https (SSL server) access causing error box to appear in Opera but not IE??
Carlos C. Gonzalez
I am setting up some SSL access for my site and am testing it through the
following link:
https://secure.qwk.net/~internet/CONTENT_contact.html
CONTENT_contact.html is just a file with some incomplete HTML in it (i.e.
no body, head, or other structure type tags in it).
For some reason Opera pops open a box saying....
"The server's certificate chain is incomplete, and the signer(s) are not
registered. Accept?"
Now I have it from the web hosting company who is very competent and an
excellent hoster that their certificate has not expired or is otherwise
faulty.
No such box appears through IE when I access the same link though of
course this doesn't mean a whole lot given IE's tendency to fudge,
smudge, and not report on non-standard errors.
Still I am wondering if visitor's to my site using Opera will always see
such a box on an otherwise valid certificate? Is there anything I can do
about this? Any instructions I should pass along to visitor's who might
be using Opera to access the SSL secured areas of my site?
I am using Opera 5.12. My hoster gets the same box appearing when he
tries to access the link above too. I am running my Opera on Windows 98.
Any insight on this?
Thanks.
---
Carlos
www.internetsuccess.ca
Yngve Nysaeter Pettersen (Developer, Opera Software A/S)
include the full certificate chain, which is why you get the warning.
In addition, if the server had provided the whole chain Opera would
instead said that the signer was unknown, and offered a chance to
install the root certificate.
At present the Certificate Authority used by this site (Entrust) is
not among those preshipped with Opera.
--
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer Email: yn...@opera.com
Opera Software ASA http://www.opera.com/
Phone: +47 24 16 42 51 Fax: +47 24 16 40 01
********************************************************************
Carlos C. Gonzalez
yn...@opera.com said...
[original post snipped]
> The root certificate is unknown to Opera, and the server does not
> include the full certificate chain, which is why you get the warning.
So how can qwk.net (my hoster) include the full certificate chain so that
Opera does not balk at it? They are very cooperative and I am sure that
they would be willing to do something if they knew what to do?
It is not just a matter of my being able to get around this question box
that appears in my Opera browser but also one of my hoster making
accomodations for visitors who might visit my site using Opera from all
over the world. But again what do they do to accomodate Opera?
How can they get Opera to read the full certificate chain?
They are not aware of anything wrong with their certificate. It is
neither expired or invalid.
What is a full certificate chain?
>
> In addition, if the server had provided the whole chain Opera would
> instead said that the signer was unknown, and offered a chance to
> install the root certificate.
>
> At present the Certificate Authority used by this site (Entrust) is
> not among those preshipped with Opera.
So how do I get Opera to include and recognize this Certificate
Authority?
Is the root certificate the same as the underlying Certificate Authority?
In this case Entrust?
Thanks for any further input on this. I want to get Opera to work just
as well for my visitors if not better than IE (with all it's bug
overlooking) in terms of this issue.
Any further input on this would be much appreciated.
Thanks.
---
Carlos
www.internetsuccess.ca
Yngve Nysaeter Pettersen (Developer, Opera Software A/S)
<aperlpr...@yahoo.com> wrote:
>Yngve Nysaeter Pettersen (Developer, Opera Software A/S) at
>yn...@opera.com said...
>
>[original post snipped]
>
>> The root certificate is unknown to Opera, and the server does not
>> include the full certificate chain, which is why you get the warning.
>
>So how can qwk.net (my hoster) include the full certificate chain so that
>Opera does not balk at it? They are very cooperative and I am sure that
>they would be willing to do something if they knew what to do?
This is a configuration issue on the server, possibly also related to
how they downloaded the certificate, or how the server constructs the
certificate chain.
>It is not just a matter of my being able to get around this question box
>that appears in my Opera browser but also one of my hoster making
>accomodations for visitors who might visit my site using Opera from all
>over the world. But again what do they do to accomodate Opera?
>
>How can they get Opera to read the full certificate chain?
The server must send the entire chain
>They are not aware of anything wrong with their certificate. It is
>neither expired or invalid.
>
>What is a full certificate chain?
When the server send the certificate indentifying the server it must
not just send the server's own certificate, but also the certificate
of the Certificate Authority that signed the certificate (and of the
CA that signed that cert) until the certificate is selfsigned.
>
>>
>> In addition, if the server had provided the whole chain Opera would
>> instead said that the signer was unknown, and offered a chance to
>> install the root certificate.
>>
>> At present the Certificate Authority used by this site (Entrust) is
>> not among those preshipped with Opera.
>
>So how do I get Opera to include and recognize this Certificate
>Authority?
Installing the relevant Entrust Root certificate will do that.
>Is the root certificate the same as the underlying Certificate Authority?
>In this case Entrust?
Yes