The company I work for ran into a small problem with an SSL certificate from GoDaddy. For some reason it worked flawlessly on most machines but a fresh install of Firefox and most smart phones didn’t like it at all. Asking the GoDaddy support was a rather long waste of time. They actually told me it was installed correctly which sent me off track immediately.
After running around and already considering going with another (much more expensive) certificate, I stumbled across DigiCert’s SSL Certificate Tester. Entering the hostname for the certificate checked it and voila, I found something wrong. Between the server certificate and the intermediate certificate there was a break in the chain. Why this worked still on my browser (without installing the certificate) and many others, but not on a fresh install is still not exactly clear, but that clearly was a problem. Without a proper chain, the browser would show nasty messages about this page not being secure and so on. Some of the customers are banks so they were not very happy about that message, considering this was a new feature for the page that should increase security not decrease it.
So I went back to the GoDaddy page and looked everything over again. The installation instructions lead to how to install them on apache. Now considering everything else went right, there is one specific point where it failed. The instructions tell you to get the intermediate certificate bundle from their repository and then point to that file on your server using the SSLCertificateChainFile directive. Browsing to that page shows you a lot of files, and if you have no other pointers it might get slightly confusing.
For apache, what you need is the file called gd_bundle.crt to have the correct one. It’s in the first section of the page called “Godaddy Certificate Chain”. Save it on your server, point the SSLCertificateChainFile directive to it and you are all set. If you use a different file, say for example one of the lower ones, you get these chain breaking effects.
A flaw in the directions in my opinion, but hopefully this post will remedy some of it for people running into the same troubles.
0 Responses
Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.
You must be logged in to post a comment.