StartCom SSL intermediate certificate chain fix…

In the past year I’ve installed two SSL certificates from StartCom, for my two websites: amberandtrey.us, and eldon.me. Both of these sites (now) are running Debian Sid, and have almost identical configurations. For most browsers/devices I’ve tried, the StartCom SSL certificates work fine (notice the appropriate lock icon in the address bar [in Google Chrome/Chromium it’s a green lock icon]). However, on some devices–most notably my Samsung Galaxy S II running CyanogenMod 9.10, and my mother’s aging iMac–I get a message similar to the following following:

(Sorry for picking on you Midnight Commander, but yours is a website I know generates this error for me consistently. Maybe I can link to this post and have you fix that!)

Searching for the string “entity is not trusted” on the StartCom forums guided me to this posting, which suggests using a free tool called SSL Checker to verify that my SSL installation is complete and without problems. The site gives me the following:

So it is verified that my SSL certificate is not trusted by all browsers. They give a hint back to StartCom’s extensive FAQ. It led me to the Apache Web Server configuration page. I needed to copy both the ca.pem and sub.class1.server.ca.pem, and configure apache2 appropriately (in the sites-available/eldon.me configuration file). My configuration ended up being like this:



DocumentRoot /var/www/eldon.me
ServerName eldon.me
ServerAlias www.eldon.me
ServerAdmin trey@blancher.net
ErrorLog /var/log/apache2/wp-error.log
TransferLog /var/log/apache2/wp-access.log
RedirectPermanent / https://eldon.me



SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /etc/ssl/certs/eldon.me.pem
SSLCertificateKeyFile /etc/ssl/private/eldon.me.crt
SSLCertificateChainFile /etc/ssl/certs/startcom_sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/startcom_ca.pem
DocumentRoot /var/www/eldon.me
Customlog /var/log/apache2/eldon.me-ssh-access.log combined
ErrorLog /var/log/apache2/eldon.me-ssh-error.log
HostnameLookups On



  Options FollowSymLinks
  AllowOverride Limit Options FileInfo
  DirectoryIndex index.php


I was missing the ChainFile and CACertificateFile, and I added the extra bits about CipherSuite and Protocol. Now the SSL Checker validates everything on eldon.me. The same configuration isn’t working for amberandtrey.us, the checker says “No SSL could be found,” yet my browser indicates SSL is active and enabled. I’ll have to do a closer comparison… [Edit 2013-01-27 0554 -0600]Looks like the SSL certificate is tied directly to www.amberandtrey.us (which redirects to amberandtrey.us). The opposite problem exists for eldon.me. If I have the SSL Checker scan www.eldon.me, it says “No SSL could be found.” Must be a difference in the way I set up the SSL certificates.

Now I can be sure that folks won’t have to click through an SSL warning when they visit my sites!

Leave a Reply