<?xml version="1.0"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0">
  <channel>
    <title>Transition Technology: Ticket #165: Security certificate warning on new server</title>
    <link>http://localhost:8080/trac/ticket/165</link>
    <description>&lt;p&gt;
Users are getting site untrusted warnings: is all well with the security certificate on new servers?
&lt;/p&gt;
&lt;p&gt;
"Just one comment - when I try to connect to the login page, my browser
is telling me that the site is untrusted and that the connection cannot
be verified. Are there some additional steps you need to take to ensure
that the site connects securely?
&lt;/p&gt;
&lt;p&gt;
The browser reports that your site is using an invalid security certificate."
&lt;/p&gt;
</description>
    <language>en-us</language>
    <image>
      <title>Transition Technology</title>
      <url>/trac/chrome/site/TransitionNetwork-Logo-Web-Small.jpg</url>
      <link>http://localhost:8080/trac/ticket/165</link>
    </image>
    <generator>Trac 0.12.5</generator>
    <item>
      
        <dc:creator>ed</dc:creator>

      <pubDate>Mon, 08 Nov 2010 13:01:28 GMT</pubDate>
      <title>component changed</title>
      <link>http://localhost:8080/trac/ticket/165#comment:1</link>
      <guid isPermaLink="false">http://localhost:8080/trac/ticket/165#comment:1</guid>
      <description>
          &lt;ul&gt;
            &lt;li&gt;&lt;strong&gt;component&lt;/strong&gt;
                changed from &lt;em&gt;Drupal modules &amp; settings&lt;/em&gt; to &lt;em&gt;Live server&lt;/em&gt;
            &lt;/li&gt;
          &lt;/ul&gt;
        &lt;p&gt;
here's another enquiry:
&lt;/p&gt;
&lt;p&gt;
...When I try to register with your website I get the following warnings, which,
I think understandably, makes me wary of proceeding any further:
&lt;/p&gt;
&lt;p&gt;
This Connection is Untrusted
&lt;/p&gt;
&lt;p&gt;
You have asked Firefox to connect
securely to www.transitionnetwork.org, but we can't confirm that your
connection is secure.
&lt;/p&gt;
&lt;p&gt;
Normally, when you try to connect securely,
sites will present trusted identification to prove that you are
going to the right place. However, this site's identity can't be verified.
&lt;/p&gt;
&lt;p&gt;
What Should I Do?
&lt;/p&gt;
&lt;p&gt;
If you usually connect to
&lt;/p&gt;
      </description>
      <category>Ticket</category>
    </item><item>
      
        <dc:creator>chris</dc:creator>

      <pubDate>Mon, 08 Nov 2010 13:49:48 GMT</pubDate>
      <title>hours, totalhours changed</title>
      <link>http://localhost:8080/trac/ticket/165#comment:2</link>
      <guid isPermaLink="false">http://localhost:8080/trac/ticket/165#comment:2</guid>
      <description>
          &lt;ul&gt;
            &lt;li&gt;&lt;strong&gt;hours&lt;/strong&gt;
                changed from &lt;em&gt;0.0&lt;/em&gt; to &lt;em&gt;0.5&lt;/em&gt;
            &lt;/li&gt;
            &lt;li&gt;&lt;strong&gt;totalhours&lt;/strong&gt;
                changed from &lt;em&gt;0.0&lt;/em&gt; to &lt;em&gt;0.5&lt;/em&gt;
            &lt;/li&gt;
          &lt;/ul&gt;
        &lt;p&gt;
That's odd. I've created a wiki page which you could point people with this problem to, and ask them to follow the suggestions on it.
&lt;/p&gt;
&lt;p&gt;
&lt;a class="ext-link" href="http://wiki.transitionnetwork.org/Security"&gt;http://wiki.transitionnetwork.org/Security&lt;/a&gt;
&lt;/p&gt;
      </description>
      <category>Ticket</category>
    </item><item>
      
        <dc:creator>ed</dc:creator>

      <pubDate>Mon, 08 Nov 2010 15:25:09 GMT</pubDate>
      <title></title>
      <link>http://localhost:8080/trac/ticket/165#comment:3</link>
      <guid isPermaLink="false">http://localhost:8080/trac/ticket/165#comment:3</guid>
      <description>
        &lt;p&gt;
OK - these have only begun to appear since the move - is there anything that might have changed? Just checking...
&lt;/p&gt;
      </description>
      <category>Ticket</category>
    </item><item>
      
        <dc:creator>chris</dc:creator>

      <pubDate>Mon, 08 Nov 2010 18:43:08 GMT</pubDate>
      <title></title>
      <link>http://localhost:8080/trac/ticket/165#comment:4</link>
      <guid isPermaLink="false">http://localhost:8080/trac/ticket/165#comment:4</guid>
      <description>
        &lt;p&gt;
Well, it's a Debian rather than a FreeBSD Apache and the layout of the config files is very different, but the directives should be more-or-less the same.
&lt;/p&gt;
&lt;p&gt;
I'm not sure what is causing this problem; some more feedback from the users after they have tried the suggestions on the &lt;a class="ext-link" href="http://wiki.transitionnetwork.org/Security"&gt;http://wiki.transitionnetwork.org/Security&lt;/a&gt; wiki page would be good to have.
&lt;/p&gt;
      </description>
      <category>Ticket</category>
    </item><item>
      
        <dc:creator>ed</dc:creator>

      <pubDate>Mon, 08 Nov 2010 18:52:25 GMT</pubDate>
      <title></title>
      <link>http://localhost:8080/trac/ticket/165#comment:5</link>
      <guid isPermaLink="false">http://localhost:8080/trac/ticket/165#comment:5</guid>
      <description>
        &lt;p&gt;
will do...
&lt;/p&gt;
      </description>
      <category>Ticket</category>
    </item><item>
      
        <dc:creator>chris</dc:creator>

      <pubDate>Tue, 09 Nov 2010 00:04:56 GMT</pubDate>
      <title>hours, totalhours changed</title>
      <link>http://localhost:8080/trac/ticket/165#comment:6</link>
      <guid isPermaLink="false">http://localhost:8080/trac/ticket/165#comment:6</guid>
      <description>
          &lt;ul&gt;
            &lt;li&gt;&lt;strong&gt;hours&lt;/strong&gt;
                changed from &lt;em&gt;0.0&lt;/em&gt; to &lt;em&gt;2.5&lt;/em&gt;
            &lt;/li&gt;
            &lt;li&gt;&lt;strong&gt;totalhours&lt;/strong&gt;
                changed from &lt;em&gt;0.5&lt;/em&gt; to &lt;em&gt;3.0&lt;/em&gt;
            &lt;/li&gt;
          &lt;/ul&gt;
        &lt;p&gt;
I have gone over all the SSL settings again and there was one missing compared to gaia, &lt;a class="ext-link" href="http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile"&gt;SSLCACertificateFile&lt;/a&gt;, and &lt;a class="ext-link" href="http://wiki.gandi.net/en/hosting/using-linux/tutorials/ubuntu/ssl"&gt;the gandi.net documentation&lt;/a&gt; suggests it should be used, but it's for &lt;em&gt;client&lt;/em&gt; certificates, something we are not using, so I think perhaps their documentation is at fault and the directive that might help instead is the &lt;a class="ext-link" href="http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile"&gt;SSLCertificateChainFile&lt;/a&gt; directive, so this has been added (see &lt;a class="wiki" href="http://localhost:8080/trac/wiki/NewLiveServer#apache"&gt;wiki:NewLiveServer#apache&lt;/a&gt;) and it points to the whole chain of certs (all in one gandi.pem file).
&lt;/p&gt;
&lt;p&gt;
The difference this seems to make is that, whereas the &lt;a class="wiki" href="http://localhost:8080/trac/wiki/SecurityInfo#ChecktheSSLcertonthecommandline"&gt;wiki:SecurityInfo#ChecktheSSLcertonthecommandline&lt;/a&gt; had this chain for the gaia server:
&lt;/p&gt;
&lt;pre class="wiki"&gt;Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
 1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
&lt;/pre&gt;&lt;p&gt;
We now have:
&lt;/p&gt;
&lt;pre class="wiki"&gt;Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
 1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
&lt;/pre&gt;&lt;p&gt;
The only other difference with the FreeBSD settings is that on the old server the allowed ciphers were different:
&lt;/p&gt;
&lt;pre class="wiki"&gt;SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:+EXP:+eNULL:+SSLv3:+TLSv1
&lt;/pre&gt;&lt;p&gt;
Whereas the new server has the Debian defaults:
&lt;/p&gt;
&lt;pre class="wiki"&gt;SSLCipherSuite HIGH
SSLProtocol all -SSLv2
&lt;/pre&gt;&lt;p&gt;
If users still have a problem I could try the previous setting to see if this is the cause of the problem, but I don't think there is much real difference here.
&lt;/p&gt;
      </description>
      <category>Ticket</category>
    </item><item>
      
        <dc:creator>chris</dc:creator>

      <pubDate>Tue, 09 Nov 2010 00:16:55 GMT</pubDate>
      <title></title>
      <link>http://localhost:8080/trac/ticket/165#comment:7</link>
      <guid isPermaLink="false">http://localhost:8080/trac/ticket/165#comment:7</guid>
      <description>
        &lt;p&gt;
Or it could simply be because the users have the wrong date on their computer and it thinks that either the cert is only valid in the future (say if their clock is set to 2000) or in the past (say if their clock is set to 2020), see &lt;a class="ext-link" href="http://support.mozilla.com/tiki-view_forum_thread.php?locale=si&amp;amp;comments_parentId=438072&amp;amp;forumId=1"&gt;this&lt;/a&gt; and &lt;a class="ext-link" href="http://www.justanswer.com/questions/3nq7g-you-have-asked-firefox-to-connect-securely-to-www-google-com"&gt;this&lt;/a&gt;.
&lt;/p&gt;
&lt;p&gt;
I suspect &lt;em&gt;this&lt;/em&gt; might be the answer after all that! D'oh!
&lt;/p&gt;
      </description>
      <category>Ticket</category>
    </item><item>
      
        <dc:creator>chris</dc:creator>

      <pubDate>Wed, 10 Nov 2010 14:11:20 GMT</pubDate>
      <title>status changed; resolution set</title>
      <link>http://localhost:8080/trac/ticket/165#comment:8</link>
      <guid isPermaLink="false">http://localhost:8080/trac/ticket/165#comment:8</guid>
      <description>
          &lt;ul&gt;
            &lt;li&gt;&lt;strong&gt;status&lt;/strong&gt;
                changed from &lt;em&gt;new&lt;/em&gt; to &lt;em&gt;closed&lt;/em&gt;
            &lt;/li&gt;
            &lt;li&gt;&lt;strong&gt;resolution&lt;/strong&gt;
                set to &lt;em&gt;invalid&lt;/em&gt;
            &lt;/li&gt;
          &lt;/ul&gt;
        &lt;p&gt;
I think this is closed unless someone with the right date on their computer and also with the &lt;a class="ext-link" href="http://crt.gandi.net/GandiStandardSSLCA.crt"&gt;Gandi root certificate installed&lt;/a&gt; has a problem.
&lt;/p&gt;
      </description>
      <category>Ticket</category>
    </item><item>
      
        <dc:creator>ed</dc:creator>

      <pubDate>Wed, 10 Nov 2010 14:31:28 GMT</pubDate>
      <title></title>
      <link>http://localhost:8080/trac/ticket/165#comment:9</link>
      <guid isPermaLink="false">http://localhost:8080/trac/ticket/165#comment:9</guid>
      <description>
        &lt;p&gt;
yup - i'm awaiting replies from the punters...
&lt;/p&gt;
      </description>
      <category>Ticket</category>
    </item>
 </channel>
</rss>