StartSSL SSL certificate showing up as net::ERR_CERT_AUTHORITY_INVALID in browser

I’ve “purchased” a 3 year StartSSL free Class 1 DV certificate for my development domain, and installed it on NGINX as per their instructions.

I notice that the nginx certificate they provide contains the DV certificate, with my 10 domain aliases added to it, and also the intermediate certificate, which they say should be valid according to the browser (I’ve tried it on Chrome and Firefox with similar results).

The certificate is appearing as invalid: https://gb.qa.vendigo.build/

However nearly every SSL validation tool is showing it as a complete chain, no problems at all, with the exception of one tool:

http://www.sslchecker.com/sslchecker?su=1e9941a064b5bc0b92fbfa310aae796b

which shows a missing ‘root’ certificate. However adding that root certificate doesn’t help, and in fact SSL checker (listed above) will then show root as present, but then list another missing certificate instead. Downloading and installing these certificates just makes that chain keep growing to no avail.

I’ve become quite stuck now! Am I missing something obvious or is this just a bad certificate?

nginx configuration looks like:

    # gb.qa.vendigo.build
    upstream cc574309c4214a6c01eb8d3dbe9f701eee9daf3d {
                ## Can be connect with "bridge" network
                # sample-1.antony-cert-test.11b35827
                server 172.17.0.6:80;
                ## Can be connect with "dockercloud" network
                # sample-1.antony-cert-test.11b35827
                server 10.7.0.24:80;
    }
    server {
        server_name gb.qa.vendigo.build;
        listen 80 ;
        listen [::]:80 ;
        access_log /var/log/nginx/access.log vhost;
        return 301 https://$host$request_uri;
    }
    server {
        server_name gb.qa.vendigo.build;
        listen 443 ssl http2 ;
        listen [::]:443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/vendigo.build.crt;
        ssl_certificate_key /etc/nginx/certs/vendigo.build.key;
        add_header Strict-Transport-Security "max-age=31536000";
        location / {
            proxy_pass http://cc574309c4214a6c01eb8d3dbe9f701eee9daf3d;
        }
    }
    

2 solutions collected from the web for “StartSSL SSL certificate showing up as net::ERR_CERT_AUTHORITY_INVALID in browser”

Thanks to my friend Geoff, and @tkausl for the rapid answers – StartSSL is no longer considered a reputable provider:

https://danconnor.com/posts/50f65364a0fd5fd1f7000001/avoid_startcom_startssl_like_the_plague_

and the link in @tkausl’s response, which oddly didn’t come up in any of my searches.

I guess I’ll be paying for a certificate then!

Distrusting New WoSign and StartCom Certificates

Check letsencrypt, it should satisfy your needs.
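
Added example, not part of the original thread: a Python check showing why chain checkers can report a complete chain while browsers still reject the certificate. It assumes its input is the text printed by `openssl x509 -noout -subject -issuer -startdate` for each certificate in the nginx bundle (leaf first), uses constructed sample values, and takes the 21 October 2016 cutoff from the browser vendors' WoSign/StartCom distrust announcements rather than from this page.

```python
from datetime import datetime, timezone

# Assumption (from the browser vendors' distrust announcements, not this page):
# StartCom/WoSign certificates issued after this instant are rejected.
CUTOFF = datetime(2016, 10, 21, tzinfo=timezone.utc)
DISTRUSTED = ("startcom", "wosign")
FIELDS = ("subject", "issuer", "notBefore")

# Constructed sample: what `openssl x509 -noout -subject -issuer -startdate`
# prints when run on each certificate of the bundle in turn, leaf first.
SAMPLE = """\
subject=CN = gb.qa.vendigo.build
issuer=C = IL, O = StartCom Ltd., CN = StartCom Class 1 DV Server CA
notBefore=Nov  5 09:30:00 2016 GMT
subject=C = IL, O = StartCom Ltd., CN = StartCom Class 1 DV Server CA
issuer=C = IL, O = StartCom Ltd., CN = StartCom Certification Authority
notBefore=Dec 16 01:00:05 2015 GMT
"""

def parse_certs(text):
    """Group subject=/issuer=/notBefore= lines into one dict per certificate."""
    certs = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if key == "subject":          # a subject line starts a new certificate
            certs.append({})
        if sep and certs and key in FIELDS:
            certs[-1][key] = " ".join(value.split())  # collapse padding
    return certs

def audit_chain(text):
    """Return (index, finding) tuples for a leaf-first certificate bundle."""
    certs = parse_certs(text)
    findings = []
    if certs:
        leaf = certs[0]
        issued = datetime.strptime(leaf["notBefore"], "%b %d %H:%M:%S %Y GMT")
        issued = issued.replace(tzinfo=timezone.utc)
        # Heuristic: identify the CA by issuer name; browsers match the root.
        if issued > CUTOFF and any(n in leaf["issuer"].lower() for n in DISTRUSTED):
            findings.append((0, "distrusted-issuer"))
    for i, cert in enumerate(certs[:-1]):
        # Each certificate must be issued by the next one in the file.
        if certs[i + 1]["subject"] != cert["issuer"]:
            findings.append((i, "chain-order"))
    return findings

if __name__ == "__main__":
    for index, finding in audit_chain(SAMPLE):
        print(index, finding)
```

A `distrusted-issuer` finding with no `chain-order` finding matches the symptom in the question: the chain links up correctly, so adding more root or intermediate certificates to the bundle does not change the browser's decision.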
