PositiveSSL, Azure & COMODO RSA Certification Authority



Recently SSL 1 was declared unsafe. So the certification companies started supplying SSL 2 certificates.

My certificate for notezilla.net was about to expire, so I purchased a new one from namecheap.com. It sells SSL certificates at a very low price. The brand name is PositiveSSL.

After the purchase, I followed the instructions to install the SSL certificate on my Windows Azure cloud service. But it didn’t work. I tried about 4 times and spent several hours trying to fix it.

As a side note: SSL 2 has a different set of root and intermediate certificates. I had to re-download and install them from here.

Surprisingly, for the first 2 days everything appeared to be working fine, until I tried to access my web app from an Android phone. The Chrome browser showed a scary message – ‘Your connection is not private’. Then I checked my website using SSL Checker. It said that the certificate was broken: the chain did not complete to the root. Also, my Android app, built with Xamarin, was throwing the following exceptions:

System.Net.WebException: Error getting response stream (ReadDone2): ReceiveFailure

System.Net.WebException: Error getting response stream (Write: The authentication or decryption has failed.): SendFailure ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server. Error code: 0xffffffff800b010a

Fortunately, Boyan Tabakob’s post on this thread helped me.

I am elaborating further because I want to cover an issue specific to the PositiveSSL certificate purchased from namecheap.com. Nothing is wrong with the certificate itself. But the way IIS determines the chain of certificates is incorrect.

Here is how your chain should look:

Notezilla.Net certificate chain

Your certificate -> COMODO RSA Domain Validation Secure Server CA -> COMODO RSA Certification Authority -> UserTrust (AddTrust External CA Root)

However, when you install the SSL certificate on Windows Azure and log in to your cloud service using Remote Desktop to check the chain, it will look totally different. IIS will pick a different COMODO certificate and will not find your actual root certificate.

Problem: IIS has another intermediate certificate named “COMODO RSA Certification Authority” under “Trusted Root Certification Authorities”. This one has a different thumbprint. The real “COMODO RSA Certification Authority” that I wanted was already in the “Intermediate Certification Authorities” folder.

Solution: Since IIS picked the former one from the root store (maybe because of the same name), I deleted the former one (via Remote Desktop), and the certificate chain was then complete up to the root. Now my website was working fine. Remember to restart your VM instance (Web Role) after you make this change! Very important.

The bad part is that I will have to repeat this step every time I deploy a new build of my MVC cloud service.
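The check-and-cleanup described above can be done from a PowerShell prompt on the web role instead of clicking through the certificate MMC. The script below is an added example, not part of the original post: it lists every “COMODO RSA Certification Authority” entry in the Trusted Root and Intermediate stores with its thumbprint, builds the chain for the site certificate the same way Schannel/IIS does so you can see which copy gets picked, and then removes from the Trusted Root store any copy whose thumbprint is not the one you want to keep. The subject name comes from the post; the two thumbprint parameters are placeholders you must replace with your own values, and the script only deletes when run without -WhatIf.

```powershell
# Added example (not from the original post). Inspects the machine certificate stores
# for duplicate "COMODO RSA Certification Authority" entries, shows the chain Windows
# actually builds for the site certificate, and removes the unwanted copy from the
# Trusted Root store. Thumbprints are placeholders (assumed); replace them with yours.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Thumbprint of the site's own certificate in LocalMachine\My (placeholder)
    [string]$SiteThumbprint = 'REPLACE-WITH-SITE-CERT-THUMBPRINT',
    # Thumbprint of the "COMODO RSA Certification Authority" copy to keep (placeholder)
    [string]$KeepThumbprint = 'REPLACE-WITH-THUMBPRINT-TO-KEEP',
    # Subject common name taken from the post
    [string]$SubjectName    = 'COMODO RSA Certification Authority'
)

# 1. List every certificate with that subject in both the Trusted Root and the
#    Intermediate store, so the two copies and their thumbprints are visible side by side.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'
$copies = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*CN=$SubjectName*" } |
        Select-Object @{ n = 'Store'; e = { $store } }, Thumbprint, Subject, Issuer,
                      @{ n = 'SelfSigned'; e = { $_.Subject -eq $_.Issuer } }
}
"Certificates named '$SubjectName' in the machine stores:"
$copies | Format-Table -AutoSize

# 2. Build the chain for the site certificate as the local CryptoAPI would, and print it.
#    Revocation checking is disabled here because only the chain shape matters.
$site = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $SiteThumbprint }
if (-not $site) { throw "Site certificate $SiteThumbprint not found in Cert:\LocalMachine\My" }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($site)
"Chain as built on this machine:"
$chain.ChainElements | ForEach-Object {
    "  {0}  ({1})" -f $_.Certificate.Subject, $_.Certificate.Thumbprint
}

# 3. Remove from the Trusted Root store every copy that is not the one to keep.
#    Run the script with -WhatIf first; nothing is deleted until the switch is dropped.
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$SubjectName*" -and $_.Thumbprint -ne $KeepThumbprint } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Thumbprint, 'Remove from Trusted Root store')) {
            Remove-Item -Path "Cert:\LocalMachine\Root\$($_.Thumbprint)"
        }
    }
```

Run it once with -WhatIf to confirm that the listed chain ends at the certificate you expect and that only the unwanted thumbprint would be removed, then run it without the switch and restart the role instance as the post says. Since the cleanup has to be repeated after every deployment, the same script is a natural candidate for a cloud service startup task.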

Thanks. Hope it helps someone :).

2 thoughts on “PositiveSSL, Azure & COMODO RSA Certification Authority”

  1. Max Oris

    Damn it! Why didn’t I find your post a few hours earlier?) I faced an identical problem today. I have an Azure Cloud Service, a Comodo cert and issues with an Android application…. Anyway, thank you for the detailed problem description.
    PS: Did you find any solution to avoid repeating these magic steps on every deploy?

  2. Gautam Jain

    No, I had to manually do these steps on every deployment. Until recently, I upgraded the Azure OS to Windows Server 2012. In this version, the problem is fixed.
