SSL certificate chain resolver (opens in new tab)

(github.com)

41 pointszakjan11y ago16 comments

16 comments

16 comments · 6 top-level

laurencei11y ago· 4 in thread

Useful script.

A related post worth reading is "Getting an A+ on Qualy's SSL Labs Tester" - https://sethvargo.com/getting-an-a-plus-on-qualys-ssl-labs-t...

Previous HN discussion: https://news.ycombinator.com/item?id=8749931

nadams11y ago

That is what I suspected - in order to get an "A+" you have to recompile the web server (the article is for nginx but the same idea applies to Apache). I'm not saying this is a difficult process - but not something I want to do on a production system.

While, distro maintainers usually do a great job of maintaining software - I think it does highlight a certain need for another way to easily install bleeding edge without adding a whole other repo (which could contain/override versions of other software you may not want). You can always rpm/dpkg an individual package - but now your version will never been updated by the package manager, well by yum update/apt-get upgrade anyways (or even worse overwritten).

iancarroll11y ago

No. If you force HSTS it raises an A to an A+, which requires no recompiling.

Do PPAs not fit your use case?

nadams11y ago

Upon further research it looks like recompiling may no longer be needed. I remember awhile back some feature in a newer version of Apache - however I may be confusing that with my Ubuntu 10.04 (most of my other systems run Debian Wheezy).

In any case - PPAs are a patch for the problem not a solution (and specific to Ubuntu). PPAs require third-party support and if a security issue is found and he (or they) are on vacation - your custom version of Apache is vulnerable. It's not a big issue for something like Wine, but I would just have a warm fuzzy feeling if the security team behind the distro supported it.

I'm even guilty of using random debs however I always check for red flags and go with my gut feeling. I have worked with a group of Linux people who refused to install packages I wanted from the Red-Hat community repos onto the servers (though they would freely install packages they wanted...)

jayess11y ago

Thank you for that A+ link, it's very useful.

est11y ago· 2 in thread

SSL is hard not only because the pricing barrier, but also setup hassle like these. Thanks OP!

Tortoise11y ago

These people will sell you a cert for US$5 per year:

https://cheapsslsecurity.com/comodo/positivessl.html

If that's a barrier, I don't know what to say. Registering the domain name probably costs twice that.

est11y ago

Well, guess what, not everyone has credit card, payment methods are not available in every country.

praseodym11y ago· 2 in thread

One thing to note is that the Qualys SSL Labs test will complain if your server sends the (self-signed) root CA certificate, which will already be in the end-user's trust store. This uses unnecessary bandwidth for every TLS negotiation.

In many cases, the CA (or company you got your certificate from) will include this root cert in the chain. With most web servers it is perfectly fine to simply remove it, but I have seen applications where you cannot (VMware, which wants a complete chain ending with a self-signed cert) and where you'll have to ignore the SSL Labs warning.

zakjanOP11y ago

Yes, you are right, a root cert shouldn't be sent by server. My script doesn't append it to output, because (I hope) no intermediate certificate has AIA extension pointing to the root cert. If you find a counterexample, please file an issue, I will add a check.

iancarroll11y ago

A tangent of this is where you will get many irrelevant warnings due to compatibility chains. Comodo uses "Comodo <keytype> Certification Authority" but this has to be sent with your request as not all clients trust it, but they will trust the issuer.

peterwaller11y ago· 1 in thread

I've lost count of how many times I had to try reordering the certificates I fed to Amazon's load balancer. You get back very cryptic error messages. Which is annoying since it could almost certainly work out the order for you...

This script looks very useful, thanks :)

zakjanOP11y ago

Happy to help. Can you check if it works for you? Thanks :)

cfcf11y ago· 1 in thread

thank you very much for this! Added a pull request to fix some issues with relative paths :)

zakjanOP11y ago

Thanks for your contribution!

jpetersonmn11y ago

I just went through this issue with my first site I've used ssl on. I thought everything was all good until I visited the site on my phone and got cert errors. Took me all night to figure out how to get them in the correct order, etc... Thanks for sharing this.

j / k navigate · click thread line to collapse

16 comments