
I bought a wildcard SSL from RapidSSL. It has been working great on my AWS load balancer, but recently, I noticed that the same certificate was not working on our test server, which is not on the load balancer, when one of our old 2nd generation test iPhones accesses it. This led me to run RapidSSL's certificate checker against our test server. It claimed that the server was returning a self-signed certificate, which was very puzzling. I checked with another one of RapidSSL's online checkers and got more detailed results showing the self-signed certificate.

The strange thing is that when you go to the website on the test server in any modern browser, you get the correct certificate and the correct CA certificate as well. I even found another SSL checker on the internet which said everything was fine. I have checked, double-checked and triple-checked my http.conf file:

NameVirtualHost *:443
<VirtualHost *:443>
    ServerName test.MYDOMAIN.com
    DocumentRoot /var/www/html/
    SSLEngine on
    SSLProtocol all
    SSLCACertificateFile /usr/local/ssl/crt/cmint.crt
    SSLCertificateFile /usr/local/ssl/crt/cm.crt
    SSLCertificateKeyFile /usr/local/ssl/crt/cm.key
</VirtualHost>

Everything works fine and I don't expect the issue is anything with the cert files. Just somewhere in my or Amazon's configuration, I am getting this self-signed cert served to old devices when they access an instance which is not using the load balancer.

David
  • From what you've described, I'd say it was more like the older device browsers not having the trusted root cert for RapidSSL. I've seen similar issues with older iOS devices (running older versions of iOS), but a lack of that wouldn't result in it showing as self-signed. – SmallClanger Jul 02 '12 at 20:32
  • If this were true, I would expect that the load balancer would not work either. I do have the intermediate CA included as you can see above. – David Jul 02 '12 at 22:07

1 Answer


Do you use a NameVirtualHost on this server? I wonder if SNI is at fault here. Try IE on Win XP (or one of the other combinations listed on the Wikipedia page) and see if that causes the self-signed certificate.

The page says that iOS > 4.0 has SNI support so presumably, earlier versions don't.

I suspect you have a default vhost with a self-signed certificate which never shows up for browsers with SNI support.

Ladadadada
  • Thank you! You were correct. There was a default setting in ssl.conf which it was reverting back to. Once I copied the SSL cert info into it, it began working correctly on the old devices. – David Jul 03 '12 at 01:57
  • +1. Good spot. Hadn't thought of SNI. – SmallClanger Jul 03 '12 at 11:19
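The check Ladadadada's answer proposes can be made without hunting for an old device: open two TLS connections to the test server, one that sends the SNI `server_name` extension and one that does not, and compare the leaf certificate each one gets back. The script below is an added example and not code from this thread; it assumes the `openssl` command-line tool is installed (used only to print subject and issuer) and takes the hostname and port as arguments. A self-signed certificate on the non-SNI connection only, as in the question, means the default vhost (the `_default_:443` block in ssl.conf that David ended up editing) is what non-SNI clients are really talking to.

```python
"""Probe a TLS endpoint with and without SNI and compare what it serves.

Added example, not code from the thread. Assumes the `openssl` CLI is on PATH.
Usage: python sni_probe.py test.example.com 443
"""
import hashlib
import socket
import ssl
import subprocess
import sys


def fetch_der(host: str, port: int, use_sni: bool) -> bytes:
    """Return the leaf certificate (DER bytes) the server presents.

    With use_sni=False the ClientHello carries no server_name extension,
    which is what a pre-4.0 iOS client or IE on Windows XP sends, so the
    server answers with whatever its default vhost is configured with.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # we want to see a wrong cert, not fail on it
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if use_sni else None) as tls:
            return tls.getpeercert(binary_form=True)


def parse_openssl_text(text: str) -> dict:
    """Parse the 'subject=' / 'issuer=' lines printed by `openssl x509`."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("subject", "issuer"):
            fields[key.strip()] = value.strip()
    return fields


def describe(der: bytes) -> dict:
    """Subject, issuer and SHA-256 fingerprint of a DER certificate."""
    out = subprocess.run(
        ["openssl", "x509", "-inform", "DER", "-noout", "-subject", "-issuer"],
        input=der, capture_output=True, check=True,
    ).stdout.decode()
    info = parse_openssl_text(out)
    info["fingerprint"] = hashlib.sha256(der).hexdigest()
    return info


def diagnose(with_sni: dict, without_sni: dict) -> str:
    """Classify the difference between the SNI and non-SNI responses.

    A certificate whose issuer equals its subject is self-signed; if that is
    what the non-SNI connection gets while the SNI connection gets the real
    certificate, the default vhost is the culprit.
    """
    if with_sni["fingerprint"] == without_sni["fingerprint"]:
        return "same certificate with and without SNI"
    if without_sni["subject"] == without_sni["issuer"]:
        return "default vhost serves a self-signed certificate to non-SNI clients"
    return "default vhost serves a different certificate to non-SNI clients"


def main(argv):
    host = argv[1]
    port = int(argv[2]) if len(argv) > 2 else 443
    results = {}
    for use_sni in (True, False):
        info = describe(fetch_der(host, port, use_sni))
        results[use_sni] = info
        label = "with SNI   " if use_sni else "without SNI"
        print(f"{label}: subject={info['subject']!r} issuer={info['issuer']!r} "
              f"sha256={info['fingerprint'][:16]}...")
    print(diagnose(results[True], results[False]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the test server's hostname; the last line is the verdict. The same comparison can be done by hand with `openssl s_client -connect host:443 -servername host` versus `openssl s_client -connect host:443` and looking at the `subject=` and `issuer=` lines of each. Once the default vhost points at the same `SSLCertificateFile`, `SSLCertificateKeyFile` and `SSLCACertificateFile` as the named vhost, both connections should report the same fingerprint.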