Nginx – Some users receive untrusted SSL certificate warnings

nginxssl-certificate

I've been getting reports of users visiting our site getting "this certificate is not trusted" errors when visiting our site via https. I don't seem to ever have any problems, but two separate people on my team have gotten this error randomly when they're on a different wifi network other than the one at our office. They don't have the same problem at the office.

I read up on intermediate certificates but this seems to be just a browser thing, not a network related issue.

I have an SSL cert from GoDaddy, it's on a Rails app running on nginx + unicorn.

Does anyone have any other ideas why this might happen? I'm pretty stumped.

I do get the below (redacted) when running openssl s_client -connect $hostname:443.

CONNECTED(00000003) depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority verify error:num=19:self signed certificate in certificate chain verify return:0

Best Answer

This issue is related to adding the entire certificate chain -- for me, I needed to concatenate a gd_bundle.crt file into my distributed certificate and re-upload it to the server. I was able to verify that it worked by using an online SSL checker.

Related Solutions

SSL Error: self signed certificate in certificate chain

You don't need the root certificate in the chain (though I don't believe having it hurts anything).

That error is more of a warning from openssl in this case I think. I believe what it means is just that openssl doesn't know that it should trust the root certificate of that chain. If you pull out just the root certificate from that bundle and point that openssl command at it with the -CAfile argument I expect that "error" should go away.

Inside the sf_bundle.crt file you should see two

-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----

blocks (possibly with plain text above each block showing what certificate the block contains). If you split each of those blocks into its own file so you end up with block1.crt and block2.crt you should be able to run openssl x509 -noout -subject -in <file.crt> on each of them to get their respective certificate subject lines.

Assuming that block2.crt has a subject line of /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority you should then be able to run openssl s_client -CAfile block2.crt -connect imap.domain.ltd:465 and that should, hopefully, connect without giving you the self-signed certificate error.

Understanding the output of openssl s_client

The answer (as explained in this security.SE post) is that the two GeoTrust Global CA certificate you see in the chain are in fact not the same certificate, one is derived from the other.

Because of CA Cross-signing!

When the GeoTrust Global CA certificate was first created and signed, no computer/browsers/applications would have had it in their trust store.

By having another CA (with a pre-existing reputation and distribution) sign the GeoTrust root CA cert, the resulting certificate (referred to as a "bridge" certificate) can now be verified by the second CA, without the GeoTrust root CA certificate having to be trusted by the client explicitly.

When Google presents the Cross-signed version of the GeoTrust root CA cert, a client that doesn't trust the original can just use the Equifax CA cert to verify GeoTrust - so Equifax acts as a kind of "legacy" trust anchor.

Best Answer

Related Solutions

SSL Error: self signed certificate in certificate chain

Understanding the output of openssl s_client

Because of CA Cross-signing!

Related Topic