SSL (Secure Socket Layer) Troubleshooting

The only noticeable difference between the SSL server and the regular version, is that the SSL version encrypts all data it sends and decrypts all the encrypted data it receives. In practical terms this means that an identical page will take two to four times longer to serve from the SSL version.

Questions specific to the SSL version or issues relating to encryption, digital IDs and certificates are covered in this section.

WebSTAR quits immediately after launch.

If the Private Key file has been regenerated, it will no longer match with your Certificate.

Make sure that the Private Key file is the same one that was used to generate the original Request for Certificate--if necessary, use Get Info under the File menu in the Finder to compare the creation dates on these files to see that they are the same. The Certificate and the Private Key file make up a pair, and must match; if they do not, browsers will be unable to access your WebSTAR SSL server.

The Certificate or Private Key files have been moved or renamed . Put them back and try again.

If you are still unable to launch WebSTAR after these steps, please contact StarNine technical support for further assistance.

Need to convert an old certificate

The old certificate file (WebSTAR/SSL 2 and 3 format) is only converted the first time WebSTAR 4 runs. It must be in a file named Digital ID .

If you need to convert later, you can quit the server, remove the WebSTAR Settings file, and launch WebSTAR again: it will convert the certificate file at that point, and store the information in the WebSTAR Settings file.
You can also fix it by hand:

Change the file TYPE code to TEXT to so that the file can be opened in BBEdit or another text editor.
Once the file is open, add this line at the beginning of the file:

-----BEGIN CERTIFICATE-----

and this line at the end of the file:

-----END CERTIFICATE-----

Do not include any spaces or tab characters on these lines.

Save the file in the server folder.
Quit the WebSTAR Server.
Start WebSTAR again: it should recognize and accept this format.

URLs routed through third-party Plug-Ins don't work with HTTPS

Some third-party Plug-Ins may not support HTTPS and SSL connections. If you have difficulties, contact those developers directly.

When users click on a hypertext link to a secure page the connection is refused.

Connections to a secure server require the client software to communicate via the SSL (HTTPs) protocol. Older browsers do not support the SSL protocol. The most recent versions of most browsers do support SSL.

Users coming from networks which use a Proxy gateway cannot connect to my secure pages.

SSL does not work through many Proxy servers and firewalls. Consequently, you should provide both secure and unsecure versions if you want access to be available to everyone.

WebSTAR launches as usual, but browsers are unable to connect and the log contains messages that report "SSL Handshake failed"

This could indicate that the Certificate is corrupt. If you have a backup of the Certificate file, replace the one in the server's folder with the backup. Otherwise, you can regenerate the Certificate from your Certificate file.

The "SSL Handshake failed" message could also indicate that the Certificate does not match the Public/Private key.

Browsers display an error message or security warning

Certificate Authority is Expired
Certificate issuer for this site is untrusted or unknown

When browser certificates expire, you will see these messages. For Thawte, that was July 28, 1998. For VeriSign, many certificates will expire at the end of 1999. You may have to help your customers or users change their browser certificates to recognize the new authorities.

To update browsers for Thawte server Certificates, follow the instructions at

 
https://www.thawte.com/certs/server/rollover.html

Unable to establish a secure connection... (The identity certificate has expired)
invalid site name
An error occurred in the secure channel support

For all these errors, see the advice at

https://www.thawte.com/support/server/browsers.html

When people click a link on the SSL page to go back to the non-SSL page, the new page is still secure.

If you are serving SSL and non-SSL pages from the same folder and use relative references in your HTML, then links from your SSL page will use the HTTPS protocol instead of HTTP. Make sure that links in the HTML of your SSL pages specify "http" when you intend a non-SSL link.

When clients connect to a secure page they receive the message, "You have requested a secure document that contains unsecure information. The unsecure information will not be shown"

Netscape does not allow both secure and insecure documents to be displayed on the same page. The problem is likely that the HTML portion is being served by WebSTAR SSL (HTTPS ) while navigation buttons or graphics are being served out by WebSTAR (http ). Make sure that all referenced documents are also linked with "https ".