Linode Forum
Linode Community Forums
Posted: Sun Aug 26, 2012 3:13 am
Junior Member

Joined: Wed Mar 17, 2010 3:24 pm
Posts: 26
Comodo PositiveSSL setup problem.

I’ve read a lot of forums and the Comodo instructions over and over, but I can’t get Firefox to accept my SSL certificate. I keep getting (Error code: sec_error_unknown_issuer). Chrome and IE8 work fine, but Firefox and the Chrome mobile browser just don’t like it. I’m pretty sure it has something to do with the ca.bundle and that I’m just setting something up wrong.

Here’s what I’m working with:
- Ubuntu / Apache server

Comodo PositiveSSL
- AddTrustExternalCARoot.crt
- domain_com.crt
- PositiveSSLCA.crt
- UTNAddTrustServerCA.crt

<VirtualHost>
SSLEngine on
SSLCACertificatePath /etc/apache2/sslcerts/
SSLCertificateKeyFile /etc/apache2/sslcerts/domain.key
SSLCertificateFile /etc/apache2/sslcerts/domain.crt
SSLCertificateChainFile /etc/apache2/sslcerts/domain.ca-bundle
</VirtualHost>

What exactly should be in the domain.ca-bundle and in what order? I’ve tried so many different combinations of the order in the domain.ca-bundle, but no luck. I keep reading about the intermediate/chain certificate and that it must be missing or I just don’t have it set up properly. Any help would be greatly appreciated, thanks!

_________________
I'm completely new to the LAMP stack.


Posted: Sun Aug 26, 2012 8:31 am
Senior Member

Joined: Sat May 03, 2008 4:01 pm
Posts: 569
Website: http://www.mattnordhoff.com/
Maybe you disabled their CA certificate in Firefox back when they had that security incident a couple years ago?

_________________
Matt Nordhoff (aka Peng on IRC)


Posted: Sun Aug 26, 2012 9:23 am
Senior Newbie

Joined: Wed Feb 24, 2010 2:08 pm
Posts: 16
The SSLCertificateChainFile needs to be the Comodo intermediate certificate, not the root CA. Looking at your post, it might be that you are referencing the root CA, not the chain certificate.


Posted: Wed Aug 29, 2012 5:24 pm
Junior Member

Joined: Wed Mar 17, 2010 3:24 pm
Posts: 26
Update: I was issued a new certificate from Comodo support. The email I received from Comodo had a domain.ca-bundle file and domain.crt file. Inside the domain.ca-bundle file it appears to have the PositiveSSLCA.crt stacked on top of the UTNAddTrustServerCA.crt. I believe those are the intermediate certificates. Unfortunately, every SSL checker that I use still says there is an issue with the certificate chain, so I'm still plugging away at trying to find the correct solution.

_________________
I'm completely new to the LAMP stack.


Posted: Wed Aug 29, 2012 7:13 pm
Senior Newbie

Joined: Wed Feb 24, 2010 2:08 pm
Posts: 16
It still sounds like you're not referencing the correct chain certificate. If you can provide your hostname, I can test and provide you with what you need to do. Quite often you need to put the 3 certificates into one file, i.e. the server certificate file.


Posted: Thu Aug 30, 2012 9:48 pm
Junior Member

Joined: Wed Mar 17, 2010 3:24 pm
Posts: 26
UPDATE: Good news, I got it working! Bad news, not entirely sure why. I copied a .ca-bundle from another one of my domains (don't know why I didn't think of this sooner...) that also uses a Comodo PositiveSSL certificate and it worked. I had been creating the .ca-bundle inside of Notepad then pasting it into the file through PuTTY, so I suspect it was a formatting issue (maybe a trailing space or something, I have no clue). After I pasted it in I'd go back through the file and fix the formatting, but something still must not have been correct. Has anyone had this happen to them? Any suggestions how I might have prevented this to begin with?

For anyone with a Comodo PositiveSSL certificate the .ca-bundle in order from top to bottom that is working for me is: AddTrustExternalCARoot.crt, UTNAddTrustServerCA.crt, PositiveSSLCA.crt

_________________
I'm completely new to the LAMP stack.


Posted: Fri Aug 31, 2012 8:36 am
Senior Member

Joined: Sun Jan 18, 2009 2:41 pm
Posts: 830
I can't help with the certificate question, but you're correct that formatting may have gotten munged in the cut-and-paste process. Use SCP to copy files between your home system and your Linode. PuTTY comes with pscp, which works fine. Graphical file transfer client options for Windows include WinSCP and FileZilla.
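
An added example (not from any poster in this thread): a small Python linter for the copy-and-paste damage suspected above, flagging Windows line endings, stray whitespace, run-together BEGIN/END lines and undecodable base64 in a .ca-bundle. The function name and the filler sample are made up for illustration; it checks formatting only, not certificate order or trust.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def lint_pem_bundle(data: bytes):
    """Return (certificate_count, problems) for a PEM bundle read as raw bytes."""
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("line 1: UTF-8 byte-order mark at start of file")
        data = data[3:]
    if b"\r" in data:
        problems.append("file contains CR characters (Windows line endings)")
    count, body, inside = 0, [], False
    for n, raw in enumerate(data.decode("latin-1").split("\n"), 1):
        line = raw.rstrip("\r")
        if line != line.strip():
            problems.append(f"line {n}: leading or trailing whitespace")
            line = line.strip()
        if line == BEGIN:
            if inside:
                problems.append(f"line {n}: BEGIN before the previous END")
            inside, body = True, []
        elif line == END and inside:
            inside = False
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error:
                problems.append(f"line {n}: certificate body is not valid base64")
                continue
            if not der.startswith(b"\x30"):
                problems.append(f"line {n}: decoded data is not a DER SEQUENCE")
            count += 1
        elif "-----" in line:
            problems.append(f"line {n}: unexpected or malformed armor line {line!r}")
        elif inside:
            body.append(line)
        elif line:
            problems.append(f"line {n}: text outside a certificate block")
    if inside:
        problems.append("file ends inside a certificate (missing END line)")
    return count, problems

# Constructed sample: two stacked blocks of 48 filler bytes, not real certificates.
_FAKE = base64.b64encode(b"\x30\x2e" + bytes(46)).decode()
SAMPLE = f"{BEGIN}\n{_FAKE}\n{END}\n".encode() * 2

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE), ("CRLF", SAMPLE.replace(b"\n", b"\r\n"))):
        print(label, lint_pem_bundle(blob))
```

Read the real file in binary mode, for example lint_pem_bundle(open(path, "rb").read()), so line endings are not normalised before the check.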

