Having issues with (AlphaSSL) Wildcard SSL.


tereb...@gmail.com

Jan 18, 2015, 7:51:47 PM
to prosod...@googlegroups.com
I am currently encountering an issue with Prosody where I cannot have an AlphaSSL Wildcard become recognized by Windows Pidgin clients, whereas regular StartSSL certificates work just fine.

It doesn't make much sense to me, I'm encountering no errors and SSL Labs has confirmed that the website (which uses the same certificate) recognizes the certificate along with intermediate change as verifiable.

Is it possible to have an AlphaSSL become recognized in clients when incorporating it with Prosody?

Pidgin:

Accept certificate for adastra.re?

The certificate for adastra.re could not be validated.

The certificate is not trusted because no certificate that can verify it is currently trusted.

Cert Details:

Certificate Information

Common name: *.adastra.re

Issued By: CN=AlphaSSL CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Fingerprint (SHA1): e0:f2:20:3d:85:3a:9e:59:b5:6f:18:5b:33:41:5a:a6:b3:38:78:f2

Activation date: Sun Jan 18 13:11:08 2015

Expiration date: Tue Jan 19 13:11:08 2016

Matthew Wild

Jan 19, 2015, 8:34:10 AM
to Prosody IM Users Group
Hi,

On 19 January 2015 at 00:51, <tereb...@gmail.com> wrote:
> I am currently encountering an issue with Prosody where I cannot have an
> AlphaSSL Wildcard become recognized by Windows Pidgin clients, whereas
> regular StartSSL certificates work just fine.
>
> It doesn't make much sense to me, I'm encountering no errors and SSL Labs
> has confirmed that the website (which uses the same certificate) recognizes
> the certificate along with intermediate change as verifiable.
>
> Is it possible to have an AlphaSSL become recognized in clients when
> incorporating it with Prosody?
>
> Pidgin:
>
> Accept certificate for adastra.re?
>
> The certificate for adastra.re could not be validated.
>
> The certificate is not trusted because no certificate that can verify it is
> currently trusted.
>
> Cert Details:
>
> Certificate Information
>
> Common name: *.adastra.re

This is probably the issue. *.adastra.re does not cover adastra.re
itself, only the subdomains. Possibly your website is hosted on the
'www' subdomain?

You can use https://xmpp.net/ to test your XMPP server's certificate,
it's similar to SSL Labs but for XMPP.

I think StartSSL might include the main domain as well as the
subdomain, I can't remember, but that might be why it works.

Regards,
Matthew

Thijs Alkemade

Jan 19, 2015, 8:45:50 AM
to prosod...@googlegroups.com
Hi,

According to the 14 hour old result on xmpp.net, this is wrong, the
certificate does contain a subject alt name for adastra.re.

However, neither GlobalSign (which is the root) nor AlphaSSL is in the Pidgin
certificate list:


Pidgin on Windows comes with its own list of certificates to trust (which is
quite a lot smaller than those typically trusted by OSes/browsers), you should
open a ticket with Pidgin to ask them to include GlobalSign.

Regards,
Thijs

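The two diagnoses raised in this thread (a wildcard name that does not cover the bare domain, and an issuing CA that is missing from the client's own trust list) can be told apart with a check like the following. This is an added Python example, not code from any post or from Prosody or Pidgin; the function names are hypothetical, the trust-store contents are constructed, and the trust check compares CA names only, whereas a real client verifies signatures.

```python
# Added example: DNS name matching with RFC 6125 wildcard rules, followed by
# a simplified, name-based trust-anchor lookup. All sample data is constructed
# except the names quoted from the thread.

def _labels(name):
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """True if one subjectAltName dNSName entry covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False              # a wildcard stands for exactly one label
    if any("*" in label for label in p[1:]):
        return False              # wildcard is only valid in the left-most label
    if p[0] == "*":
        # Conservative choice: require at least two fixed labels after "*".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covers(hostname, san_dns_names):
    return any(san_matches(s, hostname) for s in san_dns_names)

def diagnose(hostname, san_dns_names, chain, client_trust_store):
    """chain: CA names from the leaf's issuer up to the root (simplified)."""
    if not covers(hostname, san_dns_names):
        return "name-mismatch"
    trusted = {n.lower() for n in client_trust_store}
    if not any(ca.lower() in trusted for ca in chain):
        return "untrusted-issuer"
    return "ok"

# Names taken from the thread.
WILDCARD_ONLY = ["*.adastra.re"]
WITH_APEX = ["*.adastra.re", "adastra.re"]
CHAIN = ["AlphaSSL CA - SHA256 - G2", "GlobalSign"]

# Constructed trust stores: a broad OS/browser-style list and a smaller
# client-bundled list that lacks the root.
BROAD_STORE = {"GlobalSign", "Example Root CA"}
SMALL_STORE = {"Example Root CA"}

if __name__ == "__main__":
    print(diagnose("adastra.re", WILDCARD_ONLY, CHAIN, BROAD_STORE))
    print(diagnose("adastra.re", WITH_APEX, CHAIN, BROAD_STORE))
    print(diagnose("adastra.re", WITH_APEX, CHAIN, SMALL_STORE))
```

A name mismatch and an untrusted issuer need different fixes: the first is solved by reissuing the certificate with the bare domain in its subject alt names, the second only by changing what the client trusts.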