Certificate not secure

This forum is dedicated to everything related to the StartCom Certification Authority, including installation issues and questions surrounding SSL certificates.
T-J
Posts: 1
Joined: Wed Feb 15, 2017 7:51 am

Certificate not secure

Postby T-J » Wed Feb 15, 2017 7:57 am

Hi!
In Google Chrome it is shown to me that the certificate is not valid.
[Attachment: zert.PNG]


Why is the valid certificate not shown to me as safe?

Regards

ybnrml86@gmail.com
Posts: 2
Joined: Wed Feb 15, 2017 1:19 pm

Re: Certificate not secure

Postby ybnrml86@gmail.com » Wed Feb 15, 2017 1:22 pm

I have the same issue just on Chrome. Used some of the SSL Checker sites out there and they verified that all is well.

I am using a Beta version of Chrome though so that might be part of the problem. IE, Edge, Firefox are all showing OK.
Version 57.0.2987.37 beta (64-bit)

My site
https://citrix.anthonyagro.com

ybnrml86@gmail.com
Posts: 2
Joined: Wed Feb 15, 2017 1:19 pm

Re: Certificate not secure

Postby ybnrml86@gmail.com » Wed Feb 15, 2017 2:33 pm

Looks to be an intentional move by Google.

https://security.googleblog.com/2016/10 ... rtcom.html
"Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21, 2016 00:00:00 UTC will not be trust"

Same for Mac
https://support.apple.com/en-us/HT202858
"Apple products will block certificates from WoSign and StartCom root CAs if the "Not Before" date is on or after 1 Dec 2016 00:00:00 GMT/UTC."
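
As an added example (not code from anyone in this thread), here is a small Python check that applies the two cutoffs quoted above to a certificate's issuer organisation and its notBefore value as written in X.509 (ASN.1 UTCTime or GeneralizedTime). The issuer names and dates at the bottom are constructed samples, not real certificates.

```python
from datetime import datetime, timezone

# Cutoffs quoted in the two notices above, both in UTC.
CHROME_CUTOFF = datetime(2016, 10, 21, tzinfo=timezone.utc)  # Chrome 56: issued *after* this
APPLE_CUTOFF = datetime(2016, 12, 1, tzinfo=timezone.utc)    # Apple: notBefore *on or after* this

# Issuer organisation names the notices apply to (matched case-insensitively).
AFFECTED_ISSUERS = ("startcom", "wosign")


def parse_asn1_time(value):
    """Parse an X.509 validity time: UTCTime 'YYMMDDHHMMSSZ' or
    GeneralizedTime 'YYYYMMDDHHMMSSZ' (RFC 5280, section 4.1.2.5)."""
    if not value.endswith("Z"):
        raise ValueError("only Zulu-time values are supported: %r" % value)
    digits = value[:-1]
    if len(digits) == 12:  # UTCTime: two-digit year, 50..99 -> 19xx, 00..49 -> 20xx
        yy = int(digits[:2])
        year, rest = (1900 if yy >= 50 else 2000) + yy, digits[2:]
    elif len(digits) == 14:  # GeneralizedTime: four-digit year
        year, rest = int(digits[:4]), digits[4:]
    else:
        raise ValueError("unrecognised ASN.1 time: %r" % value)
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def distrusting_vendors(issuer_org, not_before):
    """Return which of the quoted vendors reject a certificate whose issuer
    organisation is `issuer_org` and whose notBefore field is `not_before`."""
    if not any(name in issuer_org.lower() for name in AFFECTED_ISSUERS):
        return []  # the notices only cover WoSign and StartCom roots
    issued = parse_asn1_time(not_before)
    vendors = []
    if issued > CHROME_CUTOFF:    # "after October 21, 2016 00:00:00 UTC"
        vendors.append("Chrome 56+")
    if issued >= APPLE_CUTOFF:    # "on or after 1 Dec 2016 00:00:00 GMT/UTC"
        vendors.append("Apple")
    return vendors


if __name__ == "__main__":
    # Constructed sample issuers and notBefore values, not real certificates.
    samples = [("StartCom Ltd.", "160915120000Z"), ("StartCom Ltd.", "161115000000Z"),
               ("WoSign CA Limited", "20170301083000Z"), ("Let's Encrypt", "20170301083000Z")]
    for org, nb in samples:
        print(org, nb, "->", distrusting_vendors(org, nb) or "not covered by these notices")
```

The notBefore string can be copied from `openssl x509 -noout -startdate`-style output only after converting it to the raw ASN.1 form; the function deliberately takes the certificate's own encoding so the cutoff comparison is done in UTC.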

s.gostev@marvel.kz
Posts: 2
Joined: Fri Mar 03, 2017 4:52 am

Re: Certificate not secure

Postby s.gostev@marvel.kz » Fri Mar 03, 2017 4:57 am

Hello,
I have some problems with Chrome, Opera & Safari.
How can I fix it? It's a big problem for me.

frederick.henderson@meos.ch
Posts: 1
Joined: Mon Mar 13, 2017 6:06 pm

Re: Certificate not secure

Postby frederick.henderson@meos.ch » Mon Mar 13, 2017 6:15 pm

It looks like at this point you can only replace the SSL Certificate with one from another company. There is no sign that Google Chrome or Firefox will be trusting StartCom certificates any time in the near future. Try Let's Encrypt if you are looking for free single domain certificates. These are only good for a maximum of three months but in many web hosting control panels it is possible to automate the generation and installation of these domain SSL certificates. If you need SSL Certificates with validation or wildcards then you will need to find another SSL Certificate company.

neilgunton
Posts: 7
Joined: Wed Mar 15, 2017 4:48 am
Location: Albany, OR

Re: Certificate not secure

Postby neilgunton » Wed Mar 15, 2017 4:53 am

I develop and run a collection of community sites that are segmented by subdomain. Also, these subdomains can be arbitrary and dynamic. So, I really value the ability to create single certs with StartSSL that have many alt names, and wildcards. As far as I know, this is the only company that does this for a low flat fee. I just started getting feedback from my users that they are starting to see the "untrusted certificate" error, and research led me to discover that StartSSL had been acquired by WoSign, a Chinese company. Also, both Mozilla and Google are dropping their trust of these certificates. This is really bad news, does anybody have any information on when this will be fixed? If not, why not? How can they run a cert company that isn't trusted by the major browsers?

If it's not on the cards, then does anybody know of a company that does what StartSSL does (i.e. multiple alt names on one cert, plus wildcards, for reasonable flat fee)? I need to fix this soon.

I'm really sad that apparently StartSSL got bought out. Why does that always have to happen to the good small companies. Oh well.

Or, if there's somewhere else I should be posting, apologies in advance.

Thanks

Neil

neilgunton
Posts: 7
Joined: Wed Mar 15, 2017 4:48 am
Location: Albany, OR

Re: Certificate not secure

Postby neilgunton » Thu Mar 16, 2017 10:30 pm

Since my post I have discovered how StartSSL is handling this. Basically you have to do a Class 3 OV (organization verification, I assume), which means you have to be incorporated as a company, or equivalent. There doesn't seem to be any charge from StartSSL for doing the Class 3 OV verification, though you do have to send them various forms of proof of identity. Also, I wasn't incorporated, but it was quick and easy to do that online with the State of Oregon where I am. Took about 10 minutes to register as an LLC, and $100, and done. You are even in the online business database immediately, which is refreshingly cool for a government operation. Then you give StartSSL your Articles of Organization (just a pdf I got from Oregon, in my case), and maybe a photo or two of your passport and yourself holding the passport etc. All pretty standard stuff that I've been through before with these guys when I got my original cert, so I wasn't too worried about it. StartSSL has far and away the cheapest and most flexible multiple domain / wildcard certs on the market, bar none, so it's worth imho jumping through a few hoops for them. Especially if it's security related, to me that just says they take it seriously, which is a Good Thing.

So anyway, I got my LLC set up, got verified by StartSSL for Class 3 OV, then all I had to do was go in and create my certificate as usual. Still no charge, since they are not charging for certs at the moment while they are having their problem with the browser trust issue. Then, and this is the crucial step, you have to contact them (I did it through their chat option, since it's more real time) and ask them to give you a cert from Camerfirma. They are doing this because they have some sort of deal with Camerfirma, and that is a CA which will be trusted by all the major browsers. What they do is pass along the cert you defined in the StartSSL web interface to Camerfirma, and then they send you back the cert via email. First, you have to recharge your StartSSL account with $120 to cover that process, but it gives you the combination of the flexibility of StartSSL (wildcards + multiple domains in one cert, important to me) with the trust of the Camerfirma CA.

Right now I am at the point where I have made the cert and paid the money, and been in touch with StartSSL, and they have passed it off to Camerfirma, so I am waiting for the final cert. Hopefully it'll work just like the StartSSL ones do, and cover all my sites with one cert.

If it does work, then it means you don't have to go elsewhere, as long as you're able to be a business and pay $120 then you can get all the benefits of the StartSSL certs, but without the trust issue. It may not be the same everywhere, but here in Oregon the registration of an LLC was absurdly simple and quick, and my tax accountant tells me it won't complicate the way I take donations from my website - I have been doing business as myself up to now, and apparently that won't really have to change in any meaningful way. I won't have to mess with stupid stuff like payroll or whatever, which is nice.

Anyway, just thought I'd post that update. Hope it all works, I'll post another update when I have the cert working.

Neil

neilgunton
Posts: 7
Joined: Wed Mar 15, 2017 4:48 am
Location: Albany, OR

Re: Certificate not secure

Postby neilgunton » Fri Mar 17, 2017 7:39 pm

Update: Just got the new Camerfirma cert from StartCom, installed it on my server (along with the intermediate and root certs, which they also sent me), and it works great. It's obviously a temporary solution, but the cert is still good for 2 years and hopefully by then StartSSL will have their problems resolved with the major browsers.

So, if you are having problems with browsers giving "untrusted" warnings with your StartSSL certs, then the solution seems to be:

1. Register as an organization - here in the USA, even a basic LLC was sufficient, as long as you get the Documents of Organization and can be found in whatever online business search database exists for your state. This might be a non-issue for those who are already companies, but for an individual like me it was an additional step. After talking with my tax accountant, she told me that the LLC would have the least impact on how I do business.

2. Go to StartSSL and do their Class 3 OV process. You'll probably have to send them your documentation for the company/LLC, as well as photos of yourself and your passport, driver license etc. This was unnerving when I first did it, but now I know StartCom is not some scam I'm ok with it. Just security measures, and good to know they take it kinda seriously.

3. Once you have your Class 3 OV completed, then you go create your certificate as you normally would in the StartSSL website interface.

4. Recharge your StartSSL account with $120

5. Contact StartSSL (chat is most real-time) and tell them you would like to get the Camerfirma cert. They will contact you same or next day with the cert. It doesn't seem to be automatically available under the Toolbox, as the regular StartSSL certs are; in my case the customer service rep sent it to me over the chat interface. They also send the intermediate and root certs, and I just put all of them into the same file for ease of installation on Apache.

That's it! Surprisingly, it all worked first time, and now my websites work again with browsers like the latest Chrome 57.

Hope this is useful to others... it was giving me headaches trying to figure out how I would fix this, but thankfully StartCom have a pretty ok workaround in place until they get the underlying problems fixed. Hopefully that'll be within two years. I think it's worthwhile sticking with them, since they really do have the best prices I have seen for having a large number of alt name domains on one cert, as well as wildcards, not to say unlimited ability to create certs once you are verified. I'm not shilling for them, I have no connection at all, just relaying what I've found fwiw.

Neil

p.s. I should also note that the $120 only gets you ONE of the Camerfirma certs, so it's probably best to list as many of your domains and wildcards on the one cert as possible, otherwise additional Camerfirma certs cost (I think) something like $30 after the initial $120 one. I could be wrong on that, though, so obviously check first with StartCom to see what the deal is there if you need multiple certs.

Jacob
Posts: 1
Joined: Wed Mar 22, 2017 6:39 am

Re: Certificate not secure

Postby Jacob » Wed Mar 22, 2017 6:44 am

Hi Neil,

Thank you for the detailed explanation and the procedure to be taken. Quite helpful.

dave@beefydog.com
Posts: 1
Joined: Sun Apr 09, 2017 4:31 pm

Re: Certificate not secure

Postby dave@beefydog.com » Sun Apr 09, 2017 4:37 pm

ybnrml86@gmail.com wrote:
> Looks to be an intentional move by Google.
>
> https://security.googleblog.com/2016/10 ... rtcom.html
> "Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21, 2016 00:00:00 UTC will not be trust"
>
> Same for Mac
> https://support.apple.com/en-us/HT202858
> "Apple products will block certificates from WoSign and StartCom root CAs if the "Not Before" date is on or after 1 Dec 2016 00:00:00 GMT/UTC."

That would explain why a lot of mine work just fine, but any newer ones do not.
Thanks. I've found that Register.com SSL certs work just fine on their low price certs w/o an organization (and associated hoopla) - so, if this is the reason for Google, Apple and other browser vendors to reject StartSSL certs, then, it's clearly not working.