StartCom SSL intermediate certificate chain fix…

In the past year I’ve installed two SSL certificates from StartCom, one for each of my two websites. Both sites (now) run Debian Sid and have almost identical configurations. For most browsers and devices I’ve tried, the StartCom SSL certificates work fine (note the lock icon in the address bar; in Google Chrome/Chromium it’s a green lock). However, on some devices, most notably my Samsung Galaxy S II running CyanogenMod 9.10 and my mother’s aging iMac, I get a message similar to the following:

(Sorry for picking on you, Midnight Commander, but yours is a website I know generates this error for me consistently. Maybe I can link to this post and have you fix that!)

Searching for the string “entity is not trusted” on the StartCom forums led me to this posting, which suggests using a free tool called SSL Checker to verify that my SSL installation is complete and without problems. The site gave me the following:

So it is confirmed that my SSL certificate is not trusted by all browsers. The checker points back to StartCom’s extensive FAQ, which led me to the Apache Web Server configuration page. I needed to copy both the ca.pem and the intermediate CA certificate into place, and configure apache2 appropriately (in the sites-available/ configuration file). My configuration ended up like this:

```apache
# The <VirtualHost> and <Directory> containers are restored here; the hostnames,
# certificate file names and the redirect target were elided in the original post.
<VirtualHost *:80>
    DocumentRoot /var/www/
    ErrorLog /var/log/apache2/wp-error.log
    TransferLog /var/log/apache2/wp-access.log
    RedirectPermanent /
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/ssl/certs/
    SSLCertificateKeyFile /etc/ssl/private/
    # The intermediate (sub-CA) certificate, sent to the client with the server cert.
    SSLCertificateChainFile /etc/ssl/certs/
    SSLCACertificateFile /etc/ssl/certs/startcom_ca.pem
    DocumentRoot /var/www/
    CustomLog /var/log/apache2/ combined
    ErrorLog /var/log/apache2/
    HostnameLookups On

    <Directory /var/www/>
        Options FollowSymLinks
        AllowOverride Limit Options FileInfo
        DirectoryIndex index.php
    </Directory>
</VirtualHost>
```

I was missing SSLCertificateChainFile and SSLCACertificateFile, and I added the extra bits about CipherSuite and Protocol. Now the SSL Checker validates everything on the first site. The same configuration isn’t working for the second; the checker says “No SSL could be found,” yet my browser indicates SSL is active and enabled. I’ll have to do a closer comparison… [Edit 2013-01-27 0554 -0600] Looks like the SSL certificate is tied directly to one hostname (which redirects to the other). The opposite problem exists for the other site: if I have the SSL Checker scan the redirecting hostname, it says “No SSL could be found.” Must be a difference in the way I set up the SSL certificates.
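The error above comes from the server sending only its own (leaf) certificate: a client that trusts StartCom’s root but has never seen the intermediate cannot build a path to it. The script below is an added example, not code from this post or from StartCom: it builds a throw-away root → intermediate → leaf chain with the openssl CLI (all names, such as “Demo Root CA” and www.example.com, are made up), reproduces the failure when only the leaf is presented, confirms that presenting the intermediate fixes it, and adds a static check of a chain file that catches an empty file or the root pasted in where the intermediate belongs.

```sh
#!/bin/sh
# Added example (not from the original post): demonstrate the missing
# intermediate problem offline with a locally generated certificate chain.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config so the run does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Demo Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.com\n' > leaf.ext

# Root CA: the only certificate the client is assumed to have in its trust store.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 -config req.cnf \
  -keyout root.key -out root.pem 2>/dev/null
# Intermediate CA signed by the root (the role StartCom's sub-CA plays).
openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
  -subj '/CN=Demo Intermediate CA' -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -sha256 -extfile ca.ext -out int.pem 2>/dev/null
# Server (leaf) certificate signed by the intermediate, like a site certificate.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
  -subj '/CN=www.example.com' -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 1 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

DEMO_ROOT=$WORK/root.pem DEMO_INT=$WORK/int.pem DEMO_LEAF=$WORK/leaf.pem

# Subject or issuer DN of a PEM certificate with the "subject="/"issuer="
# prefix stripped, so the two fields compare as plain strings.
cert_field() {  # usage: cert_field subject|issuer file.pem
  openssl x509 -noout "-$1" -in "$2" | sed "s/^$1= *//"
}

# What a client that trusts only ROOT makes of what the server sent: the leaf
# alone, or the leaf plus a chain file of intermediates.  0 = path builds.
client_verifies() {  # usage: client_verifies root.pem leaf.pem [chain.pem]
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Static check of a chain file in the order mod_ssl sends it: each certificate
# must be the issuer of the one before it, starting from the leaf.  Fails on
# an empty chain file and on a root pasted in place of the intermediate.
chain_links_ok() (  # usage: chain_links_ok leaf.pem chain.pem
  parts=$(mktemp -d)
  awk -v d="$parts" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/" n ".pem")}' "$2"
  prev=$1 i=1 status=0
  [ -f "$parts/1.pem" ] || status=1          # no certificate in the chain file
  while [ $status -eq 0 ] && [ -f "$parts/$i.pem" ]; do
    [ "$(cert_field issuer "$prev")" = "$(cert_field subject "$parts/$i.pem")" ] || status=1
    prev=$parts/$i.pem
    i=$((i + 1))
  done
  rm -rf "$parts"
  exit $status
)

# Before the fix: the server sends only the leaf (no SSLCertificateChainFile).
if client_verifies "$DEMO_ROOT" "$DEMO_LEAF"; then
  echo "leaf only: verified (not expected)"
else
  echo "leaf only: verification fails; this is the 'not trusted' error"
fi
# After the fix: the leaf plus the intermediate.
if client_verifies "$DEMO_ROOT" "$DEMO_LEAF" "$DEMO_INT"; then
  echo "leaf + intermediate: verified"
fi
# A chain file holding the root instead of the intermediate does not help.
if chain_links_ok "$DEMO_LEAF" "$DEMO_ROOT"; then
  echo "chain file links: ok"
else
  echo "chain file links: broken (root is not the leaf's issuer)"
fi
```

Against a live server the same check is `openssl s_client -connect host:443 -servername host -showcerts </dev/null`: the certificate list shows exactly what the server sends, and a result of `Verify return code: 21 (unable to verify the first certificate)` means the intermediate is missing. Two caveats on the configuration above: the directive that actually sends the intermediate is SSLCertificateChainFile (Apache 2.4.8 and later accept the intermediate appended to SSLCertificateFile instead), while SSLCACertificateFile is for verifying client certificates and does not by itself fix this error; and `SSLProtocol all -SSLv2` still leaves SSLv3 enabled, which today should be disabled as well.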

Now I can be sure that folks won’t have to click through an SSL warning when they visit my sites!
