waleedsamy · November 16, 2024 20:24 · Jun 15, 2020 · Jun 15, 2020 · Jun 15, 2020 · Jun 15, 2020
diff --git a/...SL_unable_to_verify_the_first_certificate → ...unable_to_verify_the_first_certificate.md b/...SL_unable_to_verify_the_first_certificate → ...unable_to_verify_the_first_certificate.md
diff --git a/README.md → ...SL_unable_to_verify_the_first_certificate b/README.md → ...SL_unable_to_verify_the_first_certificate
diff --git a/README.md b/README.md
@@ -23,13 +23,13 @@ but tools like curl, java.... will report that they're unable to find valid cert
 
 ### To fix, you have *two* options
  - find and add the intermediate certificate that https://client-cert-missing.badssl.com use to your keystore
-  ```bash
-  # add to ubuntu keystore
-  sudo cp COMODORSADomainValidationSecureServerCA.crt /usr/local/share/ca-certificates/COMODORSADomainValidationSecureServerCA.crt
-  sudo update-ca-certificates
-  # add to java keystore
-  sudo keytool -importcert -alias COMODORSADomainValidationSecureServerCA -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file COMODORSADomainValidationSecureServerCA.crt
-  ```
+   ```bash
+   # add to ubuntu keystore
+   sudo cp COMODORSADomainValidationSecureServerCA.crt /usr/local/share/ca-certificates/COMODORSADomainValidationSecureServerCA.crt
+   sudo update-ca-certificates
+   # add to java keystore
+   sudo keytool -importcert -alias COMODORSADomainValidationSecureServerCA -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file COMODORSADomainValidationSecureServerCA.crt
+   ```
 
  - Or update your webserver to send the full chain of certificates not just the leaf chain
    > https://nginx.org/en/docs/http/configuring_https_servers.html

diff --git a/README.md b/README.md
@@ -36,16 +36,16 @@ but tools like curl, java.... will report that they're unable to find valid cert
    
 
    > Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case the authority provides a bundle of chained certificates which should be concatenated to the signed server certificate. The server certificate must appear before the chained certificates in the combined file:
-  ```
-      $ cat www.example.com.crt bundle.crt > www.example.com.chained.crt
-  ```
-  > The resulting file should be used in the ssl_certificate directive:
-  ```
-      server {
-          listen              443 ssl;
-          server_name         www.example.com;
-          ssl_certificate     www.example.com.chained.crt;
-          ssl_certificate_key www.example.com.key;
-          ...
-      }
-```
+   ```
+       $ cat www.example.com.crt bundle.crt > www.example.com.chained.crt
+   ```
+   > The resulting file should be used in the ssl_certificate directive:
+   ```
+       server {
+           listen              443 ssl;
+           server_name         www.example.com;
+           ssl_certificate     www.example.com.chained.crt;
+           ssl_certificate_key www.example.com.key;
+           ...
+       }
+   ```
diff --git a/README.md b/README.md
@@ -32,18 +32,20 @@ but tools like curl, java.... will report that they're unable to find valid cert
   ```
 
  - Or update your webserver to send the full chain of certificates not just the leaf chain
-  https://nginx.org/en/docs/http/configuring_https_servers.html
-  > Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case the authority provides a bundle of chained certificates which should be concatenated to the signed server certificate. The server certificate must appear before the chained certificates in the combined file:
-```
-    $ cat www.example.com.crt bundle.crt > www.example.com.chained.crt
-```
- > The resulting file should be used in the ssl_certificate directive:
-```
-    server {
-        listen              443 ssl;
-        server_name         www.example.com;
-        ssl_certificate     www.example.com.chained.crt;
-        ssl_certificate_key www.example.com.key;
-        ...
-    }
+   > https://nginx.org/en/docs/http/configuring_https_servers.html
+   
+
+   > Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case the authority provides a bundle of chained certificates which should be concatenated to the signed server certificate. The server certificate must appear before the chained certificates in the combined file:
+  ```
+      $ cat www.example.com.crt bundle.crt > www.example.com.chained.crt
+  ```
+  > The resulting file should be used in the ssl_certificate directive:
+  ```
+      server {
+          listen              443 ssl;
+          server_name         www.example.com;
+          ssl_certificate     www.example.com.chained.crt;
+          ssl_certificate_key www.example.com.key;
+          ...
+      }
 ```
diff --git a/README.md b/README.md
@@ -32,7 +32,7 @@ but tools like curl, java.... will report that they're unable to find valid cert
   ```
 
  - Or update your webserver to send the full chain of certificates not just the leaf chain
-  > https://nginx.org/en/docs/http/configuring_https_servers.html
+  https://nginx.org/en/docs/http/configuring_https_servers.html
   > Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case the authority provides a bundle of chained certificates which should be concatenated to the signed server certificate. The server certificate must appear before the chained certificates in the combined file:
 ```
     $ cat www.example.com.crt bundle.crt > www.example.com.chained.crt

diff --git a/README.md b/README.md
@@ -31,7 +31,7 @@ but tools like curl, java.... will report that they're unable to find valid cert
   sudo keytool -importcert -alias COMODORSADomainValidationSecureServerCA -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file COMODORSADomainValidationSecureServerCA.crt
   ```
 
- - the is the right way to do it, you need to update your webserver to send the full chain of certificates not just the leaf chain
+ - Or update your webserver to send the full chain of certificates not just the leaf chain
   > https://nginx.org/en/docs/http/configuring_https_servers.html
   > Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case the authority provides a bundle of chained certificates which should be concatenated to the signed server certificate. The server certificate must appear before the chained certificates in the combined file:
 ```

diff --git a/README.md b/README.md
@@ -1,5 +1,7 @@
-open ssl connection to site
-`openssl s_client -connect client-cert-missing.badssl.com:443`
+Open an ssl connection to site
+```
+openssl s_client -connect client-cert-missing.badssl.com:443
+```
 returns
 ```
 .
@@ -19,7 +21,7 @@ Verify return code: 21 (unable to verify the first certificate)
 Even though the intermediate certificate is missing, browsers can still show no problems with https://client-cert-missing.badssl.com:
 but tools like curl, java.... will report that they're unable to find valid certification path to requested target.
 
-To fix, you have two options
+### To fix, you have *two* options
  - find and add the intermediate certificate that https://client-cert-missing.badssl.com use to your keystore
   ```bash
   # add to ubuntu keystore

diff --git a/README.md b/README.md
@@ -20,7 +20,7 @@ Even though the intermediate certificate is missing, browsers can still show no
 but tools like curl, java.... will report that they're unable to find valid certification path to requested target.
 
 To fix, you have two options
- 1- find and add the intermediate certificate that https://client-cert-missing.badssl.com use to your keystore
+ - find and add the intermediate certificate that https://client-cert-missing.badssl.com use to your keystore
   ```bash
   # add to ubuntu keystore
   sudo cp COMODORSADomainValidationSecureServerCA.crt /usr/local/share/ca-certificates/COMODORSADomainValidationSecureServerCA.crt
@@ -29,7 +29,7 @@ To fix, you have two options
   sudo keytool -importcert -alias COMODORSADomainValidationSecureServerCA -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file COMODORSADomainValidationSecureServerCA.crt
   ```
 
- 2- the is the right way to do it, you need to update your webserver to send the full chain of certificates not just the leaf chain
+ - the is the right way to do it, you need to update your webserver to send the full chain of certificates not just the leaf chain
   > https://nginx.org/en/docs/http/configuring_https_servers.html
   > Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case the authority provides a bundle of chained certificates which should be concatenated to the signed server certificate. The server certificate must appear before the chained certificates in the combined file:
 ```

diff --git a/README.md b/README.md
@@ -0,0 +1,47 @@
+open ssl connection to site
+`openssl s_client -connect client-cert-missing.badssl.com:443`
+returns
+```
+.
+.
+.
+---
+Certificate chain
+ 0 s:/C=US/ST=California/L=San Francisco/O=BadSSL Fallback. Unknown subdomain or no SNI./CN=badssl-fallback-unknown-subdomain-or-no-sni
+   i:/C=US/ST=California/L=San Francisco/O=BadSSL/CN=BadSSL Intermediate Certificate Authority
+---
+.
+.
+.
+Verify return code: 21 (unable to verify the first certificate)
+```
+
+Even though the intermediate certificate is missing, browsers can still show no problems with https://client-cert-missing.badssl.com:
+but tools like curl, java.... will report that they're unable to find valid certification path to requested target.
+
+To fix, you have two options
+ 1- find and add the intermediate certificate that https://client-cert-missing.badssl.com use to your keystore
+  ```bash
+  # add to ubuntu keystore
+  sudo cp COMODORSADomainValidationSecureServerCA.crt /usr/local/share/ca-certificates/COMODORSADomainValidationSecureServerCA.crt
+  sudo update-ca-certificates
+  # add to java keystore
+  sudo keytool -importcert -alias COMODORSADomainValidationSecureServerCA -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file COMODORSADomainValidationSecureServerCA.crt
+  ```
+
+ 2- the is the right way to do it, you need to update your webserver to send the full chain of certificates not just the leaf chain
+  > https://nginx.org/en/docs/http/configuring_https_servers.html
+  > Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case the authority provides a bundle of chained certificates which should be concatenated to the signed server certificate. The server certificate must appear before the chained certificates in the combined file:
+```
+    $ cat www.example.com.crt bundle.crt > www.example.com.chained.crt
+```
+ > The resulting file should be used in the ssl_certificate directive:
+```
+    server {
+        listen              443 ssl;
+        server_name         www.example.com;
+        ssl_certificate     www.example.com.chained.crt;
+        ssl_certificate_key www.example.com.key;
+        ...
+    }
+```