1100433 - checkout.durabrac.com doesn't send the full cert chain

Status: RESOLVED FIXED

(Web Compatibility :: Site Reports, defect)

Description

[andrew]

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2221.0 Safari/537.36

Steps to reproduce:

Visit https://checkout.durabrac.com


Actual results:

Site doesn't load and gives the "This Connection is Untrusted" warning. See more info at http://cl.ly/image/45182B3p0b2C


Expected results:

Connection should be verified, just like in Chrome/IE/Safari.

Comment 1

[Boris Zbarsky [:bzbarsky]]

The site doesn't seem to be sending the full cert chain, at first glance.

Comment 2

[andrew]

(In reply to Please do not ask for reviews for a bit [:bz] from comment #1)
> The site doesn't seem to be sending the full cert chain, at first glance.

It's sending the primary root, intermediate, and then the final SSL123.

Comment 3

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

(In reply to andrew from comment #2)
> (In reply to Please do not ask for reviews for a bit [:bz] from comment #1)
> > The site doesn't seem to be sending the full cert chain, at first glance.
> 
> It's sending the primary root, intermediate, and then the final SSL123.

I'm not seeing the intermediate or root either - just the end-entity certificate.

Comment 4

[andrew]

I'm taking another look at the server's config, but you can view the full hierarchy in any other browser if you want to compare.

Comment 5

[andrew]

It seems that the CPanel is bugged out and won't install the CA Bundle.

Comment 6

[:Cykesiopka]

https://www.ssllabs.com/ssltest/analyze.html?d=checkout.durabrac.com suggests that the intermediate is now sent.

I can also connect successfully using a fresh profile and my normal dirty profile on Aurora 37.