stand-alone SSL intermediate certificate

I hate to keep bugging Greg about this, so going to ask the forum for assistance. First, is there anybody out there using a stand-alone server w/ an SSL? And if so, does your SSL authentications require an intermediate certificate (or bundle) that goes between your server certificate and private key? On top of that, does Firefox recognize the certificate chain?

The reason I’m asking is because I’ve set my .crt file accordingly, and inserted the appropriate intermediate certificate. Firefox is complaining about an ‘untrusted connection’ because it can’t find the intermediate certificate to complete the chain. IE11 and Chrome do not suffer from this issue, because they seem to either fetch or bypass the intermediate certificates altogether. So, I guess my question is… do you have stand-alone w/ and SSL working, and are able to view your site on Firefox (for the first time) without it complaining about the certificate?

You can test your site here too, and see if it works:

or here:

If any of those complain about a broken certification chain, then you’re having the same issue I have. Trying to determine if it’s a configuration error, a bad SSL intermediate CA that I got from my vendor, or if Xojo isn’t properly sending this information. Thanks!

I am just taking a stab at this as I dealt with something similar and a mail server I was working with. I have no idea if this is your problem or will work, but… What I had to do was create a certificate chain file. I did something like cat cert-a cert-b cert-c > final-cert … Then use final-cert. They have to be in order as well. It was a while ago, but maybe that will give you something to google on.

Only taking a stab since I noticed this was posted 11 hours ago w/no response yet.

Thanks for the response, Jeremy. With the Xojo setup, it’s a little bit different. Other servers (ie. Apache), you do are you’ve just suggested and make a CA-bundle; however, Xojo (in this blog: states that you create your own .crt text-based file and pastes the following in this order:

  1. Certificate
  2. CABundle - One or more intermediate certificates from the company that issued your certificate. The order of these don’t appear to matter.
  3. Private Key

Like you, I’ve always had to have in intermediates in order; however, in the blog it states that doesn’t appear to be the case in this situation. The more I look into this, I think it’s because Xojo isn’t dealing/handling those intermediates correctly. If this was all tested in IE or Chrome, or even FF with a certificate that was already put into place by you visiting a site previously that used the same trusted intermediate certificate, then you won’t have any issues and everything will SEEM fine. This is where the external testing sites I linked previously come into play. They will reveal if there’s an issue, directly from how the server processed and represented the information, if there’s something broken or not.

There is… and now I’m trying to find out what. It could be a configuration error, though I’ve tried everything. I swapped certificate order, added and removed the root certificate within the bundle (although this is frowned against). Still I get the same result.

Excuse the typos… not sure why it won’t let me edit the post.

One thing I’d like to add too… Greg has been working with me trying to get to the bottom of this too. I don’t think this guy sleeps, as he’s always on the forum helping people out. This also goes for Norman and a few others. These guys are what is going to keep my subscription going and moving forward with Xojo.

Geoff, I hope you know how great these guys are… :stuck_out_tongue:

I had myself cloned a few years ago… Works wonders.

I had an issue with FF I think with a cert from GoDaddy when using haproxy. I think the problem was that the other browsers trusted the authority for the intermediate and FF didn’t. I added the intermediate’s authority into the file and then things were good. They did have to be in the proper order though.

Firefox requires a full intermediate chain for its verification, as a safeguard. It definitely makes working with SSLs a more pain-in-the-ass; however, it does so because it requires the SSL to be implemented properly where as other browsers are forgiving. All the SSL sites I test with:

They ALL report there’s an issue with the intermediate chain being broken. This confirmation means it’s not the browser. It’s the server (ie. Xojo). The site certificate and the private keys are being passed to the client properly from the server… but somewhere in the translation, the intermediates are not (at least on my end). Could it be a configuration problem on my end? It could be, but I’ve tried EVERY THING I can think of. Different encodings, different intermediate CAs from my SSL vendor, different orders, etc. Nothing works. A SIMPLE way to see if it is Xojo is to have somebody else with a stand-alone running an SSL w/ the --securePort:#### argument run their site through one of the links I posted above. The easiest and quickest is the middle one:

If you get an icon at the bottom of the result with a broken red-arrow, and an exclamation notification regarding a broken certificate chain… then it is Xojo.

For what it’s worth… Xojo JUST supported SSLs in the stand-alone very recently. I would expect a few bugs. Also, this bug could be difficult to have found because unless somebody was actively looking at test results, or had the issue I luckily ran into… they may have never noticed. Any of the following scenarios would cause the secured page to load just fine:

Using any other browser except FireFox
Using FireFox, but the intermediate certificate was previously installed from visiting another site that uses it also

If you just started using Firefox (fresh install), or have elevated security settings, or never visited a previous site that used the same intermediate issuer as your certificate… you’d be greeted with this screen:

Firefox ships with a more restricted set of root certificates than Chrome, etc. I noticed this a year and a half ago when I started playing with the not explicitly advertised SSL support. The solution is to get a more expensive, more mainstream cert or inform you customers what to do with Firefox.

My root is already included within Firefox. It’s my intermediate that is not.

[quote=105984:@Eric Brown]My root is already included within Firefox. It’s my intermediate that is not.

Yeah, that’s what I meant. The point is, it’s a Firefox problem, not a Xojo problem.

The tests I link will fail regardless of what browser you’re using. It doesn’t even test your browser. It tests the server directly…

So, how is that a Firefox issue again?

If Firefox includes the root, that’s all it needs to. The intermediate is signed by the root, so Firefox should trust it, and any certs that the intermediate signed.

Here’s a hint for you…

[quote=106016:@Brad Hutchings]Here’s a hint for you…[/quote]

I’m definitely already well aware of how to construct this file. Thanks, though.