SSL certificate problem on most https websites

Similar Messages

• Safari client certificate problem w/ Canada Post website

  I am using OSX 10.8.5 and Safari 6.1.1
  I'm trying to use the Canada Post website for online shipping (ship-in-a-click) via the site:
  http://www.canadapost.ca/personal/tools/cst/intro-e.asp
  When I choose my option (in this case INTERNATIONAL) a pop-up opens asking to select a client certificate. A list of five certificates, which are all apparently valid and not expired, is given. No matter which certificate I select I cannot get past this pop up window. It just pops back up again.
  The certificates are all in the form:
  com.apple.idms.appleid.prd. then a very lengthy alpha numeric string
  From what I have read with certificate problems you can just delete them and next time you visit the site will ask you to select a new one. However, in this case, with all the certificates seemingly being valid, I don't think that will be the solution. Although, I am a complete novice when it comes to these issues.
  Can anybody suggest something other than using Firefox/Chrome etc. although if that is the ONLY choice then so be it. But surely this can be solved within Safari, no? The rest of the Canada Post site seems to behave OK with Safari.
  Thank you.

  Neither.  I am on Mavericks and it shows the exact same issue, so it neither fixes the problem or intoduces new ones, at least with my site.
  I also noticed that it is somewhat based on the loction (IP) of the server because on my local laptop (During development) and on our QA server would try and send a certificate that it should not send.  HOWEVER once we implemented the SSL client certificate on our production server it would no longer send the certificate.  I have no idea why and speculate that it is because our production server has a public IP.
  If you want you can use my site and see if the problem persists for you there (http://whf.to); however given the seemingly random why Safari decides to send certificates you may or may not see the issue.  If Safari does indeed send a certificate you should get an error page that details what happened (in somewhat lay-terms).
  Sorry that Mavericks doesn't fix the issue for you.

• SSL + Certificate problems solved

  To all of you who are having problems with Weblogic and Verisign Certificates.....
  Here is what I got from BEA:
  To solve this problem, review the corresponding configuration for our demo certificates
  and
  then proceed to similar Verisign setups.
  Once WLS 6.0 is started, proceed to a browser and open the console. Move to the
  servers
  tree, expand it, chose your server and move to its SSL tab.
  WLS demo 512 bit certificate
  1. Server Key File Name -> demokey.pem
  2. Server Certificate File Name -> democert.pem
  3. Server Certificate Chain File Name -> ca.pem
  WLS 1024 bit Demo Certificate
  1. Server Key File Name -> demokey1024.pem
  2. Server Certificate File Name -> democert1024.pem
  3. Server Certificate Chain File Name -> ca1024.pem
  Trial Verisign Certificates - 2 week expiration
  When you initially make the request, the following two files are generated:
  a. mycomputer_bea_com-key.der
  b. mycomputer_bea_com-1024cert.pem
  Once Verisign acknowledges the request, you are given instructions to install
  the
  certificate as well as use test CA's for each browser, IE and Netscape. You will
  need to
  save the test CA and use this in the SSL configuration.
  1. Server Key File Name -> mycomputer_bea_com-key.der
  2. Server Certificate File Name -> mycomputer_bea_com-1024cert.pem
  3. Server Certificate Chain File Name -> testca.der (obtained from the installation
  to each
  client browser)
  Purchased 1 year 1024 bit certificate from Verisign.
  As in the case of the trial certificate, much is the same except that no CA is
  forwarded.
  1. Server Key File Name -> mycomputer_bea_com-key.der
  2. Server Certificate File Name -> mycomputer_bea_com-1024cert.pem
  Now what to specify as the CA?
  Using any of the other CA's will generate the modulus exception. The only recourse
  in this
  event is to do the following:
  1. go to http://www.verisign.com/repository/root.html
  You'll find Class I to Class III root certificates and a Server CA.
  Take the plain text Server CA and save this to a file.
  2. Use a conversion utility, which can be found within OpenSSL, to convert the
  plain text
  to a .der format.
  3. Once the conversion is complete, this CA.der can be used as the Server Certificate
  Chain
  File Name.

  as in mail to CC_AA with scenarios, and Private Messages, happens WIN Vista and 7. IE 9 and 10. 3 diff machines, Dell laptop home, 2 Dell Desktops work. I always clear / delete top 4 items via Internet options approx. twice a week, first thing I did along with clearing SSL state. From CC homepage, click SIGN-IN in left side black box. Enter ID and Password, SIGN IN -> . Returns to CC homepage. Click on EMAIL box below the black box, get:There is a problem with this website's security certificate.     The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website.  Click here to close this webpage. Continue to this website (not recommended). More informationIf you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com. For more information, see "Certificate Errors" in Internet Explorer Help. Address bar shows "https://login.comcast.net/login........" Interesting, for secure site no security icon appears on the address bar. On Home page, if instead I click arrow in Email box, I see a preview of my mail. Then I have to click "View Inbox" lower left corner of popup, and Inbox comes up..... 

• SSL Certificate Problem

  I finally took the plunge and brought our chat server back up to Leopard. I'm in an SSL mess right now.
  I got a new cert for the server from Thawte (got the ApacheSSL cert, which is what I had successfully used on Tiger Server.)
  I started the process by creating a new CSR in Server Admin (advanced server), sent the CSR to thawte, they signed and returned the cert. Went back to server admin, imported it, and it looks good!
  Well, I selected the cert in the iChat service and clients cannot login. They can login with the Default cert (but get the warning message).
  ...and we see the following in the iChat service log:
  Jan 7 07:27:48 chat jabberd/c2s[6453]: failed to load local SSL pemfile, SSL will not be available to clients
  So, I looked in /etc/certificates and it looks good:
  chat:certificates herb$ ls -la
  total 72
  drwxr-xr-x 12 root wheel 408 Jan 7 07:24 .
  drwxr-xr-x 124 root wheel 4216 Jan 7 07:25 ..
  -rw-r--r--@ 1 root wheel 0 Jan 5 13:35 .defaultCertificateCreated
  -rw-r--r-- 1 root wheel 660 Jan 5 13:35 Default.crt
  -rw-r----- 1 root certusers 1551 Jan 5 13:35 Default.crtkey
  -rw-r----- 1 root wheel 534 Jan 5 13:35 Default.csr
  -rw-r----- 1 root certusers 891 Jan 5 13:35 Default.key
  -rw-r--r-- 1 root wheel 1155 Jan 7 07:24 chat.northampton.edu.chcrt
  -rw-r--r-- 1 root wheel 1306 Jan 7 07:24 chat.northampton.edu.crt
  -rw-r----- 1 root certusers 2269 Jan 7 07:24 chat.northampton.edu.crtkey
  -rw-r----- 1 root wheel 720 Jan 5 14:09 chat.northampton.edu.csr
  -rw-r----- 1 root certusers 963 Jan 7 07:24 chat.northampton.edu.key
  I am really at a loss, any ideas?
  I notice that in the jabberd c2s.conf configuration file:
  <!-- File containing a SSL certificate and private key to use when
  setting up an encrypted channel with the router. If this is
  commented out, or the file can't be read, no attempt will be
  made to establish an encrypted channel with the router. -->
  <pemfile>/etc/certificates/Default.crtkey</pemfile>
  Now that is odd since I chose the chat.northampton.edu cert!
  Later in the file we do see references to the chat.northampton.edu cert so I left that entry alone. Later I read that first entry is okay the way it is.
  Any help appreciated!

  Here's how to get iChat Server working with a real SSL cert. Also, in my case users come from Open Directory (on a Novell eDirectory directory). So this solution kills 2 birds with one stone.
  1. Set up your server, in my case a new install. Install updates NOW, not later!!!!!!!
  2. In Server Admin, clicked Certificates, then the + sign to create a new cert.
  3. Fill in appropriate info, such as Common Name (DNS name of your server!), Organizational Unit, etc.
  4. Enter a 24 character passphrase. (Good security please!)
  5. Click Save, then second middle button to create a CSR.
  6. Drag the CSR icon into the place for the CSR on the thawte(Verisign, whatever) request page. Or email the CSR to them.
  7. Verify the CSR on the thawte(Verisign, whatever you're using) site. The information should match what you entered for Common Name, etc.
  8. Submit it to them for signing; get the reply from them.
  9. Go back into server admin | Certificates, select the my.domain.com cert, click the button and select "import signed..."
  10. Paste the response from thawte(Verisign, whatever) in there, then click save.
  You should now see that the cert is trusted and the certifying authority (thawte, etc) listed, where it used to say Self-signed.
  Fire up web services and see if it your new cert works for web. If it does, continue on.
  Your new cert may or may not work for Jabber. If it does, well you're done. If it doesn't...
  1. Ensure you've selected the cert for iChat in Server admin. (I know, it doesn't work yet.)
  2. Either Remote Desktop to your server and open Terminal or ssh in and get a prompt. BECOME ROOT!! sudo su -
  3. Take a look in /etc/certificates.
  4. You should see a my.domain.com.key file and a my.domain.com.crt file.
  Now using vi, pico, or whatever look at the .key file. Do you see DES encryption lines in there? If you do, your private key is encrypted with your passphrase.
  5. Make a copy of my.domain.com.key (Let's call it my.domain.com.jb)
  5a. Make a copy of my.domain.com.crt (Let's call it my.domain.com.crt.jb
  6. Decrypt the private key: (Remember you're root!) openssl rsa -in my.domain.com.jb -out my.domain.com.jb
  It will ask you for your passphrase.
  7. Create a new file containing your public key (my.domain.com.crt), and combine with the decrypted private key (my.domain.com.jb):
  cat my.domain.com.jb >> my.domain.com.crt.jb
  8. Rename my.domain.com.crt.jb to my.domain.com.crtkey.jb
  9. Change ownership of my.domain.com.crtkey.jb to root:jabber ( chown root:jabber my.domain.com.crtkey)
  Not done yet....
  10. Change perms / ownership of my.domain.com.jb to match your original .key file.
  EDIT /etc/jabberd/c2s.xml
  1. Amend the settings in the local section (under the ssl-port 5223 line) to:
  /etc/certificates/my.domain.com.crtkey.jb
  1a. I also commented out the cachain line in that area. You may not need to but I did.
  2. No matter how tempting, do NOT touch anything else at this time. Trust me.
  Leave the 0.0.0.0 IP's alone; where you see your Default cert, leave it be!
  Done editing.
  3. Restart ichat service (don't touch the settings in the Admin application)
  On the iChat client set connect using SSL, port 5223.
  All should work.
  To get OD logins to work, comment out cram-md5 authentication, like this:
  Hopefully the code comes out in the pose there. If not, it's the fix from the Apple:
  http://docs.info.apple.com/article.html?artnum=306749 (option 2)
  Thanks to MacTroll from AFP548, and Tim Harris at Apple Discussions for their collective pieces in solving this!!

• Ssl certificate problem under lion (mail,safari)

  Hello,
  After a timemaschine backup recovery to my imac (mid 2010) lion os x 10.7.1 there is a strange behavior with ssl certificates in mail and safari !
  Every time mail starts new it ask me to trust my mobile.me ssl certificate, what i do of course, but at the next start it appears again, same for ssl websites in safari every time a ssl popup to accept...
  What i have done til now:
  Repair permissions
  drag the ssl certificate icon in the popup to the desktop and accept it manually
  keychain utility edit all these ssl certificate and accept manually
  mail:reenter account passwords accept ssl certificate again
  reset keychain
  this behavior appears at all account on the imac
  ssl certificate are marked in the keychain utility as trusted
  now I'm at the end of my knowledge....
  can anybody please help, please !
  Thanks
  Tobias

  Hi Simon,
  As suggested by “TP” check where the certificate is stored. The certificate must be installed in the personal certificate of the computer account and not your personal account. Also you can check by running below command in command prompt to check
  where the issue is going wrong as stated by “Alan” in this thread.
  certutil -f –urlfetch -verify <your_certificate>.cer
  In meanwhile, also go through beneath link for more information.
  1.  How to Import a Server Certificate
  2.  Exporting/Importing SSL Certificates Between Windows Servers
  Hope it helps!
  Thanks.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• RDS SSL Certificate Problem

  Hi
  We've bought an SSL certificate for use on our RDS Session Host connector. We've imported it but when we try to select it in RDS settings we get a message saying 'There are no certificates installed on this Remote Desktop Session Host server'. If I try to
  use it in RemoteApp Manager under Digital Signature Settings I can select it without issue. We don't have Gateway installed and ideally don't want to, we just want to put a certificate on the connector.
  Is there any advice anyone can give me to get this working?
  Many thanks 
  Simon Whittington

  Hi Simon,
  As suggested by “TP” check where the certificate is stored. The certificate must be installed in the personal certificate of the computer account and not your personal account. Also you can check by running below command in command prompt to check
  where the issue is going wrong as stated by “Alan” in this thread.
  certutil -f –urlfetch -verify <your_certificate>.cer
  In meanwhile, also go through beneath link for more information.
  1.  How to Import a Server Certificate
  2.  Exporting/Importing SSL Certificates Between Windows Servers
  Hope it helps!
  Thanks.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• SSL Certificate problem in the Oracle http server

  Hi,
  I have setup the oracle http server (OHS 11g) in linux machine and we created a virtual directory to access a web application.
  In NON SSL connection it is working fine but when we try use the SSL connection we are not able to access the web application the port (4443) is not up.
  Require help in this issue ?
  regards,
  Suresh G
  Edited by: Sangeetha on Jan 3, 2013 12:13 PM

  Hi Suresh,
  Did u check the port ??
  Also cud you paste the steps u followed do configure SSl on Ohs ??
  Cheers :-)

• SSL certificates problems

  hi,
  has anyone also problems with self signed certificates and ios5?
  my certificates used for ipsec connections show up as "untrusted" in the certificate profiles and ipsec vpn does not work anymore.
  a second device with ios4.3 shows the same certificates as trusted.
  any ideas?

  Finnaly, after hours and hours of trying, I found the solution for myself without any support from apple (try to reboot your ios device... :-/).
  The SSL certifiactes MUST NOT use MD5 as signature alg.
  Using SHA (1,2) solves the issue. The CA is not affected by this (the CA still can use MD5 for its own public key), bute the user-certificate has to use something else then MD5....

• SSL Certificate problem with WL 5.1

  "We are still using WLServer 5.1 SP12
  I just installed a new certificate (request generated with WL, signed by our 'local' CA)
  I always get the following message:
  Do Okt 10 15:17:25 CEST 2002:<I> <WebLogicServer> Loaded License : /apps/weblogic/license/WebLogicLicense.xml
  Do Okt 10 15:17:25 CEST 2002:<I> <WebLogicServer> Server loading from weblogic.class.path. EJB redeployment enabled.
  java.lang.StringIndexOutOfBoundsException: String index out of range: 15
  at java.lang.String.charAt(String.java:506)
  at weblogic.security.ASN1.ASN1Utils.parseDateInt(ASN1Utils.java:300)
  at weblogic.security.ASN1.ASN1Utils.inputASN1Date(ASN1Utils.java:292)
  at weblogic.security.X509.input(X509.java:118)
  at weblogic.security.X509.initialize(X509.java:64)
  at weblogic.security.Certificate.<init>(Certificate.java:54)
  at weblogic.security.X509.<init>(X509.java:44)
  at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.java:207)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:318)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:238)
  at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java:1245)
  at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:879)

  hi
  Did you solved it?
  If it is may i know how you solved it
  thanks

• [solved] dovecot errors after renewing SSL certificate

  System:
  OS X Server (Mountain Lion) 2.2
  Using a single SSL Certificate for all services.
  Symptom:
  Users can't log into their IMAP accounts hosted on OS X Server (Mountain Lion) after renewing SSL Certificate
  Diagnostics:
  Give you an indication whether it's this problem. Some or all may apply:
  Log shows all kinds of dovecot errors. e.g.
  dovecotd[nnn]: master: Error: service(config): command startup failed, throttling
  config: Fatal: Error in configuration file /Library/Server/Mail/Config/dovecot/dovecot.conf: ssl enabled, but ssl_cert not set
  dovecotd[nnn]: master: Error: service(config): command startup failed, throttling
  /Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf shows commented out lines:
  ssl_cert
  ssl_key
  ssl_ca
  Solution:
  Go to the Certificates pane of the Server App  and choose Secure Services Using: Custom
  Set IMAP and POP server certificates to to None
  Keep an eye on what the server App is doing to /Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf
  Now set Secure Services Using: <My single SSL Certificate for all services>
  Keep an eye on what the server App is doing to /Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf and you should now see all the ssl* settings as you would expect, and pointing to the correct SSL certificate  in /etc/certificates
  Hope this works for you too!

  I had something similar happen. When I do anything with SSL certificates it deletes any regular websites. Only the sites that are setup for https are listed.
  Couldn't understand why my website wasn't working and it turned out that the system had deleted it. The web server had multiple host set and I had to rebuild all the ones that had used port 80. All the ones that use 443 were fine.
  Hope this helps.

• Web server type of standalone oc4j needed for SSL Certificate

  Hi,
  We have a standalone oc4j 10.1.3 that hosts an application whose many of its pages use https and so we need to buy SSL certificate from any of CAs like Verisign, GeoTrust, etc.. All of these CAs are asking us about the web server type that the standalone OC4J uses. I read the following statement from this url:
  http://download.oracle.com/docs/cd/B32110_01/web.1013/b28950/intro.htm#JICON100
  "communications in a standalone environment is provided through the built-in *_OC4J Web server_*, which supports HTTP and HTTPS communications natively without the use of the Oracle HTTP Server"
  On all of the SSL certificate systems of above CAs websites, they ask us to choose the web server type from a list of server types but I don't see OC4J web server listed and I am told that it is very important to make sure the web server type is correct otherwise the SSL Certificate that we buy may not be compatible with our web server type.
  So, I like to know the exact built in web server type name that goes with Standalone OC4J or one that is closest and for which SSL Certificate is compatible.
  Shown below is a list of web server types that I am asked to choose from on Verisign website.The closest to standalone oc4j according to below list is Oracle Wallet Manager but isn't this meant for Oracle Application Server (OAS) and not the standalone OC4J? we are using the java keytool to generate the CSR that we look to sign it via the verisign but again we are not sure about the web server type in the case of standalone OC4J that is not listed below. Please advice and thanks in advance to any of your responses in helping out.
  Webstar 4.x
  ApacheSSL mod_ssl
  WebLogic 6.0
  WebLogic 8.1
  Cisco
  ACS 3.2
  Covalent
  Apache ERS 2.4
  Apache ERS 3.0
  F5
  BIG-IP
  IBM
  Websphere MQ
  HTTP Server
  Lotus
  Domino 5.0
  Domino 6.0
  Domino 7.0
  Domino 8.0
  Windows NT - IIS 4.0
  Windows 2000 - IIS 5.0
  Windows 2003 - IIS 6.0
  Windows 2008 - IIS 7.0
  Exchange 2007
  iPlanet 4.x
  iPlanet 6.x
  ScreenOS
  SSL Accelerator
  Oracle Wallet Manager_
  Secure Web Server
  SSL Offloaders
  Stronghold
  Java Web Server 6.x
  Sun ONE
  AS Server w/IIS 4
  AS Server w/IIS 5
  EA Server
  Tomcat
  Zeus

  Hi Zeus,
  Type of certificate depends the method you will use to deploy the certificate on your application server.
  Please refer the links,
  http://download.oracle.com/docs/cd/B31017_01/web.1013/b28957/configssl.htm
  http://download.oracle.com/docs/cd/B14099_19/core.1012/b13995/wallets.htm#ASADM400
  http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
  Regards,
  mYth

• Only firefox is reporting my SSL certificate as revoked. How can I fix this issue?

  I have recently re-keyed and re-installed an SSL certificate on my server (https://beta.alicorsolutions.com:2087) running WHM on linux.
  The SSL certificate is passing all the 3rd party SSL tests (https://www.ssllabs.com/ssltest/analyze.html?d=beta.alicorsolutions.com) and works perfectly fine in Chrome and IE. However, in Firefox I get an error page that says: "Peer's Certificate has been revoked. Error code: sec_error_revoked_certificate".
  After doing some searching, I can see that the problem is specific to firefox and the only way everyone else seems to be fixing the problem is by turning off OCSP under Preferences > Advanced > Validation.
  This of course is not an acceptable long-term solution. I need to fix this issue as quickly as possible, ay help at all would be appreciated. Please let me know if there's any other information I can provide that would assist you in solving this issue.

  hello jcsarda, it's only working in chrome because its security settings are more relaxed per default (when you set chrome to check for certificate revokation in settings > advanced > HTTPS/SSL it shows the same error for me). i don't know about IE...

• Office Web Apps Server SSL Certificate

  Hi
  I am deploying Office Web App Server for Integration with Lync 2013. I opted for secure communication with SSL Certificate. I want this server available to internal and external users.
  I am little confused over CA for Issuance of SSL Certificate. On most of the forums, I found SSL Certificate to be issued by Internal CA. If so, will this also work for external users?
  If not, then plz guide me for Generating Certificate Request on Office Web App Server to be submitted to External CA for Issuance of Certificate.
  Regards.

  Hi,
  Thanks for your posting in this forum.
  I have moved this thread in Lync Server 2013-Management, Planning, and Deployment forum for more dedicated support.
  Thanks for your understanding.
  Best Regards,
  Wendy
  Wendy Li
  TechNet Community Support

• How to install SSL certificate on OSX 10.9.5?

  Hello,
  I purchased an SSL certificate from RapidSSL for my website. Somehow I am supposed to install this on my Mac but they are not able to provide me with instructions (great service). Can anyone help me?
  Thanks!

  sorry for hijacking but I have a related question to do with certificates.
  I had to set up virtual domains manually instead of through the GUI and the server ssl site is now locked to a certificate that is about to expire and no longer needed, I can't change the certificate in the web gui because it was created manually, I can't delete the certificate because it is assigned to the server ssl website and I can't manually edit the conf files to point to a different certificate becasue it breaks it, any ideas?

• Trying to import ssl certificate

  I renewed our entrust certificate and one of their new requirements is to import a cross certificate into keychain. When I do this nothing happens and this is the error I get,
  /Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access: Couldn't create temp file /Library/Keychains/~wN8D9LGpk8Am-cD6: Permission denied
  I checked permissions and this is what I got
  314844 88 -rwsr-sr-x 1 root wheel 43028 Feb 21 2008 ./Library/PreferencePanes/MySQL.prefPane/Contents/Resources/mahelper
  Any help would be greatly appreciated.

  I'm not sure why you're checking permissions on the MySQL.prefpane. That has nothing to do with SSL certificates.
  The most obvious cause of the 'Permission denied' message would be that you're not running as root when you try to import the certificate. Are you using sudo?