
GoDaddy SSL Certificates and Cannot Verify Identity on Mac/Safari

May 11, 2009

Last weekend we set up SSL support for our server monitoring application, Server Density. We used GoDaddy.com to purchase the wildcard certificate because they have the cheapest prices but after installing, Safari popped up with this error:

Safari can’t verify the identity of the website “boxedice.serverdensity.com”. The certificate for this website was signed by an unknown certifying authority.

It works fine in Firefox on Mac but not Safari. Apparently it also works fine on Windows. Since we work on Macs and use Safari, there was no way we weren’t going to get this resolved!

I searched Google and found this blog post which explains the problem, although it is not very clear about the fix.

The problem turns out to be that the server isn’t configured to provide the full issuing certificate chain all the way back to the root SSL certificate (which is in OS X’s set of trusted roots by default).

When I downloaded my GoDaddy certificate, it had my regular .crt file but also a gd_bundle.crt file. I didn’t know what this was and there were no instructions on the GoDaddy site explaining what to do with it, so I ignored it.

To fix this, you need to use gd_bundle.crt and provide it as an option for SSLCertificateChainFile in Apache in your SSL config files:

SSLEngine On
SSLCertificateFile /etc/httpd/ssl/*.serverdensity.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/*.serverdensity.com.key
SSLCertificateChainFile /etc/httpd/ssl/gd_bundle.crt

11 Comments
  1. May 11, 2009 9:38 pm

    We’re living in parallel universes. I’ve also just installed a Godaddy cert for one of my sites (you’re not setting up a payment gateway by any chance are you?).

    Just for the record, I went for the ‘normal’ certificate, not the wildcard. I just checked in Safari and my cert seems to work fine. I conclude that the issue is ‘just’ with the wildcard certs then. Either that or IIS (don’t hold it against me, I have my reasons…) is handling this particular issue differently than Apache.

  2. Jason Pearce permalink
    May 21, 2009 1:35 pm

    I experienced this problem this week. I have two subdomains, each with a GoDaddy certification. Mac Safari trusted one, but not the other.

    Ends up that the Netgear ProSafe VPN Firewall FVS336G that I installed the GoDaddy certification is unable to provide the full issuing certificate chain all the way back to the root SSL certificate, even though I have installed the gd_bundle.crt on the Netgear.

    I’ve invested a week in setting up SSL VPN on this Netgear with many hours of tech support on the phone. If anyone is considering this product, I don’t advise it.

    Thanks for sharing this tip.

  3. June 16, 2009 6:00 am

    This issue is usually caused by issues with not installing the intermediate certificates (root certificates as referenced). The intermediate certificate can be downloaded by clicking on the link embedded in the email message you receive upon certificate issuance. It is also available from the repository on http://certificates.starfieldtech.com/Repository.go. The Godaddy root certificate – the Valicert Class 2 Policy Validation Authority – is installed in the following browser versions:
    -Internet Explorer 5.01 and higher
    -AOL 5 and higher
    -Netscape 4.7 and higher
    -Opera 7.5 and higher
    -Safari on Mac OS X 10.3.4 and higher
    -Mozilla (all versions)
    -Firefox (all versions)
    -Konqueror (all versions)
    -Palm OS 6.1 and higher (also Treo 650)
    -BlackBerry OS 4.1 and higher
    -Sony Playstation Portable 2.5 and higher
    -Microsoft Windows Mobile 2005 AKU 2 and higher
    -Sun Java Runtime (JRE) 1.4.2_07 and higher and 1.5.0_02 and higher
    -ACCESS NetFront 3.3 and higher
    -Cingular WAP Gateways (any Cingular phone which uses WAP version 1.X for Web browsing)

    -Many Nokia devices manufactured in 2007 and later
    -Apple iPhone (both EDGE and 3G)

  4. June 24, 2009 10:35 am

    I had similar problem with Comodo (InstantSSL.com) and I was using NginX and couldn’t find a way to include Cert Chain File (ca-bundle etc.). So I appended the ca-bundle file to the certificate and used that as my certificate file.

    I.e.

    crt + ca > crt

    cat domain.com.crt comodo.ca-bundle > domain.com_ca.crt

    And in Nginx config:

    ssl_certificate /etc/ssl/certs/domain.com_ca.crt;
    ssl_certificate_key /etc/ssl/private/domain.com.key;

  5. Kevin permalink
    July 24, 2009 2:18 am

    Fantastic. This is exactly the problem I was having and this solution is just what I needed.

  6. August 31, 2009 11:57 pm

    Thanks!

    On NGINX you just need to append the cert bundle onto your existing cert:
    $ cd /etc/ssl/certs/
    /etc/ssl/certs$ wget https://certs.godaddy.com/repository/gd_bundle.crt
    /etc/ssl/certs$ cat gd_bundle.crt >> myssl.crt

    http://wiki.nginx.org/NginxHttpSslModule

  7. December 25, 2010 4:20 pm

    The problem now also exists for GeoTrust certificates, which are now chained instead of single root. A quick way to test if the server is responding correctly with intermediate certificates is to test the website/server with an online SSL tester like http://www.ssltest.net. Most administrators miss this problem, because a lot of browsers automatically fix this problem by downloading the intermediate for the user.

  8. Harold permalink
    June 17, 2011 2:17 am

    Perfect! Thanks for this- just the solution I needed.
