
Certificate errors



I have looked through the forums, but this does not seem to have been answered.


I have tried to install a private key, plus an SSL certificate from two CAs (Startcom and Geotrust), but no matter what, after I install it as a server certificate, I get an SSL error, and can't connect to the PBX web server securely until I delete the cert.

The error is different depending on the browser, but none of them work.


The cert is 2048 bit, as it's not possible to get any lower ones.


I installed the cert and the intermediary cert, and the private key.

The Trusted root CA is there for both Geotrust and Startcom.


Any ideas?

Thanks in advance.



Link to comment
Share on other sites

Please use only 512 and 1024 bit certificates. The system currently has trouble handling certificates with other sizes. The security and the performance on these certificates is still reasonable.


That's incorrect. snom ONE can deal with 2048 bits.


You need to install that as server cert, and you must include the private key as well (everything base64 encoded). If you import a certificate chain, make sure that the Root CA is at the top and the intermediate right below it. You should see that also in the Wireshark trace then.

Link to comment
Share on other sites

That's incorrect. snom ONE can deal with 2048 bits.


You need to install that as server cert, and you must include the private key as well (everything base64 encoded). If you import a certificate chain, make sure that the Root CA is at the top and the intermediate right below it. You should see that also in the Wireshark trace then.


Well, yes, it's been impossible to buy a signed SSL certificate from a trusted CA below 2048 bits for a long time...


On the other note, I have tried everything, but I get the same errors.


When adding to Snom One, in the certificate field, I entered the Web Server certificate, empty line, then the Root CA from Geotrust, empty line, then the Intermediary CA from Geotrust.

In the private key section, I enter the private key.

I add it as a server certificate chain+private key.

I see the domain name in the certificate list.


But when I try to access the admin web via https I get the errors... :(



Link to comment
Share on other sites

I believe you are almost there... Because it is a chain, I would use the Web Server certificate, empty line, then the Intermediary CA from Geotrust, then the Root CA from Geotrust. Empty lines don't matter, just make sure that the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- are there.

Link to comment
Share on other sites

That's incorrect. snom ONE can deal with 2048 bits.


You need to install that as server cert, and you must include the private key as well (everything base64 encoded). If you import a certificate chain, make sure that the Root CA is at the top and the intermediate right below it. You should see that also in the Wireshark trace then.




Will have to change this information on the wiki. Thanks B)

Link to comment
Share on other sites

I believe you are almost there... Because it is a chain, I would use the Web Server certificate, empty line, then the Intermediary CA from Geotrust, then the Root CA from Geotrust. Empty lines don't matter, just make sure that the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- are there.


I think I already tried in this order, but nevertheless I did it again...

Same error... :(


In chrome:

SSL connection error

Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.

Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.


In Firefox:

Secure Connection Failed



An error occurred during a connection to sip.xxxxxxx.com:xxxx.


SSL received a record with an incorrect Message Authentication Code.


(Error code: ssl_error_bad_mac_read)


Internet Explorer doesn't even connect...


This all happens if I add it as a Server Certificate Chain+key.

If I add it as a Domain Certificate chain, Snom One doesn't even use it, although the domain in the cert matches the domain of Snom One, but instead presents the "Snom One Intermediate" certificate for https traffic...

Link to comment
Share on other sites

Maybe you can give us a PCAP trace and the certificates in Base64 format (just send a private message). It seems there is something wrong with the certificate chain representation in the TLS stream.


You mean, that I should capture the IP packets?

I guess if you have the certs, and install them in a Snom One, you will have the same problem.

And since this happens with two certification authorities, I assume it's something in the Snom ONE.

Nevertheless, I can send you the certs in PM, but then I would have to send you the private key as well? :)



Link to comment
Share on other sites
