Installing Comodo PositiveSSL certificate on Apache server for a client, everything worked fine in Chrome, Firefox on OS X and (surprisingly) even in IE, but Firefox on Windows was complaining with the following error (might be something to do with older version or some other settings, but didn’t really test it that extensively):
Invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
After a bit of googling I came across a blog post by John Bakker, where he describes a quick and easy fix, merging all .crt files you receive from Comodo into one .ca_bundle.
To do this, the easiest way is to combine (concatenate) multiple certificates into one file, named www_yourdomain_com.ca_bundle (of course replace www_yourdomain_com with your actual domain with underscores):
- AddTrustExternalCARoot.crt
- COMODORSAAddTrustCA.crt
- COMODORSADomainValidationSecureServerCA.crt
- www_yourdomain_com.crt
cat www_yourdomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > www_yourdomain_com.ca_bundle
Note: Device/Entity Cert Intermediates need to be in reversed order.
Place it in the same place you put your .key and .crt and .csr files for your certificate.
Now instead of pointing it to the individual files you point to just the bundle from your vhost.
SSLEngine on SSLCertificateFile /etc/ssl/certs/www_yourdomain_com.crt SSLCertificateKeyFile /etc/ssl/certs/www_yourdomain_com.key SSLCertificateChainFile /etc/ssl/certs/www_yourdomain_com.ca-bundle
Restart apache and enjoy secure connection to your site without SSL errors in all browsers.