Wednesday, December 9, 2015

StartSSL and Fixed Red Android Chrome Padlock Issue (Cert Chain Problem)

StartSSL Certs get Green Padlock on Desktop Chrome but Red Padlock on Android Chrome?


If you see the image on the left, you may be able to turn it green.

[Before / After screenshots of the Android Chrome padlock]




Explanation and Fix

It seems that a link in the certificate chain (the intermediate CA certificate) is not present in the certificate which StartSSL gives you.  This is not at all obvious.

The site explains how to fix your certificate by creating a new certificate which incorporates the missing link in the chain.

Their instructions seem oriented towards nginx web servers, but really they are not server-specific at all; just follow the instructions.

Instructions for fixup here:  https://www.startssl.com/?app=42



Start-to-Finish Instructions to create SSL Cert

Here are the notes I've taken for myself about a start-to-finish creation of an SSL cert using StartSSL.  Obviously I've glossed over the details of using their site.

 
Step 1) SSL Key Gen (do this yourself)
--------------------------------------

> openssl genrsa -des3 -out server.key 2048
> openssl req -new -key server.key -out server.csr
> cp server.key server.key.org
> openssl rsa -in server.key.org -out server.key


Step 2) Start SSL (use their site)
----------------------------------

Go through loads of confusing steps which ultimately lead to you getting a server.crt after giving them the contents of your server.csr (signing request).



At this point you have server.crt and server.key.
These together are sufficient for:
- SSL to work on both Desktop and Android
- a Green padlock on Desktop
- but only a Red padlock on Android


The next step changes the Android Red padlock to Green.



Step 3) Create actual final cert with full Certificate Chain
------------------------------------------------------------

https://www.startssl.com/?app=42 has instructions, summarized here.  Make sure you read the site and confirm that you need the exact file I mention below; not everyone will.

In short, download the intermediate cert from their site and combine it with server.crt into a single file, which is then used exactly the same way as server.crt (but now works on Android).

Specifically:

> wget http://www.startssl.com/certs/sub.class1.server.ca.pem
> cat server.crt sub.class1.server.ca.pem > unified.crt

So the cert to use is unified.crt and the key is server.key.



Resources

I was led to solution from here: http://stackoverflow.com/questions/13862908/ssl-certificate-is-not-trusted-on-mobile-only

Analysis confirms chain issue: https://www.ssllabs.com/ssltest/analyze.html

This image is what I saw with the above analysis site, confirming the missing chain data in my cert, which turned out to be the problem.




