*.appspot.com certificate chain in Chrome, Safari and IE


Carlos Rodrigues

Aug 23, 2010, 7:39:29 AM
to Google App Engine
Hi all,

I'm developing a small application on GAE that requires HTTPs, however
I'm having some trouble with the "*.appspot.com" certificate.

On Chrome, Safari and IE on Windows I get a certificate validation
error. This error appears to be related to the certificate validation
path, because the topmost authority is "Google Internet Authority" and
shows as "Not found".

On Firefox there is no error, and the certificate chain correctly
shows Equifax as the root CA and "Google Internet Authority" as an
intermediate CA.

On the Mac both Firefox and Safari work without showing any errors.

Is there a way around this? I can't expect users to trust the
application if they get a certificate error on Windows in every
browser except Firefox.

So a summary of tested browsers:

* Internet Explorer 8 (Windows): error
* Safari (Windows): error
* Safari (OS X): OK
* Chrome (Windows): error
* Firefox (Windows): OK
* Firefox (OS X): OK

It appears that browsers which use the integrated certificate
infrastructure on Windows are affected, and others are not.

I know that Windows supports intermediate CAs because I've tested it.
But it seems to require that the website itself provides the
intermediate CAs certificate (for example, on Apache this would be the
"SSLCertificateChainFile /path/to/intermediate-ca.crt" option).

Google App Engine does not appear to do this.

Best regards,
Carlos Rodrigues

Carlos Rodrigues

Aug 25, 2010, 5:27:54 AM
to Google App Engine
Hi again,

Any ideas? This is a show-stopper as far as secure applications go...

Best regards,

Robert Kluin

Aug 25, 2010, 5:19:24 PM
to google-a...@googlegroups.com
I only get a certificate error if I go to
https://test.xx.appspot.com. I do not get errors going to
https://xx.appspot.com.

I tested with IE and Chrome and Windows.

Robert


Carlos Rodrigues

Aug 26, 2010, 10:42:24 AM
to Google App Engine
Since the problem only happens with browsers that rely on Windows'
certificate infrastructure, the version of Windows matters.

I've tested with IE 8 on Windows 7 and Windows Server 2008, and the
problem occurs. I've also tested with IE 7 on Windows XP and Windows
Server 2003, and the problem does not occur.

I did not test with Windows Vista.

It seems that older versions of Windows follow the certificate chain
(by downloading it from somewhere), while the more recent versions
only follow it if the webserver itself provides the intermediate CA's
certificate (as I said, I've tested with other sites that use
intermediate CAs and they show no errors - because the intermediate
CA's certificate is being provided by Apache using the option I
mentioned before).

Best regards,

On Aug 25, 10:19 pm, Robert Kluin <robert.kl...@gmail.com> wrote:
> I only get a certificate error if I go to https://test.xx.appspot.com. I do not get errors going to https://xx.appspot.com.
>
> I tested with IE and Chrome and Windows.
>
> Robert
>

Carlos Rodrigues

Aug 26, 2010, 10:44:33 AM
to Google App Engine
BTW, this is not a problem exclusive to GAE. The certificate for
"code.google.com" also seems to have changed recently and I just got a
warning from TortoiseSVN that the new certificate cannot be validated
because the certificate chain is incomplete.

Best regards,

Robert Kluin

Aug 26, 2010, 1:45:42 PM
to google-a...@googlegroups.com
Interesting. You are right, I probably checked using an XP VM, not a Win 7 VM.

James

Aug 26, 2010, 3:38:32 PM
to Google App Engine
I believe that's a standard limitation of wildcard SSL certs.

See my recent post here:
http://groups.google.com/group/google-appengine-java/browse_thread/thread/13f4674c5ef0a83f/2b3a8d16b96d9c0c


On Aug 25, 5:19 pm, Robert Kluin <robert.kl...@gmail.com> wrote:
> I only get a certificate error if I go to https://test.xx.appspot.com. I do not get errors going to https://xx.appspot.com.
>
> I tested with IE and Chrome and Windows.
>

Matthew Blain

Aug 26, 2010, 9:36:03 PM
to Google App Engine
This works for me on Windows 7. It's possible that the root
certificates on your Windows machine are somehow missing the Equifax
Secure Certificate Authority root certificate (also sometimes listed
as GeoTrust)? Have you edited your list? I see a suggestion online to
also check Windows Updates to see if there's a certificate update,
though I believe this is not a recent CA.

--Matthew

Carlos Rodrigues

Aug 27, 2010, 5:13:08 AM
to Google App Engine
The Equifax certificate is there, but the problem is with the
intermediate CA's certificate (Google's), which isn't found.

If it works for you on Windows 7, maybe you have Google's CA
certificate installed. This would certainly make the error go away,
but we can't ask users to do this (because most won't).

@James: This is not a limitation of wildcard certificates because it
works on Firefox but also with all browsers I've tested on Windows XP
and OS X (including Safari, which shows the error on Windows 7).

Best regards,

Carlos Rodrigues

Aug 27, 2010, 5:44:44 AM
to Google App Engine
Sorry, you are right. The problem is that the Windows 7 certificate
store does not have the Equifax root certificate out of the box (on
Windows XP it does). The number of root certificates included with
Windows 7 out of the box is actually quite low.

The machines where I tested this and got an error (Windows 7 and 2008)
are fully updated (including the root certificates update). However
they are behind a proxy server, and maybe the root certificates update
doesn't work over a proxy server. I manually installed the root
certificates update again
(http://www.microsoft.com/downloads/en/confirmation.aspx?familyId=e4f9b573-66d7-4dda-95d5-26c7d0f6c652&displayLang=en)
with the machine connected directly to the internet and it populated the
certificate store with the missing root certificates.

I guess this is still a problem, but only for users that do not update
or that are behind HTTP proxy servers (corporate users, mostly).

Best regards,
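As an added illustration (not code from this thread or from App Engine), here is a constructed Python model of the path building the thread ends up debugging. It treats certificates as (subject, issuer) name pairs only, with no signature or validity checks, and separates the two failure modes discussed: the server not sending its intermediate, and the client's store lacking the Equifax root. The `fetchable` parameter stands in for on-demand downloads (an intermediate via AIA, or a root via the OS root-update service) that a proxy can block; the three certificate names are stand-ins, not real certificates.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: names only, no signature."""
    subject: str
    issuer: str


# Constructed stand-ins for the three certificates named in the thread.
LEAF = Cert("*.appspot.com", "Google Internet Authority")
GOOGLE_IA = Cert("Google Internet Authority", "Equifax Secure Certificate Authority")
EQUIFAX_ROOT = Cert("Equifax Secure Certificate Authority",
                    "Equifax Secure Certificate Authority")


def build_path(presented, trusted_roots, fetchable=(), max_depth=5):
    """Chain the server's leaf up to a trusted root; returns (path, status).

    presented     -- certs sent by the server, leaf first (a server that omits
                     its intermediate sends only [leaf]).
    trusted_roots -- self-signed roots already in the client's store.
    fetchable     -- certs the client can obtain on demand: an intermediate via
                     AIA, or a root via the OS root-update service. Leave empty
                     to model a client whose proxy blocks those downloads.
    """
    roots = set(trusted_roots) | {c for c in fetchable if c.subject == c.issuer}
    # A root merely *sent* by the server is never trusted on that basis.
    pool = [c for c in list(presented[1:]) + list(fetchable) if c.subject != c.issuer]
    path = [presented[0]]
    for _ in range(max_depth):
        current = path[-1]
        root = next((r for r in roots if r.subject == current.issuer), None)
        if root is not None:
            return path + [root], "ok"
        nxt = next((c for c in pool if c.subject == current.issuer), None)
        if nxt is None:
            return path, f"issuer not found: {current.issuer}"
        path.append(nxt)
    return path, "path too long"


def diagnose(presented, trusted_roots, fetchable=()):
    """Verdict string of the kind the browsers in the thread showed."""
    path, status = build_path(presented, trusted_roots, fetchable)
    return status if status == "ok" else f"{status} (chain stops at {path[-1].subject})"
```

`diagnose([LEAF, GOOGLE_IA], set())` models the Windows 7 machine behind the proxy (no Equifax root, no root update), while `diagnose([LEAF], {EQUIFAX_ROOT})` models a client whose store is fine but whose server omitted the intermediate and which cannot fetch it.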