Hi guys,
I built a website which runs on Hunchentoot. Now it's time to buy an SSL certificate. When I downloaded the QuickSSL Trial cert I found out that not all browsers accept it. After a little research I found out that another certificate must be installed. This means it's a "chain root certificate", not a "single root". But it seems Hunchentoot has no capability to work with chained certificates. CL+SSL has an interesting function called USE-CERTIFICATE-CHAIN-FILE, but when I use it before creation of my ssl-acceptor the latter doesn't respond to browsers. What can I do in order to fix this issue? Thanks in advance.
Semion,
can you please supply us with a minimal test case and pointers to the certificate files that you have tried?
Thanks, Hans
On Wed, Sep 1, 2010 at 12:40, Semion Prihodko semion.ababo@gmail.com wrote:
tbnl-devel site list tbnl-devel@common-lisp.net http://common-lisp.net/mailman/listinfo/tbnl-devel
The code is very simple.
;; begin of new code
(cl+ssl:reload)
(cl+ssl:use-certificate-chain-file "mysite.cer")    ; my site
(cl+ssl:use-certificate-chain-file "geotrust.cer")  ; intermediate
(cl+ssl:use-certificate-chain-file "geotrust+.cer") ; root
;; end of new code

(make-instance 'ssl-acceptor
               :ssl-certificate-file (car ssl-security)
               :ssl-privatekey-file (cdr ssl-security)
               :port (get-config-value :website-port))
Forgot to attach the certificates. Here they are.
Please post links to the certificates, too. Thanks.
I have sent them to you.
Hi Semion,
you can put all your certificates in one file: first root, then intermediate, then your site. It should work that way.
Best regards, Vsevolod
I just checked and the "chain" stuff seems to be available in LispWorks as well:
http://www.lispworks.com/documentation/lw60/LW/html/lw-442.htm
As Semion mentioned the existence of such a function in CL+SSL, it looks like it should be possible to support chained certificates in Hunchentoot in a portable way (meaning LW and the rest). So, if someone wants to send a patch...
Edi.
No, in that case I get ERR_SSL_PROTOCOL_ERROR.
I'm not familiar with chained certificates. How would you use your certificate with Apache for example?
Edi.
Hmm, probably like this:
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcertificatechainfile
I think Apache supports adding one additional certificate. To do that you must add the following line:
SSLCACertificateFile cert_filename
in the configuration file.
I use:
SSLCertificateFile      /usr/local/etc/apache22/certs/billstclair.com.crt
SSLCertificateChainFile /usr/local/etc/apache22/certs/gd_bundle.crt
SSLCertificateKeyFile   /usr/local/etc/apache22/certs/billstclair.com.key
billstclair.com.crt contains my certificate, signed by the GoDaddy CA. gd_bundle.crt contains the GoDaddy CA certificate and another CA certificate that signs it.
-Bill
This is really a problem, because most certificates that can be purchased use an intermediate root certificate... I really don't understand why this issue was not taken into consideration in the Hunchentoot design.
We're sorry to hear that Hunchentoot does not meet your requirements. We implemented the features that we need, and chained certificate support was not required by us. You are welcome to send a patch. We can also offer paid support.
-Hans
Actually I think that Hunchentoot is a great web server, so don't take it to heart. And I very much appreciate what all you guys do.
By the way, the issue is solved; no patch needed. The problem was the documentation of CL+SSL:USE-CERTIFICATE-CHAIN-FILE, which was not clear. After reading the appropriate OpenSSL call reference I understood that only a single file needs to be added. In that file I need to place 2 certificates (in PEM format): the website's and the following intermediate CA's. Now it's working. Thanks a lot.
On Wed, Sep 1, 2010 at 4:46 PM, Semion Prihodko semion.ababo@gmail.com wrote:
This is really a problem, because most certificates that can be purchased use an intermediate root certificate... I really don't understand why this issue was not taken into consideration in the Hunchentoot design.
This is the way open source software works. Some hackers write code they need and give it away for free, others add features they deem worthwhile, and so on. If you need something that's not in there, add it yourself or pay someone to do it for you. The general rule is: You get what you paid for...
Edi.
Hi,
I had a similar problem some time ago but no time to investigate.
I think the chain cert must be provided at a separate place in the SSL handshake. There's a special openssl function and it seems to be exported in cl+ssl:
| CL+SSL:USE-CERTIFICATE-CHAIN-FILE (certificate-chain-file)
|
| Loads a PEM encoded certificate chain file certificate-chain-file and
| adds the chain to global context. The certificates must be sorted
| starting with the subject's certificate (actual client or server
| certificate), followed by intermediate CA certificates if applicable,
| and ending at the highest level (root) CA.
So it's probably not very hard. There was also a patch available somewhere online but it didn't work for me back then.
HTH, Steffen
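The ordering rule in that docstring, and the single-file fix Semion arrived at above, can be checked before the bundle is handed to CL+SSL. The following Python is an added example, not code from this thread or from CL+SSL: it walks the outer DER structure of each certificate in a PEM bundle and reports any certificate that is not issued by the one after it (leaf first, root last). It assumes an issuer's subject Name is copied byte for byte into the certificates it signs, and the sample certificates it builds are constructed, unsigned stand-ins with made-up names.

```python
import base64
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def tlv(buf, pos):   # decode one DER tag + length at pos -> (tag, value_start, tlv_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(cert):
    """Raw DER of the issuer and subject Names of one X.509 certificate."""
    _, start, _ = tlv(cert, 0)              # Certificate SEQUENCE
    _, pos, end = tlv(cert, start)          # tbsCertificate SEQUENCE
    fields = []                             # (start, end) of serial, sigAlg, issuer, validity, subject, ...
    while pos < end:
        tag, _, nxt = tlv(cert, pos)
        if tag != 0xA0:                     # skip the optional [0] EXPLICIT version
            fields.append((pos, nxt))
        pos = nxt
    return cert[fields[2][0]:fields[2][1]], cert[fields[4][0]:fields[4][1]]

def check_chain_order(bundle):
    """Each certificate must be issued by the one after it (leaf first, root last),
    the order CL+SSL:USE-CERTIFICATE-CHAIN-FILE / OpenSSL expect. Returns a problem list."""
    certs = [issuer_and_subject(base64.b64decode("".join(b.split()))) for b in PEM_CERT.findall(bundle)]
    if not certs:
        return ["no PEM certificates found"]
    return [f"cert {i} is not issued by cert {i + 1}"
            for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]

# Constructed sample input: unsigned stand-ins with the real X.509 field layout (no keys).
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def name(cn):   # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
def fake_cert(subject_cn, issuer_cn):
    alg = der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))   # sha256WithRSA
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(issuer_cn) + der(0x30, b"") + name(subject_cn))
    b64 = base64.b64encode(der(0x30, tbs + alg + der(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

LEAF = fake_cert("www.example.test", "Example Intermediate CA")
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")
GOOD_BUNDLE = LEAF + INTERMEDIATE + ROOT    # leaf first, as the docstring requires
BAD_BUNDLE = ROOT + INTERMEDIATE + LEAF     # root first, the order that failed in the thread
```

Run `check_chain_order` on the file you intend to pass to USE-CERTIFICATE-CHAIN-FILE; an empty list means the order matches what OpenSSL expects.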