SSL error with private certificate

Hello,

I have my own certificate for my domain which is a 4096 and SHA-256. When I change the certificate in the mineos.cfg I get the following error:

[04/Mar/2015:14:40:35] ENGINE Error in HTTPServer.tick
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/cherrypy/wsgiserver/wsgiserver2.py", line 1837, in start
    self.tick()
  File "/usr/lib/python2.7/dist-packages/cherrypy/wsgiserver/wsgiserver2.py", line 1902, in tick
    s, ssl_env = self.ssl_adapter.wrap(s)
  File "/usr/lib/python2.7/dist-packages/cherrypy/wsgiserver/ssl_builtin.py", line 52, in wrap
    keyfile=self.private_key, ssl_version=ssl.PROTOCOL_SSLv23)
  File "/usr/lib/python2.7/ssl.py", line 487, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python2.7/ssl.py", line 241, in __init__
    ciphers)
SSLError: [Errno 336265225] _ssl.c:355: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

I don’t know really anything except that 4096 is twice the norm and so may be causing an issue. Just a thought.

Or maybe you haven’t added the other files as well as the key or cert file, whatever.

Which cert attributes did you change and what did you fill instead? Copy/paste your mineos.conf and we can try to make more sense of it (this isn’t any security hazard to sharing mineos.conf).

Hey, here it is:

server.ssl_module = "builtin"
server.ssl_certificate = "/etc/ssl/certs/domain.crt"
server.ssl_private_key = "/etc/ssl/certs/domain.key"
server.ssl_ca_certificate = "/etc/ssl/certs/root.ca.crt"
server.ssl_certificate_chain = "/etc/ssl/certs/inter.crt"

But it feels like it’s the private key it complains about.

Unfortunately, the error you provided initially I’m not sure how to use to full effect. For example, I was able to successfully install a wildcard certificate with only the following changes:

server.ssl_module = "builtin"
server.ssl_certificate = "/root/wildcard.crt"
server.ssl_private_key = "/root/wildcard.key"
server.ssl_ca_certificate = "/root/InCommon.crt"
server.ssl_certificate_chain =

That doesn’t mean that you shouldn’t be using the SSL cert chain, but it also tells me that the certificates required–chained or not–are more specific than the general knowledge I have of setting up SSLs.

Who issued your cert and what kind was it? Perhaps the issuer has some documentation on how it’d be set up in Apache, etc. and then I can translate that into the corresponding config for CherryPy.

Same instructions as for every certificate.

<VirtualHost _default_:443>
DocumentRoot /home/httpd/private
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

# The three files the CA hands out: the server certificate, its private key,
# and the intermediate (chain) certificate that links the server cert to the root.
SSLCertificateFile /usr/local/apache/conf/ssl.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key
SSLCertificateChainFile /usr/local/apache/conf/sub.class1.server.ca.pem
CustomLog /usr/local/apache/logs/ssl_request_log \
   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Though I feel like I could probably figure it out in a minute with guess and check, since sharing keys/certificates is not something you do, I can only recommend what I think would be the best approaches.

For starters, from what I’ve read, pem files are certificates and keys, whereas that’s probably not what you’re trying to include–just the key. So, I’d probably start out with splitting that data out.

openssl x509 -outform der -in sub.class1.server.ca.pem -out a_new_cert_file.crt

From there, I’d actually ignore the ‘chain’ part of the instructions and instead match up the ca portion from the filename to the ca part that’s in the ca_certificate config line. That way you’d have files that correspond with a known-working configuration that I used.

This isn’t a very systematic approach (in case I’m wrong!), but apparently there’s a lot of really convoluted standards in play here.

We can keep trying till we figure it out.
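The traceback earlier in the thread ends in OpenSSL's SSL_CTX_use_PrivateKey_file ... PEM lib, which is what OpenSSL reports when the key file handed to CherryPy's builtin adapter cannot be parsed as PEM: a DER file where PEM was expected, a certificate in the key slot, a truncated or mangled file, or a passphrase-protected key that a non-interactive server cannot unlock. Before guessing and checking, it is cheaper to look at what is actually inside each file. The script below is an added example, not code from this thread or from the CherryPy or MineOS projects: it parses the PEM structure of the key and certificate files, names the likely cause, and then reproduces the load the adapter does using Python's own ssl module. The sample blobs at the bottom are constructed placeholders with dummy base64 bodies, not real keys or certificates.

```python
"""Inspect the certificate and key files named in mineos.cfg before
changing the config.  Added example (not from the forum thread or the
CherryPy project).  OpenSSL's "SSL_CTX_use_PrivateKey_file:PEM lib"
error means the key file could not be parsed as PEM, so the checks
below look at the PEM structure itself."""
import os
import re
import ssl
import tempfile

# One PEM block: BEGIN label, optional RFC 1421 headers, base64 body, END label
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

KEY_LABELS = {b"PRIVATE KEY", b"RSA PRIVATE KEY", b"EC PRIVATE KEY",
              b"DSA PRIVATE KEY", b"ENCRYPTED PRIVATE KEY"}


def pem_blocks(data):
    """Return [(label, headers, base64_body)] for every PEM block in data."""
    blocks = []
    for m in PEM_BLOCK.finditer(data):
        label, body = m.group(1), m.group(2).replace(b"\r\n", b"\n")
        headers, b64 = [], body
        if b"\n\n" in body:  # headers such as Proc-Type end at a blank line
            head, b64 = body.split(b"\n\n", 1)
            headers = [h.strip() for h in head.splitlines() if b":" in h]
        blocks.append((label, headers, b64))
    return blocks


def diagnose_key_file(data):
    """Explain why OpenSSL would reject data as a PEM private key."""
    blocks = pem_blocks(data)
    if not blocks:
        if data[:1] == b"\x30":  # DER SEQUENCE tag: binary ASN.1, not PEM
            return "not PEM: looks like DER; convert with 'openssl rsa -inform der'"
        return "no PEM block: file is empty, truncated, or has mangled BEGIN/END lines"
    labels = [b[0] for b in blocks]
    key_blocks = [b for b in blocks if b[0] in KEY_LABELS]
    if not key_blocks:
        if b"CERTIFICATE" in labels:
            return "file holds a certificate, not a private key (paths swapped?)"
        return "no private key block; found: " + ", ".join(l.decode() for l in labels)
    for label, headers, _ in key_blocks:
        encrypted = label == b"ENCRYPTED PRIVATE KEY" or any(
            h.startswith(b"Proc-Type") and b"ENCRYPTED" in h for h in headers)
        if encrypted:
            return ("private key is passphrase-protected; a non-interactive "
                    "server cannot unlock it, strip the passphrase first")
    return "key file is well-formed PEM"


def diagnose_cert_file(data):
    """Same idea for the certificate file (which may bundle a chain)."""
    labels = [b[0] for b in pem_blocks(data)]
    certs = labels.count(b"CERTIFICATE")
    if certs == 0:
        return "no CERTIFICATE block found"
    if any(l in KEY_LABELS for l in labels):
        return "certificate file also contains a private key; keep them in separate files"
    if certs > 1:
        return "%d certificates: leaf plus %d more bundled as a chain" % (certs, certs - 1)
    return "single certificate, well-formed PEM"


def try_load(cert_bytes, key_bytes):
    """Reproduce what the builtin adapter does: hand both files to OpenSSL.
    Returns None on success, otherwise the error text OpenSSL produced."""
    with tempfile.TemporaryDirectory() as d:
        cert_path, key_path = os.path.join(d, "c.pem"), os.path.join(d, "k.pem")
        with open(cert_path, "wb") as f:
            f.write(cert_bytes)
        with open(key_path, "wb") as f:
            f.write(key_bytes)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            ctx.load_cert_chain(cert_path, key_path)
        except OSError as e:  # ssl.SSLError is a subclass of OSError
            return str(e)
    return None


# Constructed samples (not real keys): dummy base64 bodies, enough for the
# structural checks above but deliberately not loadable by OpenSSL.
GOOD_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: AES-256-CBC,0011\n\nQUJD\n-----END RSA PRIVATE KEY-----\n")
CERT = b"-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
DER_BLOB = b"\x30\x82\x01\x00"

if __name__ == "__main__":
    for name, blob in [("key", GOOD_KEY), ("encrypted key", ENCRYPTED_KEY),
                       ("cert-as-key", CERT), ("der", DER_BLOB)]:
        print(name, "->", diagnose_key_file(blob))
    print("cert ->", diagnose_cert_file(CERT + CERT))
    print("openssl says:", try_load(CERT, GOOD_KEY))
```

To run it against the real files, replace the constructed blobs with the contents of the paths from mineos.cfg (open(path, "rb").read()). openssl can confirm the same things from the shell: openssl rsa -in domain.key -check -noout parses the key, and comparing the output of openssl x509 -in domain.crt -noout -modulus with openssl rsa -in domain.key -noout -modulus shows whether the certificate and key actually belong together.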

I’m using the StartSSL certificate and was using their wizard on the site. I deleted the certificates and keys and started over new. This time I created the csr on the server and not with their wizard. And I’ve skipped the root and ca certificates and am only using cert.crt and cert.key, and it’s working fine now. Seems to be some problem with their key while using their online wizard.

But I don’t know if the following error is because of CherryPy?

I can’t be certain. All the times I’ve ever installed an SSL in CherryPy it’s been with a wildcard cert where I required all three fields in the config: it may differ for different certs, but I cannot say for sure. If the browser is reporting the certificate is secure, on the other hand, it’s likely doing just fine in CherryPy.

Regarding that error, however, do you think that’s related to this Chrome issue? I’m guessing you’re on Chrome 40 now–if so, it might very likely be Cherrypy and I’ll have to see what we can do. After all, because of SSL issues, Cherrypy cannot be updated to 3.3.x because of bugs introduced by 3.2.5/3.3.0 that don’t exist in 3.2.3, but maybe they have it fixed by now.

You may be seeing the message

"Your connection to example.com is encrypted with obsolete cryptography."

or

"The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it."

This usually means that the connection to the current website is using an outdated ciphersuite.
SSLv3 is being disabled in Chrome at the start of 2015, due to the POODLE attack. See Adam Langley’s announcement.
SHA-1 is deprecated in Chrome at the start of 2015.
Certificates expiring in 2016 will be marked as “secure, but with minor errors”.
Certificates expiring in 2017 or later will be treated as “affirmatively insecure”.
Read the official blog post announcement for more details.
is currently still supported in Chrome.
MD5 is disabled for certificate signatures.
It is still permitted for message authentication in the HMAC-MD5 construction (which does not depend on collision resistance).

Ok, I’ll check the links. Please see what you can find about Cherry in the meantime :smile: