Mumble forums

StartSSL changes since last howto


Glowsome

Just a heads up from someone who is using Murmur and is using StartSSL certificate(s).


Just a few days ago I refreshed my server certificate according to the tutorial as written on https://wiki.mumble.info/wiki/Obtaining_a_StartCom_Murmur_Certificate, to find out that it's not working as expected.

While awaiting my 'wiki' authorisation to change the article, I wanted to just vent out the things I have encountered (and solved).


First of all, in the article it gets the intermediate certificate and then cats it to the signed certificate...


The certificate to be obtained is not the one listed, as it's deprecated... The (intermediate) certificate to wget is now:

wget --no-check-certificate https://startssl.com/certs/sca.server1.crt

 

After grabbing that, simply rename it to sub.class1.server.ca.pem, and use it for the rest of the howto as described.


Next to that, I also had to refresh my own client certificate as it was due to expire.

So I replaced it, to then find out it was no longer being accepted by my server:

 

<23:(-1)> SSL Error: The root CA certificate is not trusted for this purpose
<23:(-1)> SSL Error: No certificates could be verified
<23:(-1)> Connection closed:  [-1]

 

It turns out that for client-verification StartSSL now uses a different intermediate CA.


The solution to this is adding the (new) intermediate Client CA https://startssl.com/certs/sca.client1.crt to the ssl_mumble_concat.crt itself.


To do so, do the following after you've cat'ed the certificate with the intermediate CA (as described above):

 

wget --no-check-certificate https://startssl.com/certs/sca.client1.crt
cat sca.client1.crt >> ssl_mumble_concat.crt

 

After having done this, follow the howto as described to point to the correct files.


Side note: I'm a beginner Linux person, so probably some steps can be shortened with more understanding, but this worked for me... If you have improvements please post them back, 'cause I am a learning person.


- Glowsome
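
An added example, not part of the original post: the commands above fetch the intermediates with `--no-check-certificate`, which skips TLS validation of the download, so this sketch checks each file against a SHA-256 fingerprint obtained out of band before appending it to `ssl_mumble_concat.crt`. The function names are hypothetical, the fingerprint in the usage comment is a placeholder, and the downloaded files are assumed to be PEM-encoded.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the downloaded .crt files are
# PEM-encoded (the cat step needs that) and GNU coreutils are installed.

# Print the SHA-256 of the DER bytes of the single certificate in PEM file $1
# as lowercase hex (the value `openssl x509 -fingerprint -sha256` reports,
# without the colons).
pem_fingerprint() {
    [ -r "$1" ] || return 1
    # Refuse empty files and files carrying more than one certificate.
    [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1")" -eq 1 ] || return 1
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
        grep -v -e '-----' | tr -d ' \r\n' | base64 -d 2>/dev/null |
        sha256sum | cut -d' ' -f1
}

# Append certificate $1 to bundle $2 only if its fingerprint equals $3
# (hex; colons and upper case accepted). Returns 1 and leaves the bundle
# untouched on a mismatch or unreadable input.
append_pinned() {
    actual=$(pem_fingerprint "$1") || return 1
    want=$(printf '%s' "$3" | tr -d ':' | tr 'A-F' 'a-f')
    if [ "$actual" != "$want" ]; then
        echo "fingerprint mismatch for $1: got $actual" >&2
        return 1
    fi
    # A bundle whose last line has no newline would glue the END and BEGIN
    # markers together, which breaks PEM parsing; add the newline first.
    if [ -s "$2" ] && [ -n "$(tail -c 1 "$2")" ]; then
        echo >> "$2"
    fi
    cat "$1" >> "$2"
}

# Usage (the fingerprint is a placeholder to be obtained out of band):
#   append_pinned sca.client1.crt ssl_mumble_concat.crt "<SHA-256 fingerprint>"
```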


  • Moderators

Thanks for your contribution!


Do you mean to say that you need two intermediate certs cat-ed into the cert file?


(We should probably actually change those instructions; Mumble has an sslCA configuration parameter specifically for intermediate cert bundles, which would make updating certificates one or two steps simpler - assuming they don't change the intermediate certs by next time)


If you wanted to make changes to the Wiki yourself, post your Wiki username here (or PM me it) and I'll ask the people in charge to get you approved ASAP. If not, I'll work out what the instructions should say in the next couple of days and update them (all the cool kids are using LetsEncrypt now, haha).

Full disclosure: I used to run a commercial Mumble host, and my opinions do not reflect the opinions of the Mumble project.


> Thanks for your contribution!
>
> Do you mean to say that you need two intermediate certs cat-ed into the cert file?

Yes, that's exactly what I meant.

> all the cool kids are using LetsEncrypt now, haha

I haven't looked into that part. Any howtos you could point me to?
