New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
Exactly the problem I had ...
It looks like the 1_root_bundle.crt included in the mail only includes the SHA1 version of the CA Certificate, named WoSign CA Free SSL Certificate. The SHA2 certificate I received refers to another CA Certificate, named WoSign CA Free SSL Certificate G2. Adding that one to the 1_root_bundle.crt fixed the problem for me.
The CA Certificate WoSign CA Free SSL Certificate G2 can be downloaded at http://www.wosign.com/English/root.htm. The correct file is http://www.wosign.com/root/ca1_dv_free_2.crt. I just pasted the content of this file into the 1_root_bundle.crt (at the first position) and that fixed the problem for me.
Hope it works for you too ...
I did use it before. I had a C back then, then I enabled some more settings via my nginx config. Now I have an A-
I got these two notifications.
I didn't use forward secrecy with the other SSL either but I got the green icon.
Now...
It's due to the intermediate certificate.
This is the cause of all evil it seems.
Now I need to figure how to update this
Mkay so... got it to work.
Turns out they are sending the wrong cert(!!!).
SHA2 certs are signed by the "G2" issuer certificate, but their ZIP file contains only the regular one, not the G2.
What you need to do is:
1) get https://www.wosign.com/root/ca1_dv_free_2.crt
2) save it into the "For Other Server" unpacked directory
3) execute: "cat 1_root.crt 2_cross.crt ca1_dv_free_2.crt > bundle_g2.crt"
4) set ssl.ca-file=bundle_g2.crt
@Nomad let me know if this helps. haha I see you figured it out already, and I should refresh the page before writing my reply. (:
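A check for the situation in the steps above, as an added example that is not part of the original posts: it tests whether a chain bundle contains the certificate that issued the server certificate, first by issuer name and then with a full `openssl verify`. The CA names, file names and the `make_demo_chain` helper are constructed stand-ins, not WoSign's files.

```shell
#!/bin/sh
# issuer_in_bundle LEAF BUNDLE: exit 0 if a cert in BUNDLE has a subject equal
# to LEAF's issuer (compared by OpenSSL name hash), exit 1 if none does.
issuer_in_bundle() {
    leaf=$1; bundle=$2
    want=$(openssl x509 -in "$leaf" -noout -issuer_hash) || return 2
    tmp=$(mktemp -d) || return 2
    # Split the PEM bundle into one file per certificate.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
        n {print > (d "/" n ".pem")}' "$bundle"
    found=1
    for c in "$tmp"/*.pem; do
        [ -f "$c" ] || continue
        if [ "$(openssl x509 -in "$c" -noout -subject_hash)" = "$want" ]; then
            found=0
        fi
    done
    rm -rf "$tmp"
    return $found
}

# chain_verifies ROOT BUNDLE LEAF: signature-level check, with BUNDLE supplying
# the untrusted intermediates and ROOT as the only trust anchor.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# make_demo_chain DIR: constructed test data. A leaf issued by "Demo Free CA G2"
# plus an older intermediate "Demo Free CA", both signed by "Demo Root".
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    for name in "Demo Free CA" "Demo Free CA G2"; do
        f=$(echo "$name" | tr ' ' '_')
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$d/$f.key" -out "$d/$f.csr" 2>/dev/null
        openssl x509 -req -in "$d/$f.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
            -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/$f.crt" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/Demo_Free_CA_G2.crt" \
        -CAkey "$d/Demo_Free_CA_G2.key" -CAcreateserial -days 2 \
        -out "$d/leaf.crt" 2>/dev/null
}
```

A bundle holding only the older intermediate fails both checks; adding the G2 intermediate makes both pass.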
Well, you saved me from the trouble of searching for the issuer certificate but..
I did my bundle like
Then nginx would say it's not gonna turn on stapling cuz no issuer certificate is found :S
And it didn't resolve my issue.
True, I do get an A from Qualys certificate check but..
Still no green for me.
I'm doing something wrong maybe.
Ok...
Managed to fix it...
I replaced the issuer certificate with this one
CA 沃通根证书(SHA256) (WoSign root certificate, SHA256)
Now it's all green for me ^^
@Nomad which one did you replace exactly?
If I replace ca1_dv_free_2.crt with WS_CA2_NEW.CRT, the whole thing stops working for me (in Firefox).
Found the cause of the yellow icon: http://weblogs.asp.net/owscott/identity-not-verified-in-chrome
It's not just SHA-1, but also expiration dates.
Same here...
with one of the compilations I tried, I did manage to get an A+ but it still shows that one as weak.
@Nomad There seems to be no SHA2 certificate which fits into the chain of "WoSign CA Free SSL Certificate G2". The one you quoted earlier is for the Chinese language certs. Looks like if you made a Chinese cert, then you have a SHA2 intermediate to use... but none for English ones.
Also for reference, you can dump information about a .crt:
When WoSign say multiple domains do they mean aa.domain.com bb.domain.com cc.domain.com, or do they mean aa.domain.com aa.domain2.com aa.domain1.net, aa.anotherdomain.com etc?
Is it subdomains of the main domain, any arbitrary combinations of subdomains and domain?
They only mean domains, no subdomains. When I tried to add xxx.example.org it said invalid domain name or similar iirc. @rchurch
Huh... Then how did I get my certificate for:
I mean, I got my certificate for 5 domains and about 20-25 subdomains in a batch.
o.O
can I revoke the certificate/create a new one?
Just buy another one and try ^^
Sorry, I was WRONG. In a way.
If you check the archive.org link, you can see the "超快SSL", or "DV_KuaiSSL" is cross-signed with UTN SGC.
But, after they put it free (you can see, if you put 100 domains in it, this would cost you ~¥88000 (~$14200)). Of course, this is too good to be true.
The free DV_KuaiSSL is now signed with StartSSL. Which means, it is the same as the original FreeSSL.
And the problem is, the cert chain is sooooooooooooooooooooooooo long that it breaks: if so, the browser would give you a warning. EVEN WORSE than you do not have that SSL!
Both.
Any combination/mix of all these.
I re-ordered my cert now, selecting the Chinese language.
The Chinese certs have a SHA256 root certificate: http://www.wosign.com/English/root.htm
I assume they did not get around to updating English ones to SHA1 yet.
With the original price still there but with just a strike through over it, I wonder if this is only a temporary promo. Their regular free SSL offer supports 1 year term and a single domain only: https://buy.wosign.com/FreeSSL.html
Since the title of this post is kind of misleading and this is huge news I opened another topic, maybe we can continue there: Free Chinese 2 year SSL certificate: DV KuaiSSL by WoSign.com