 18 8:54am)
We've experienced the same issue with the SSL certificate. Below is a curl output:

curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).

Please fix.
 
 Re: SSL chain incomplete
Author: Encino Stan   (20 Jun 18 10:36am)
The path looks valid to me. Do you have GlobalSign Root CA in your Trusted Root Certification Authorities?
 
 Re: SSL chain incomplete
Author: J.Moore40   (22 Jun 18 7:38am)
Hi Encino,

It's the Intermediate certificate which is missing. Causing the incomplete chain and trust issue.

Root is present.

Adding the Intermediate SSL certificate from AlphaSSL will fix the issue:

https://support.globalsign.com/customer/en/portal/articles/1223298-alphassl-intermediate-certificates

Below is the openssl test showing only one SSL certificate is offered at the moment and the corresponding trust issue: (Would expect the site SSL + intermediate, linking to the Root)

openssl s_client -showcerts -connect www.projecthoneypot.org:443
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/CN=*.projecthoneypot.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.projecthoneypot.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.projecthoneypot.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.projecthoneypot.org
i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/CN=*.projecthoneypot.org
issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 2065 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 5FF8A0AB93107312340AB59496E64EA962D32C20070D6C82E8047EC1612C4F5A
Session-ID-ctx:
Master-Key: 4159838348BF6738C9F957F86CB409E317D4484F4DFA1878512810D13C1C4B53F459319B9780A7F7A36E87D8CC60B465
Key-Arg : None
Start Time: 1529667084
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
closed

Hope that helps!

Post Edited (22 Jun 18 7:50am)
 
 Re: SSL chain incomplete
Author: K.Naranek2   (25 Jun 18 12:10am)
https://www.ssllabs.com/ssltest/analyze.html?d=www.projecthoneypot.org

> This server's certificate chain is incomplete. Grade capped to B.



You may browse the discussion topics, but you must sign in to post. If you do not have an account, you can create one for free.

do not follow this link

Privacy Policy | Terms of Use | About Project Honey Pot | FAQ | Cloudflare Site Protection | Contact Us

Copyright © 2004–25, Unspam Technologies, Inc. All rights reserved.

contact | wiki | email