To expand upon Boan's comment, your certificate chain is malformed.
You are only sending the end entity (server) certificate, and you need to send both the end entity certificate and the two intermediate certificates required for Comodo.
You need to send the intermediate certificates to avoid the "which directory" problem. It's a well-known problem in PKI. That's what clients are experiencing - they don't know where to go to get the missing intermediate certificate.
Here's how you can check for it:
$ openssl s_client -connect naturalvape.us:443 -showcerts
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = naturalvape.us
verify error:num=20:unable to get local issuer certificate
verify return:1
...
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=naturalvape.us
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
MIIFUDCCBDigAwIBAgIRAOIeCA8uCx0hLc8AQSHiak8wDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
...
t3d8prtVxlUd9xp0AEXPOLI1uKQlDKNCOQlHFrINkZbwwg6hmomiFXx5IpfVSb9U
XIqr/cZP7xtD2oiYCJ2giJ7dHLU=
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=naturalvape.us
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
...
Notice there's one certificate present with a subject of CN=naturalvape.us (subject is the "s:" in the display). The issuer is CN=COMODO RSA Domain Validation Secure Server CA, but that intermediate certificate is missing (issuer is the "i:" part in the display).
To fix this, you need to fetch COMODO RSA Domain Validation Secure Server CA from [Intermediate #2 (SHA-2)] Comodo RSA Domain Validation Secure Server CA.
The intermediate certificate is already PEM encoded. Take your server certificate, and append the COMODO RSA Domain Validation Secure Server CA intermediate. That means there will be two certificates in the file. They will look like:
-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
Plug that into your site under the server certificate.
Unfortunately, it's not enough to add just COMODO RSA Domain Validation Secure Server CA. You also need to add COMODO RSA Certification Authority. It's another missing intermediate certificate. You can get COMODO RSA Certification Authority from [Intermediate #1 (SHA-2)] COMODO RSA Certification Authority.
So they will look like:
-----BEGIN CERTIFICATE-----
<end entity/server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate #2>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate #1>
-----END CERTIFICATE-----
Users (relying parties) will still need to have/trust the issuer of the last missing intermediate (the last missing intermediate is COMODO RSA Domain Validation Secure Server CA). The issuer of the last missing intermediate is CN=AddTrust External CA Root, and it should be built into the browser or one of those cacerts.pem packs.
Once you concatenate the two missing intermediate certificates with the server certificate (and upload it), you can test as follows.
First, download the trust anchor. It's CN=AddTrust External CA Root, and it can be found at [KMCS] AddTrust External CA Root.
Second, run openssl s_client to verify. Notice the addition of the CAfile option and the "Verify result OK (0)".
$ openssl s_client -connect naturalvape.us:443 -CAfile addtrustexternalcaroot_kmod.crt
CONNECTED(00000003)
...
Start Time: 1407558078
Timeout : 300 (sec)
Verify return code: 0 (OK)
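The same missing-intermediate symptom and its fix, reproduced offline as an added example (this is not code from the original answer): a throwaway root / intermediate / leaf PKI is generated with openssl, the leaf alone fails to verify against the root with error 20 ("unable to get local issuer certificate"), and the leaf concatenated with its intermediate verifies OK. The CA names and the example.test hostname are constructed; the only assumption is an openssl binary on PATH.

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> intermediate -> leaf, standing in for
# AddTrust External CA Root -> COMODO intermediates -> server certificate.
WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Self-signed root CA: the trust anchor a client already has (like cacerts.pem)
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout root.key -out root.pem -subj "/CN=Example Root CA" -days 2 >/dev/null 2>&1
# Intermediate CA issued by the root; it must carry CA:TRUE to act as an issuer
openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout int.key -out int.csr -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile int.ext -out int.pem -days 2 >/dev/null 2>&1
# End entity (server) certificate issued by the intermediate (constructed hostname)
openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout leaf.key -out leaf.csr -subj "/CN=example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 2 >/dev/null 2>&1

# The fix from the answer: server certificate first, then the intermediate(s)
cat leaf.pem int.pem > chain.pem

# The "s:" / "i:" check: a chain links when each cert's issuer equals the next subject
subject_of() { openssl x509 -noout -subject -in "$1" | sed 's/^subject=//'; }
issuer_of()  { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer=//'; }

# verify_code CAFILE LEAF [BUNDLE]: prints the X509 verify error number a client
# trusting only CAFILE hits when the server sends LEAF plus the certificates in
# BUNDLE (0 = OK, 20 = unable to get local issuer certificate). Parses the
# output rather than the exit status, since old openssl versions exit 0 on failure.
verify_code() {
  cafile=$1; leaf=$2; bundle=$3
  out=$(openssl verify -CAfile "$cafile" ${bundle:+-untrusted "$bundle"} "$leaf" 2>&1)
  case $out in
    *": OK"*) echo 0 ;;
    *) echo "$out" | grep -o 'error [0-9]*' | head -n 1 | tr -dc '0-9' ;;
  esac
}

echo "leaf issuer:          $(issuer_of leaf.pem)"
echo "intermediate subject: $(subject_of int.pem)"
echo "leaf only:            verify error $(verify_code root.pem leaf.pem)"
echo "leaf + intermediate:  verify error $(verify_code root.pem leaf.pem chain.pem)"
```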