SSL Issue < Warning Users Not Secure However SSL Applied>

允我心安 submitted on 2019-12-25 16:53:52

Question


Hi, we have a PositiveSSL Wildcard Certificate for the URL which is installed on the server, and to the best of my knowledge everything is OK. However, over the course of launching, we have sent out 100,000 mailers, of which so far 20,000 have re-signed up, and a few people have been in touch ref MIM attacks stating the site/application is unsecure. As far as we can see we are not getting any notifications, and it appears only a few people are (specifically Chrome users), some mobile, some web-based.

Attached is a reading on the Comodo SSL and all appears OK bar a little warning, which I am unsure really affects us as we have this in place already.

https://goo.gl/w6qCHs

What would you advise?

Thanks


Answer 1:


For a start, the URL you've given in that link is not a wildcard subdomain certificate.

However the main issue is that you are not providing your intermediate certs.

A cert is valid for a website, it is normally signed by one or more intermediate certs, which is then signed by a cert that is pre-installed and trusted by web browsers. If a web browser cannot build a chain of trust back to a cert it already knows about you will get this error.

A web server can provide the website certificate, or the website certificate AND the intermediate certificates. The latter is normally recommended as it helps browsers quickly build the chain of trust. Some browsers might have some intermediate certs in their trust stores by default, might already have them if they have visited a site that uses them, or might even automatically try to download intermediate certs, but that's not guaranteed.

All this can be seen by running your website through the ssllabs.com server test. That shows the same "little warning", the full chain of trust (actually two chains are possible for your site but always best to install the intermediates which allow the shortest chain), and lots of other useful information about your SSL setup (which actually looks very good apart from this missing intermediate cert issue).

How you configure your web server to return the intermediate cert depends on your server. Looks like you are running nginx (it's a good idea to turn off server http headers that give away software info btw, but that's a separate matter) so normally you just concatenate the intermediate and server certs into one .crt file (these are usually just text files with cert information encoded). For more information see here: http://nginx.org/en/docs/http/configuring_https_servers.html#chains.

Note you can also configure too many certs on your server, which is wasted effort. The root cert is not needed, for example, as this will be in the browser. Retest using ssllabs.com after you fix it to confirm all looks good.
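
The missing-intermediate failure and the concatenation fix described above, as an added example that is not part of the original answer: it builds a throwaway root, intermediate and site certificate with openssl, then checks what a client trusting only the root accepts. All file names and subject names are constructed for the demo.

```sh
#!/bin/sh
# Throwaway PKI: root -> intermediate -> site cert. All names are constructed.
DEMO=$(mktemp -d)

build_demo_pki() (
  cd "$DEMO" || exit 1
  printf '[req]\ndistinguished_name=req\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > ca.cnf
  # Self-signed root: stands in for a CA already in the browser trust store.
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -subj "/CN=Demo Root CA" -days 2
  # Intermediate CA, signed by the root.
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout int.key -out int.csr -subj "/CN=Demo Intermediate CA"
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions v3_ca -days 2 -out int.crt
  # Site certificate, signed by the intermediate.
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=www.example.test"
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 2 -out leaf.crt
) >/dev/null 2>&1

# Model a client that trusts only the root and sees exactly what the server
# sends: the first cert in file $1 is the site cert, any further certs are
# server-supplied intermediates (passed to openssl as -untrusted).
client_accepts() {
  openssl verify -CAfile "$DEMO/root.crt" -untrusted "$1" "$1" 2>/dev/null \
    | grep -q ': OK$'
}

# Number of certificates in a served file; a root in here is wasted bytes.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

build_demo_pki
[ -s "$DEMO/leaf.crt" ] || { echo "openssl could not build the demo PKI" >&2; exit 1; }

# File for nginx ssl_certificate: site cert first, then intermediate, no root.
cat "$DEMO/leaf.crt" "$DEMO/int.crt" > "$DEMO/bundle.crt"

for f in leaf.crt bundle.crt; do
  if client_accepts "$DEMO/$f"; then
    echo "$f ($(cert_count "$DEMO/$f") cert): chain builds to the trusted root"
  else
    echo "$f ($(cert_count "$DEMO/$f") cert): cannot build chain, intermediate missing"
  fi
done
```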



Source: https://stackoverflow.com/questions/33322184/ssl-issue-warning-users-not-secure-however-ssl-applied
