Today I came across a distinct problem: a valid SSL certificate on Apache was not accepted by mobile clients. I had a system where a valid SSL certificate was deployed and mod_jk was enabled; in spite of that, mobile clients (especially the default Android browser) were unable to access the site. Initially I checked the following things on the server:
1. Whether the given certificate is really valid or not - to validate, I clicked the lock icon on the left side of the address bar and checked the certificate details, and found it is signed by an authorized CA and valid as well.
2. I checked the location of the following certificate files on the server: server.crt and the private key file.
3. I checked whether I can access the site from different browsers on my laptop and whether any browser complains - that was also fine.
4. I also checked whether the site is accessible from other mobile browsers (e.g. Opera Mini on Android) - that was also fine.
5. At last I wanted to check the configuration information in httpd.conf and httpd-ssl.conf (these names may differ based on server configuration - sometimes tomcat.conf) - and I realized that SSLCertificateChainFile was missing. Out of the 3 main file configurations, only the first 2 were in the correct place. I put the 3rd file in place as well and everything went smooth like candy....
SSLCertificateFile (Server Certificate - .crt file)
SSLCertificateKeyFile (Server Private Key - .key file)
SSLCertificateChainFile (Server Certificate Chain - .crt file)
To verify whether a given domain holds a valid SSL certificate or not, there is a useful tool provided by Verisign: https://ssl-tools.verisign.com/#certChecker
Lesson learnt: Other browsers like Firefox and Chrome will be able to access it smoothly without bothering about SSLCertificateChainFile, but mobile browsers especially will look for the whole chain to be in the correct place.
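
The same check can be made from the command line by looking at which certificates the server actually sends. The script below is an added example, not part of the original post; the hostname and both sample outputs are constructed placeholders. The function reads openssl s_client output and reports whether only the server certificate came back or the server certificate plus its chain.

```shell
#!/usr/bin/env bash
# Live use (hostname is a placeholder):
#   openssl s_client -connect www.example.com:443 -servername www.example.com \
#       </dev/null 2>/dev/null | chain_status

chain_status() {
    # Reads s_client output on stdin and counts the entries listed under
    # "Certificate chain" (the certificates the server sent). Prints:
    #   leaf-only     only the server certificate was sent, no intermediates
    #   chain-sent N  N certificates were sent (server cert + chain)
    #   no-certs      no certificate chain section was found
    awk '
        /^Certificate chain/       { in_chain = 1; next }
        /^---$/ && in_chain        { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { n++ }
        END {
            if (n == 0)      print "no-certs"
            else if (n == 1) print "leaf-only"
            else             print "chain-sent " n
        }'
}

sample_leaf_only() {   # constructed: server without SSLCertificateChainFile
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.com
   i:CN = Example Intermediate CA
---
Server certificate
EOF
}

sample_full_chain() {  # constructed: server with SSLCertificateChainFile set
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.com
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
Server certificate
EOF
}

echo "without chain file: $(sample_leaf_only | chain_status)"
echo "with chain file:    $(sample_full_chain | chain_status)"
```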