SSL – Firefox does not load certificate chain


I'm running lighttpd/1.4.28 (ssl) on Debian Squeeze. I just created a http://startssl.com certificate. It runs fine in all of my browsers (Firefox, Chrome, Opera), but my users are reporting certificate errors in Firefox. I already nailed it down to a failure to load the certificate chain:

Certificate in my Firefox: http://i.stack.imgur.com/moR5x.png
Certificate in others' Firefox: http://i.stack.imgur.com/ZVoIu.png (note the missing StartCom certificates here)

I followed this tutorial for embedding the certificate in my lighttpd: https://forum.startcom.org/viewtopic.php?t=719

The relevant parts of my lighttpd.conf look like this:

$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.ca-file = "/etc/lighttpd/certs/ca-bundle.pem"
        ssl.pemfile = "/etc/lighttpd/certs/www.bisaboard.crt"
}

ca-bundle.pem was created like this: cat ca.pem sub.class1.server.ca.pem > ca-bundle.pem
I grabbed the relevant files from here: http://www.startssl.com/certs/

www.bisaboard.crt was created like this: cat certificate.pem ssl.key > www.bisaboard.crt
Here certificate.pem is my StartSSL Class 1 certificate and ssl.key is my SSL-Root-Key.

Do you have any idea why the second Firefox does not correctly load the certificate chain?

Best Answer

Your webserver doesn't seem to present the intermediate certificates correctly. The reason it works in your own browser is probably that you've downloaded and installed them locally yourself.

Why don't you just download the CA bundle they already prepared for you at http://www.startssl.com/certs/ca-bundle.crt and use that for the ssl.ca-file option?
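
The difference between the two Firefox installations can be reproduced offline. The script below is an added example, not part of the original question or answer: it builds a constructed throwaway PKI (root, intermediate `sub`, leaf) with the openssl CLI, which is assumed to be installed, and checks the leaf as three different clients would see it. The file names and the functions `make_demo_pki` and `client_accepts` are made up for the illustration.

```shell
#!/bin/sh
# Constructed throwaway PKI: demo root -> demo sub (intermediate) -> demo leaf.
# Assumption: the openssl CLI is installed. All names and keys are made up.

# make_demo_pki DIR: write root.pem, sub.pem and leaf.pem into DIR
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root sub leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Self-signed root, intermediate signed by root, leaf signed by intermediate
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# client_accepts TRUSTED LEAF [SENT_CHAIN]: emulate a client whose local store is
# TRUSTED and that receives LEAF plus, optionally, the intermediates in SENT_CHAIN
# (the role ssl.ca-file plays in the lighttpd configuration above).
client_accepts() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# show LABEL ARGS...: print whether client_accepts ARGS succeeds
show() {
    label=$1; shift
    if client_accepts "$@"; then echo "$label: chain verifies"
    else echo "$label: chain cannot be built"; fi
}

tmp=$(mktemp -d) && make_demo_pki "$tmp" || exit 1
# A client that already holds the intermediate locally (the asker's own browser)
cat "$tmp/root.pem" "$tmp/sub.pem" > "$tmp/local.pem"

show "fresh client, server sends leaf only" "$tmp/root.pem" "$tmp/leaf.pem"
show "client with intermediate installed, leaf only" "$tmp/local.pem" "$tmp/leaf.pem"
show "fresh client, server sends leaf + intermediate" \
    "$tmp/root.pem" "$tmp/leaf.pem" "$tmp/sub.pem"
rm -rf "$tmp"
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends, so a missing intermediate shows up as a chain with only the leaf in it.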