Problem with chain in SSL

That’s just Dreamhost. Their whole service is basically a bunch of tape and string and shell scripts. If I report the IPv6 bug one of two things will happen: they’ll agree it is a bug and fix it, claiming it’s some weird thing they never saw happen before, or they’ll say they don’t see any problem, and it’ll magically “fix itself” when they say that. I gave up worrying, obviously you shouldn’t use a provider like that for business stuff, but that’s just a personal site.

On my computer, on the one with the problem, and on the server it is Not Configured.

It’s Windows Server 2003.

That is potentially old enough to not have had the X3 root when it was released. Microsoft makes certificate store updates, including root revocations, available via Windows Update and WSUS. These updates, however, are usually listed as “optional” and won’t show up if you only install security patches. I believe newer versions (at least W8 and newer) of Windows update the certificates in the background now, avoiding the need for an optional WU update.

You can find out more about the root certificate update packages as part of KB931125.

Note that in general, you only need to worry about this for clients accessing a site or service secured by the root. Even if the server doesn’t trust the root for a certificate it’s serving, if it chains to a root that the client trusts, you won’t get a warning for that particular issue.

Not Configured means it is turned on (the default) unless the computer is joined to a domain and the domain has it turned off.

Do you see any errors relating to root certificates in the Event Viewer on any of the affected systems?

Also, Windows XP and Server 2003 used a different mechanism to update the root certificates list. The prior advice applied only to Windows Vista and later.

You can check if the old mechanism is enabled by going to Control Panel > Add/Remove Programs > Add/Remove Windows Components and confirming Update Root Certificates is checked.

You can also manually download and install the latest root certificates update from http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe on these systems.

Yes, it is checked.
So what now?

I have the X3 certificate on our domain controller. How can I make sure that it will work with all workstations that don’t have that certificate right now?

As I said before, if root updates are enabled and not working, the Event Viewer should log errors regarding it that would give hints as to what the issue is.

But you can indeed push the DST Root CA X3 to domain members via Group Policy:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy
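The two replies above describe checks that are easy to script: whether the root auto-update mechanism has been switched off by policy (“Not Configured” leaves it on), and whether DST Root CA X3 is actually present in the machine’s trusted root stores, which is also how you confirm that a Group Policy push reached a workstation. The script below is an added example, not code from the thread or from Microsoft’s documentation. It assumes a Windows Vista or newer client (the XP/2003 mechanism is different), the documented policy registry path, and the root’s subject name; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): on a Vista-or-newer domain member,
# report the root auto-update policy state and look for DST Root CA X3 in
# the machine's Root and AuthRoot stores. Assumptions: the policy value
# written by "Turn off Automatic Root Certificates Update" lives under
# $policyKey, and the root's subject is exactly $rootSubject.

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$rootSubject = 'CN=DST Root CA X3, O=Digital Signature Trust Co.'

function Get-RootAutoUpdateState {
    # DisableRootAutoUpdate=1 means the GPO turned auto-update off.
    # A missing key or value is "Not Configured", i.e. auto-update stays on.
    $value = (Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate `
              -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    if ($null -eq $value) { return 'Not Configured (auto-update on)' }
    if ($value -eq 1)     { return 'Disabled by policy' }
    return "Enabled (DisableRootAutoUpdate = $value)"
}

function Find-RootCert {
    param([string]$Subject)
    # Roots installed by hand or pushed via Group Policy land in Root;
    # roots fetched by the auto-update mechanism land in AuthRoot.
    foreach ($store in 'Root', 'AuthRoot') {
        Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -eq $Subject } |
            ForEach-Object {
                [PSCustomObject]@{
                    Store      = $store
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

"Root auto-update policy: $(Get-RootAutoUpdateState)"
$found = Find-RootCert -Subject $rootSubject
if ($found) {
    $found | Format-Table -AutoSize
} else {
    "DST Root CA X3 is not in LocalMachine\Root or LocalMachine\AuthRoot."
}
```

After linking the GPO from the Microsoft article, run `gpupdate /force` on a workstation and rerun the script: the root should now appear in the Root store. If it only ever shows up in AuthRoot, the auto-update mechanism rather than the GPO delivered it.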

Where should I check in the Event Viewer, and when?

On the problematic PC or on the domain controller?

And when? At the time I go to the specific website where I get the chain error?

The problematic PC.

There may be a log entry around the time of trying to visit an affected website, since Windows will try and download root certificates when it encounters a missing one. But it also attempts to download them on a weekly basis so there would be others.

The most common error message seems to be “Failed auto update retrieval of third-party root list”, so I would suggest just searching the log for the word root.
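The search the reply above suggests can be done from PowerShell on the problematic PC instead of scrolling through Event Viewer. The script below is an added example, not from the thread. It assumes Windows Vista or newer (for `Get-WinEvent`) and a default look-back window of 14 days, long enough to cover at least one of the weekly auto-update attempts; the root auto-update failures are written to the Application log by the CAPI2 source.

```powershell
# Added example (not from the thread): list warning and error events in the
# Application log that mention "root", which is where the CAPI2
# "Failed auto update retrieval of third-party root list ..." entries go.
# Assumption: a 14-day window covers at least one weekly auto-update run.

param([int]$Days = 14)

function Get-RootUpdateEvents {
    param([datetime]$StartTime)
    # Level 2 = Error, 3 = Warning. Filter server-side on log, level and
    # time, then on the message text, as the reply suggests.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Level     = 2, 3
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'root' } |
        Select-Object TimeCreated, ProviderName, Id, LevelDisplayName,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

$events = Get-RootUpdateEvents -StartTime (Get-Date).AddDays(-$Days)
if (-not $events) {
    "No Application-log errors or warnings mentioning 'root' in the last $Days days."
    "If auto-update is enabled, silence here suggests the client never attempts the download."
} else {
    $events | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
}
```

The two entries pasted later in the thread (“Key file operation” and “Cryptographic operation”) are Security-log audit events about key storage and will not match this filter; the root-list download failures you are looking for appear in the Application log with the CAPI2 source.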

These are the only two events I can see in the event log:

Key file operation.

Subject:
Security ID: SYSTEM
Account Name: BS$
Account Domain: *****
Logon ID: 0x3e7

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: Not Available.
Key Name: {0818F9B3-D4B5-49B6-982E-3D263B0AEF9F}
Key Type: User key.

Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\51fcfb209ece7122229b7a417cf6e0ce_7a679364-a30e-4e27-9a43-cd75b1422e90
Operation: Read persisted key from file.
Return Code: 0x0

Cryptographic operation.

Subject:
Security ID: SYSTEM
Account Name: BS$
Account Domain: ********
Logon ID: 0x3e7

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: {0818F9B3-D4B5-49B6-982E-3D263B0AEF9F}
Key Type: User key.

Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0

Can you take a look at what I have posted from the event log?
