Message Board

Bugs & Development

Older Posts ]   [ Newer Posts ]
 SSL chain incomplete
Author: D.Dd5   (19 Jun 18 6:11pm)
The SSL chain for https://www.projecthoneypot.org is incomplete. The AlphaSSL CA - SHA256 - G2 intermediate cert should be sent from your server as part of the chain, but it's not being sent currently.

In a browser, that's ok, but for most server applications it causes problems. Can you please add that missing cert to your intermediate chain?

Reference: https://www.ssllabs.com/ssltest/analyze.html?d=www.projecthoneypot.org
 
 Re: SSL chain incomplete
Author: J.Moore40   (20 Jun 18 8:54am)
We've experienced the same issue with the SSL certificate. Below is a curl output:

curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).

Please fix.
 
 Re: SSL chain incomplete
Author: Encino Stan   (20 Jun 18 10:36am)
The path looks valid to me. Do you have GlobalSign Root CA in your Trusted Root Certification Authorities?
 
 Re: SSL chain incomplete
Author: J.Moore40   (22 Jun 18 7:38am)
Hi Encino,

It's the Intermediate certificate which is missing. Causing the incomplete chain and trust issue.

Root is present.

Adding the Intermediate SSL certificate from AlphaSSL will fix the issue:

https://support.globalsign.com/customer/en/portal/articles/1223298-alphassl-intermediate-certificates

Below is the openssl test showing only one SSL certificate is offered at the moment and the corresponding trust issue: (Would expect the site SSL + intermediate, linking to the Root)

openssl s_client -showcerts -connect www.projecthoneypot.org:443
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/CN=*.projecthoneypot.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.projecthoneypot.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.projecthoneypot.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.projecthoneypot.org
i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/CN=*.projecthoneypot.org
issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 2065 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 5FF8A0AB93107312340AB59496E64EA962D32C20070D6C82E8047EC1612C4F5A
Session-ID-ctx:
Master-Key: 4159838348BF6738C9F957F86CB409E317D4484F4DFA1878512810D13C1C4B53F459319B9780A7F7A36E87D8CC60B465
Key-Arg : None
Start Time: 1529667084
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
closed

Hope that helps!

Post Edited (22 Jun 18 7:50am)
 
 Re: SSL chain incomplete
Author: K.Naranek2   (25 Jun 18 12:10am)
https://www.ssllabs.com/ssltest/analyze.html?d=www.projecthoneypot.org

> This server's certificate chain is incomplete. Grade capped to B.



do not follow this link

Privacy Policy | Terms of Use | About Project Honey Pot | FAQ | Cloudflare Site Protection | Contact Us

Copyright © 2004–20, Unspam Technologies, Inc. All rights reserved.

contact | wiki | email