Updating expired StartCom Class 1 Primary Intermediate Server CA certificate

Certificate Error

Yesterday, Thunderbird popped up a stern certificate warning message stating that the "certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature".

That's interesting -- I've used this certificate for close to a year now (it expires in a couple of months) and hadn't made any changes.

After examining the certificate details for longer than I would care to admit, I finally realized that the problem was with the Intermediate CA certificate (it expired on 2012-10-22), not my host certificate, which is still good. I use a StartSSL certificate on the web server as well and it was the same problem there. Fortunately, fixing this was easy.

Apache

First identified the Intermediate certificate file Apache is using (SSLCertificateChainFile directive), then checked the date:

ak@web:~$ openssl x509 -noout -dates -in /etc/ssl/certs/StartSSL.sub.class1.server.ca.pem
notBefore=Oct 24 20:54:16 2007 GMT
notAfter=Oct 22 20:54:16 2012 GMT

Then downloaded the latest one:

root@web:~# curl -s http://www.startssl.com/certs/sub.class1.server.ca.pem > /etc/ssl/certs/StartSSL.sub.class1.server.ca.pem

Then confirmed it's ok at the shell:

ak@web:~$ openssl x509 -noout -dates -in /etc/ssl/certs/StartSSL.sub.class1.server.ca.pem
notBefore=Oct 24 20:54:17 2007 GMT
notAfter=Oct 24 20:54:17 2017 GMT

Then confirmed it's ok using a web browser. Nice. One thing that was interesting is that when I refreshed the page, Firefox (version 16 for Linux) picked up the change, while Chrome (Chromium 20 for Linux) didn't, not even after a restart -- had to clear the cache (Settings > Privacy > Clear browsing data... > Empty the cache), before the certificate warning went away.

Postfix

Postfix was only a bit trickier. Because I'm running Postfix chrooted (Debian default), it's using certs that are in /var/spool/postfix/etc/ssl/certs/ca-certificates.crt. It seems that the postfix init script places them there by grabbing from /etc/ssl/certs/, so the process is to identify which file contains the certificate for the StartCom Class 1 Primary Intermediate Server CA (in my case it was /etc/ssl/certs/StartSSL.sub.class1.server.ca.pem), update that and restart Postfix so it regenerates /var/spool/postfix/etc/ssl/certs/ca-certificates.crt:

root@mx:~# curl -s http://www.startssl.com/certs/sub.class1.server.ca.pem > /etc/ssl/certs/StartSSL.sub.class1.server.ca.pem
root@mx:~# /etc/init.d/postfix restart

Now, after restarting my Thunderbird mail client, examining the certificate (Edit > Settings > Security > View Certificates > Authorities > StartCom Ltd. > StartCom Class 1 Primary Intermediate Server CA > View > Validity) shows the new expiration date of 10/24/2017. Nice.
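The `openssl x509 -dates` check used in the Apache and Postfix sections, generalized as an added example (not part of the original post): it walks every certificate in a PEM file, so it works on a single intermediate as well as on a multi-certificate bundle such as the chrooted ca-certificates.crt, and flags anything expired or close to expiry. The function name `check_chain_expiry` and the 30-day default are assumptions chosen for illustration.

```shell
#!/bin/sh
# check_chain_expiry FILE [DAYS]   (hypothetical helper, added example)
# Reports notAfter for every certificate in a PEM file: leaf, intermediates
# or a whole CA bundle. Returns 0 if all certificates stay valid for at least
# DAYS more days (default 30), 1 if any is expired or expires sooner, and
# 2 if the file contains no certificate.
# Usage: check_chain_expiry /etc/ssl/certs/StartSSL.sub.class1.server.ca.pem 60
check_chain_expiry() {
    file=$1
    days=${2:-30}
    secs=$((days * 86400))
    tmpdir=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate so that each one can be
    # inspected on its own (openssl x509 only reads the first cert in a file).
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$file"

    rc=0
    for pem in "$tmpdir"/cert*.pem; do
        if [ ! -e "$pem" ]; then
            echo "no certificates found in $file" >&2
            rc=2
            break
        fi
        subject=$(openssl x509 -noout -subject -in "$pem")
        enddate=$(openssl x509 -noout -enddate -in "$pem")
        # -checkend N exits 0 only if the cert is still valid N seconds from now.
        if openssl x509 -noout -checkend "$secs" -in "$pem" >/dev/null; then
            echo "OK       $enddate  $subject"
        else
            echo "EXPIRING $enddate  $subject"
            rc=1
        fi
    done

    rm -rf "$tmpdir"
    return $rc
}
```

Run from cron against the chain file and the Postfix bundle, a non-zero exit gives advance notice of an intermediate that is about to lapse while the host certificate is still good.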

P.S. Here's the exact error message:

You are about to override how Thunderbird identifies this site.

Legitimate banks, stores, and other public sites will not ask you to do this.

Server: duck.mxcow.com
Certificate Status

  This site attempts to identify itself with invalid information

  Unknown Identity

  Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature.

4 Comments

  • 1. Toralf Förster replies at 27th October 2012, 10:20 am :

    Thx, helped me to fetch news from my preferred news server again.

  • 2. ccomb replies at 21st November 2012, 5:14 pm :

    thanks too !

  • 3. Someone replies at 29th December 2012, 7:06 am :

    Very helpful thx.

  • 4. nh2 replies at 31st August 2014, 3:11 pm :

    I’ve filed a bug for this: https://bugzilla.mozilla.org/show_bug.cgi?id=1060981
