Jul 8, 2013

Fix Untrusted Chain Issue With Firefox and GnuTLS

I have GnuTLS set up on numerous Apache web servers. It's just better than OpenSSL because with GnuTLS I can use the more secure TLSv1.1 or TLSv1.2. The only problem I've had with it, until now, is that it's trusted by every browser I've used with the exception of Firefox.

When I browse to one of my GnuTLS enabled sites in Firefox I get an error saying "The certificate is not trusted because no issuer chain was provided."

In the Apache config files this is easy with OpenSSL, since you can specify a chain file, but with GnuTLS you can't. There is a way of making it work, though.

Just open your server certificate in your favorite text editor, open the intermediate certificate in another, then copy the contents of the intermediate certificate to the end of your server certificate and save it. Restart Apache and you should be right as rain!

If you are doing this on your server you can append the intermediate cert to the end of your server cert by running the following command:

cat intermediate.crt >> server.crt
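The same append, as an added example that is not part of the original post, with the two checks I would want before restarting Apache: the leaf cert must end in a newline (otherwise `cat >>` fuses the END and BEGIN lines and the file no longer parses), and the resulting bundle should hold the leaf first and the intermediate second. File names server.crt and intermediate.crt are assumed; chain_order_ok additionally assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example (not from the original post). Assumed inputs:
#   $1 = server.crt (leaf certificate), $2 = intermediate.crt

# Append the intermediate to the leaf. If the leaf file has no trailing
# newline, add one first, or "-----END CERTIFICATE-----" and the next
# "-----BEGIN CERTIFICATE-----" end up on a single line.
append_intermediate() {
    leaf="$1"; inter="$2"
    if [ -n "$(tail -c 1 "$leaf")" ]; then
        printf '\n' >> "$leaf"
    fi
    cat "$inter" >> "$leaf"
}

# Number of PEM certificate blocks whose BEGIN marker starts a line.
# A fused file reports one block less than you expect.
count_pem_blocks() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Print only the Nth PEM block of a bundle (1-based).
nth_cert() {
    awk -v n="$2" '/^-----BEGIN CERTIFICATE-----$/ { c++ } c == n' "$1"
}

# Order check (needs openssl): the issuer of block 1 (the leaf) must be
# the subject of block 2 (the intermediate). Returns nonzero otherwise.
chain_order_ok() {
    leaf_issuer=$(nth_cert "$1" 1 | openssl x509 -noout -issuer | sed 's/^[a-z]*= *//')
    inter_subject=$(nth_cert "$1" 2 | openssl x509 -noout -subject | sed 's/^[a-z]*= *//')
    [ -n "$leaf_issuer" ] && [ "$leaf_issuer" = "$inter_subject" ]
}

# Typical use on the server:
#   append_intermediate server.crt intermediate.crt
#   [ "$(count_pem_blocks server.crt)" = 2 ] && chain_order_ok server.crt && echo "chain ok"
```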
If you have any questions, let me know. For some reason there isn't a lot of documentation out there for GnuTLS yet.
