StartSSL changes since last howto

It crashed, it is bugged, ...

Postby Glowsome » Sun Jun 26, 2016 11:33 pm

Just a heads-up from someone who is using Murmur and is using StartSSL certificate(s).

Just a few days ago I refreshed my server certificate according to the tutorial as written on https://wiki.mumble.info/wiki/Obtaining_a_StartCom_Murmur_Certificate to find out that it's not working as expected.
While awaiting my 'wiki' authorisation to change the article, I wanted to just vent the things I have encountered (and solved).

First of all, in the article it gets the intermediate certificate and then cats it to the signed certificate.

The certificate to be obtained is not the one listed, as it's deprecated. The (intermediate) certificate to wget is now:
Code:
wget --no-check-certificate https://startssl.com/certs/sca.server1.crt


After grabbing that, simply rename it to sub.class1.server.ca.pem and use it for the rest of the howto as described.

Next to that, I also had to refresh my own client certificate as it was due to expire.
So I replaced it, to then find out it was no longer being accepted by my server:

Code:
<23:(-1)> SSL Error: The root CA certificate is not trusted for this purpose
<23:(-1)> SSL Error: No certificates could be verified
 <23:(-1)> Connection closed:  [-1]


It turns out that for client-verification StartSSL now uses a different intermediate CA.

The solution to this is adding the (new) intermediate Client CA https://startssl.com/certs/sca.client1.crt
to the ssl_mumble_concat.crt itself.

To do so, do the following after you've cat'ed the certificate with the intermediate CA (as described above):

Code:
wget --no-check-certificate https://startssl.com/certs/sca.client1.crt
cat sca.client1.crt >> ssl_mumble_concat.crt


After having done this, follow the howto as described to point to the correct files.

Side note: I'm a beginner Linux person, so probably some steps can be shortened with more understanding, but this worked for me... If you have improvements please post them back, because I am a learning person.

- Glowsome
Glowsome
 
Posts: 3
Joined: Sun Jun 26, 2016 11:07 pm
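
An added example, not part of Glowsome's post or the Mumble wiki: a check that ssl_mumble_concat.crt is still a well-formed bundle after the `cat >>` steps above, since appending a file that lacks a trailing newline fuses two PEM markers onto one line. The function names are hypothetical, and the demo input is constructed placeholder text, not real certificates.

```shell
#!/bin/sh
# Added example, not from the thread. File names follow the posts above.

# check_bundle FILE: print the number of certificate blocks in FILE and
# return 0 only if every BEGIN/END marker sits alone on its line and is paired.
check_bundle() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF downloads
        /-----BEGIN CERTIFICATE-----/ {
            # A fused "-----END ...----------BEGIN ...-----" line means a file
            # without a trailing newline was appended with cat >>.
            if ($0 != "-----BEGIN CERTIFICATE-----" || inside) bad = 1
            inside = 1; next
        }
        /-----END CERTIFICATE-----/ {
            if ($0 != "-----END CERTIFICATE-----" || !inside) bad = 1
            inside = 0; count++; next
        }
        END { if (inside) bad = 1; print count + 0; exit (bad ? 1 : 0) }
    ' "$1"
}

# list_bundle FILE: show subject and issuer of each certificate, in file order
# (requires the openssl command-line tool and real certificates).
list_bundle() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Demo on constructed input: placeholder base64, not real certificates.
demo_dir=$(mktemp -d)
fake_cert() { printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----'; }
{ fake_cert; echo; fake_cert; echo; fake_cert; echo; } > "$demo_dir/ssl_mumble_concat.crt"
{ fake_cert; fake_cert; echo; } > "$demo_dir/fused.crt"   # missing newline between blocks
for f in ssl_mumble_concat.crt fused.crt; do
    if n=$(check_bundle "$demo_dir/$f"); then
        echo "$f: $n certificate blocks, markers OK"
    else
        echo "$f: malformed bundle ($n complete blocks found)"
    fi
done
```

On a real bundle, `list_bundle ssl_mumble_concat.crt` shows which certificates are in the file and in what order.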

Re: StartSSL changes since last howto

Postby fwaggle » Mon Jun 27, 2016 9:08 am

Thanks for your contribution!

Do you mean to say that you need two intermediate certs cat-ed into the cert file?

(We should probably actually change those instructions: Mumble has an sslCA configuration parameter specifically for intermediate cert bundles, which would make updating certificates one or two steps simpler, assuming they don't change the intermediate certs by next time.)

If you wanted to make changes to the Wiki yourself, post your Wiki username here (or PM me it) and I'll ask the people in charge to get you approved ASAP. If not, I'll work out what the instructions should say in the next couple of days and update them (all the cool kids are using LetsEncrypt now, haha).
Full disclosure: I used to run a commercial Mumble host, and my opinions do not reflect the opinions of the Mumble project.
Avatar is stolen from here
fwaggle
Team member
 
Posts: 218
Joined: Tue Oct 06, 2009 10:40 pm
Location: Australia

Re: StartSSL changes since last howto

Postby Glowsome » Mon Jun 27, 2016 9:21 am

fwaggle wrote: Thanks for your contribution!

Do you mean to say that you need two intermediate certs cat-ed into the cert file?

Yes, that's exactly what I meant.

fwaggle wrote: all the cool kids are using LetsEncrypt now, haha

I haven't looked into that part. Any howtos you could point me to?
Glowsome
 
Posts: 3
Joined: Sun Jun 26, 2016 11:07 pm

