CO-piBot: return = 48: CHAIN SIGNATURE NOT MATCHING CERT
The certification chain does not match the certificate's hash algorithm (SHA1 / SHA256+)
The hash algorithm (MD5, SHA1, SHA256, ...) used by the certification authority to sign your certificate does not match the hash algorithms used to sign the certificates that make up the certification chain: one or more certificates in the chain are signed with a different hash algorithm. For example:
END ENTITY:     www.my-domain-to-secure.com             | SHA256 with RSA |
INTERMEDIATE 1: TBS X509 CA business 2                  | SHA384 with RSA |
INTERMEDIATE 2: USERTrust RSA Certification Authority   | SHA384 with RSA |
ROOT:           AddTrust External CA Root               | SHA1 with RSA   |
Note that a browser only verifies the signatures on the end-entity and intermediate certificates; a root's self-signature is never checked (the root is trusted because it is in the browser's store), so the chain element that actually causes trouble is an intermediate still signed with SHA1 or MD5, typically one left on the server from before a reissue.
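To reproduce the table above from what a server really sends, the following script lists the signature algorithm of every certificate in an ordered chain and flags the elements a browser would reject. It is an added example and is not the CopiBot checker or any code from TBS Internet. It assumes the chain is supplied leaf first and root last, as `openssl s_client -connect HOST:443 -servername HOST -showcerts` prints it; it reads the DER structure directly instead of using a PKI library so it runs offline, and the certificates built by `fake_cert()` are constructed stand-ins for testing, not real certificates.

```python
"""Added example, not part of the CopiBot page or TBS Internet's tooling:
list the signature algorithm of each certificate in an ordered chain
(leaf first, root last) and flag elements signed with MD5/SHA-1, using a
tiny DER reader instead of a PKI library so it runs offline.  Real input:
`openssl s_client -connect HOST:443 -servername HOST -showcerts` prints the
PEM chain the server sends; fake_cert() below builds constructed stand-ins."""
import base64

# OID -> name for common signature algorithms (RFC 3279, 4055, 5758)
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "MD5 with RSA",
    "1.2.840.113549.1.1.5": "SHA1 with RSA",
    "1.2.840.113549.1.1.11": "SHA256 with RSA",
    "1.2.840.113549.1.1.12": "SHA384 with RSA",
    "1.2.840.113549.1.1.13": "SHA512 with RSA",
    "1.2.840.10045.4.1": "SHA1 with ECDSA",
    "1.2.840.10045.4.3.2": "SHA256 with ECDSA",
    "1.2.840.10045.4.3.3": "SHA384 with ECDSA",
}
WEAK = {"MD5 with RSA", "SHA1 with RSA", "SHA1 with ECDSA"}

def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """DER OID content bytes -> dotted string (first arc 0 or 1 only)."""
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)

def signature_algorithm(cert_der):
    """Outer signatureAlgorithm of a DER certificate, i.e. the algorithm the
    issuer signed with: Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(body, 0)                   # skip tbsCertificate
    _, alg_id, _ = read_tlv(body, pos)                 # AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)

def audit_chain(chain_der):
    """chain_der = [leaf, intermediates..., root] in DER.  Returns (rows,
    problems): rows = [(role, algorithm)] in the page's table order, problems =
    MD5/SHA-1 signatures on certificates a browser verifies.  The self-signed
    root is listed but not judged: only its presence in the trust store matters."""
    rows, problems, last = [], [], len(chain_der) - 1
    for i, cert in enumerate(chain_der):
        role = "END ENTITY" if i == 0 else "ROOT" if i == last else f"INTERMEDIATE {i}"
        alg = signature_algorithm(cert)
        rows.append((role, alg))
        if role != "ROOT" and alg in WEAK:
            problems.append(f"{role} signed with {alg}: reinstall the chain issued with the certificate")
    return rows, problems

def load_pem_chain(text):
    """Split `openssl s_client -showcerts` output into DER certificates."""
    blocks = text.split("-----BEGIN CERTIFICATE-----")[1:]
    return [base64.b64decode(b.split("-----END CERTIFICATE-----")[0]) for b in blocks]

# --- constructed test data; these are NOT real certificates -----------------
def der(tag, content):
    """Encode one short-form DER TLV (test certificates are < 128 bytes)."""
    return bytes([tag, len(content)]) + content

def encode_oid(dotted):
    """Dotted OID -> DER content bytes (base-128 arcs, first two merged)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def fake_cert(sig_oid):
    """Valid outer Certificate shape with dummy tbsCertificate and signature."""
    tbs = der(0x30, der(0x02, b"\x01"))                               # SEQUENCE { INTEGER 1 }
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))  # OID + NULL params
    sig = der(0x03, b"\x00" + b"\xAA" * 8)                            # BIT STRING, 0 unused bits
    return der(0x30, tbs + alg + sig)

RSA_SHA1, RSA_SHA256, RSA_SHA384 = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.12"
# Shape of the page's example: SHA256 leaf, SHA384 intermediates, SHA1 root -> nothing flagged
PAGE_EXAMPLE = [fake_cert(RSA_SHA256), fake_cert(RSA_SHA384), fake_cert(RSA_SHA384), fake_cert(RSA_SHA1)]
# Chain left over from before a reissue: the intermediate itself is SHA1-signed -> flagged
STALE_CHAIN = [fake_cert(RSA_SHA256), fake_cert(RSA_SHA1), fake_cert(RSA_SHA1)]
```

Run it against a live server with `load_pem_chain(open("chain.pem").read())`, where chain.pem is the saved `openssl s_client -showcerts` output, and compare the rows with what CopiBot reports; a SHA1-signed root with SHA2-signed leaf and intermediates produces no problem, while a SHA1-signed intermediate does.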
Consequences: HTTPS is crossed out in red
This incorrect installation / configuration on your server may trigger an alert message in some browsers such as Google Chrome. It can even lead to HTTPS being crossed out in red directly in the URL bar.
Troubleshooting
- If you recently renewed or reissued your certificate, you may have forgotten to install the new certification chain. It is essential to install the last issued certificate together with its matching certification chain. Consult our installation instructions.
Most common cases:
- Install intermediate certificates or root certificates manually
On Microsoft platforms you may have forgotten to import the .p7b (PKCS#7) file that was delivered along with your certificate, and installed only the certificate itself (CER / PEM format).
You then need to install the certification chain that goes with your certificate manually; documentation is available here.
- Install a certificate and its certification chain on Apache
- Install intermediate certificates or root certificates manually
- Have you forgotten to activate the new certificate for the different services / protocols of your Exchange or reverse proxy / firewall (VPN) server? Some servers and security appliances ship with a self-signed certificate that is used by default. When installing your certificate you have to associate it with each of those services by replacing the former certificate. Consult your server / appliance documentation.
- Or your server may not be correctly configured and the certificate presented is not the one expected. If you have several certificates you may have mixed them up. Is your DNS configuration correct?
- Does your infrastructure include a reverse proxy? Have you installed your certificate on the right server / interface?
- Have you bought several certificates with the same CN / FQDN (internet address)? CopiBot may be running its tests against the wrong server: check the IP address used for the connection and the serial number of the certificate that server presents.
Useful links
- All about SHA1, SHA2 and SHA256 hash algorithms
- SHA1: Deprecation of the SHA1 algorithm scheduled for 2015, 2016, 2017?
- SHA1 disappearance: what is the situation?
- Browsers compatible with SHA256 hash algorithm
- Servers compatible with SHA256-signed SSL certificates
- Install several SSL certificates on a same machine / IP : TLS SNI
- Generate a SHA256 CSR
- Intermediate certificates
- Root certificate (implemented on browsers)
- Deactivate the Thawte PCA (2036) root
- Deactivate VeriSign Class 3 Public Primary Certification Authority - G5 (2036) root
Error message that can be encountered on browsers
- The identity of this website has been verified by xxx but does not have public audit records.
- Mozilla Firefox 37.0.1+: Secure connection failed
Check your certificate installation with Co-Pibot:
In your Certificates center, on your certificate status page, you'll see a "check your certificate" button. Click it to make sure your certificate has been correctly installed.
Last edited on 05/11/2020 14:30:29