Fix: RapidSSL “issuer certificate is unknown” error

Category: Linux, webserver — Published by tengo on September 7, 2011 at 10:04 am

Recently I came across an error after I updated a RapidSSL certificate on a server. A first indication that things are a little different than a few years ago was that RapidSSL issued a 2048-bit instead of a 1024-bit RSA key.
Still, I didn't expect anything to behave differently until I opened Mozilla Thunderbird. It complained about the SSL certificate being invalid with "issuer certificate is unknown". (German error: "Diese Website versucht sich mit ungültigen Informationen zu identifizieren: Unbekannte Identität")

A first check with RapidSSL's simplistic SSL checker strangely reported no errors.
But a check with the more in-depth RapidSSL chain checker tool indicated that my intermediate certificate was indeed invalid!

A little bit of reading revealed that RapidSSL had not only upgraded the RSA key length but also added a required so-called intermediate certificate to the validation chain, RapidSSL's "public certificate". This has to be installed on the server so that it is served to clients along with your own certificate.

Please Note: On December 9th, 2010 RapidSSL upgraded its root hierarchy to 2048bit RSA Keys to enhance the security of all SSL products. As a part of this upgrade, all newly issued certificates now require the installation of the new RapidSSL Intermediate CA along with your SSL certificate. The new Intermediate CA MUST be installed in order for your SSL certificate to be fully trusted in all browsers.

RapidSSL uses Intermediate CAs to enhance the security of SSL certificates. When installing a RapidSSL certificate, it is absolutely essential to install the correct Intermediate CA at the same time as the SSL certificate; this ensures that the SSL certificate is fully trusted by all browsers and prevents SSL errors from appearing when users visit the website.

In order to resolve the issue, go over to this knowledge base article and follow the instructions for your server. In my case, Apache2, I had to download the RapidSSL CA Bundle intermediate.crt.

Then, if you use mod_ssl, you have to insert these lines in your httpd.conf:
SSLCertificateFile /usr/local/ssl/crt/domainname.crt
SSLCertificateKeyFile /usr/local/ssl/private/server.key
SSLCACertificateFile /usr/local/ssl/crt/intermediate.crt
Note the last line pointing to intermediate.crt, the file we just downloaded from RapidSSL.

In my case things were a little different. On this server I use the Apache GnuTLS module, which lets me secure multiple websites on a single IP address by relying on SNI (Server Name Indication), which most browsers support: name-based SSL VirtualHosts with GnuTLS. (It seems mod_ssl has since implemented this ability and I could, or perhaps should, switch back to using it...) Nevertheless I still use it and had to find the equivalent of mod_ssl's SSLCACertificateFile directive for GnuTLS - so far without success.

Anyway, as you can read in this very helpful thread, GnuTLS has supported chained certificates since version 0.4.2.1, only the API for it seems absent. So the common trick to get the intermediate certificate into the chain is to append it to your existing .crt file so that it gets sent to the client's browser along with your own certificate.

The order in this file is important, otherwise you will get errors from Apache and connecting browsers: your own certificate must come first, followed by the RapidSSL intermediate.

do this: cat www.example.com.crt the-pem-file-from-RapidSSL.pem > www.example.com.combined.crt and reference the combined file as GnuTLSCertificateFile.
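As an added example that is not part of the original post, here is a small POSIX shell script that performs the cat step from above, then uses openssl to check that the server certificate really comes first in the combined file and is directly followed by the intermediate that signed it, and finally validates the result against the root the way a browser that only knows the root would. The function names, the file names and the toy root/intermediate/server chain it generates for the demo are my own assumptions; with a real RapidSSL certificate you would pass your own .crt and the downloaded intermediate.crt to build_chain.

```shell
#!/bin/sh
# Added example, not from the original post: build the combined certificate
# file that GnuTLSCertificateFile expects (your own certificate first, then
# the RapidSSL intermediate) and check the result with openssl before you
# reload Apache. File names and the toy CA below are constructed for the demo.
set -eu

# split_pems FILE DIR: write every certificate in the PEM bundle FILE to
# DIR/cert1.pem, DIR/cert2.pem, ... in the order they appear in FILE.
split_pems() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     { print > (dir "/cert" n ".pem") }' "$1"
}

# chain_order_ok FILE: succeed only if the issuer of the first certificate in
# FILE is the subject of the second, i.e. the server certificate comes first
# and is directly followed by the intermediate that signed it.
chain_order_ok() {
    tmp=$(mktemp -d)
    split_pems "$1" "$tmp"
    if [ ! -f "$tmp/cert2.pem" ]; then
        rm -rf "$tmp"        # only one certificate: the intermediate is missing
        return 1
    fi
    issuer=$(openssl x509 -in "$tmp/cert1.pem" -noout -issuer)
    subject=$(openssl x509 -in "$tmp/cert2.pem" -noout -subject)
    rm -rf "$tmp"
    # drop the "issuer=" / "subject=" prefixes and compare the names
    [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

# build_chain LEAF INTERMEDIATE OUT: the cat from the post, plus the order check.
build_chain() {
    cat "$1" "$2" > "$3"
    chain_order_ok "$3"
}

# verify_chain ROOT COMBINED: let openssl validate the server certificate in
# COMBINED against ROOT, using the intermediate from the same file as the
# untrusted link, which is what a browser that trusts only the root does.
verify_chain() {
    tmp=$(mktemp -d)
    split_pems "$2" "$tmp"
    if openssl verify -CAfile "$1" -untrusted "$tmp/cert2.pem" "$tmp/cert1.pem" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# make_toy_chain DIR: constructed root -> intermediate -> server chain for the
# demo (a stand-in for the RapidSSL hierarchy; nothing here contacts RapidSSL).
make_toy_chain() {
    dir=$1
    # the intermediate needs the CA bit, otherwise openssl verify rejects it
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Toy Root CA' \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Toy Intermediate CA' \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/inter.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" \
        -out "$dir/inter.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.com' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/inter.crt" \
        -CAkey "$dir/inter.key" -CAcreateserial -out "$dir/leaf.crt" 2>/dev/null
}

# Run as "sh chain.sh demo" to build the toy chain in a temp dir and check it.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_toy_chain "$d"
    if build_chain "$d/leaf.crt" "$d/inter.crt" "$d/combined.crt"; then
        echo "combined.crt: order ok (server certificate first, then intermediate)"
    else
        echo "combined.crt: wrong order or intermediate missing"
    fi
    if verify_chain "$d/root.crt" "$d/combined.crt"; then
        echo "combined.crt: chain verifies against the root"
    else
        echo "combined.crt: chain does NOT verify"
    fi
    rm -rf "$d"
fi
```

Both .crt files must end with a newline, otherwise cat fuses the END and BEGIN lines and chain_order_ok fails, which is the right outcome since Apache would trip over the same fused line. After reloading Apache, openssl s_client -connect www.example.com:443 -showcerts prints the certificates the server actually sends, which is the same thing the RapidSSL chain checker mentioned above looks at from the outside.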

Related reading:
The post that pointed me in the right direction
A German post tackling the same issue
RapidSSL SSL checker
RapidSSL intermediate.crt steps for Apache
RapidSSL change note