Godaddy SSL Chain Certificate not recognized

Dalma (New member; joined Sep 29, 2010; messages: 6)

Hi all,

I have searched the complete forum whether someone is having the same problem. Installing a certificate shouldn't be that hard, and it isn't if you ask me following the instructions on: http://www.site-helper.com/ssl.html

I have generated a 2048-bit request. Pasted the certificate I got from Godaddy under the key and saved the whole thing.

Then pasted the bundle (chain/intermediate) certificate into the root certificate box, checked "Use a CA Cert." and saved once more.

Success message received, so you think everything is OK now.

Unfortunately it isn't. There are no problems with the major browsers (IE, FF, Chrome), however I do get a warning on Safari (Mac) that the certificate is not trusted.

I used three different SSL tools, to check whether something is wrong:
http://certlogik.com/sslchecker/
http://www.networking4all.com/en/support/tools/site+check/
http://www.sslshopper.com/ssl-checker.html

The certificate is OK, the only problem is that the Chain certificate is not recognized, as it fails to verify the certificate to a trusted root.

So I checked the custom httpd configuration; and guess what... it is there.

Code:
<VirtualHost ip-address:443 >

	SSLEngine on
	SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
	SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
	SSLCACertificateFile /usr/local/directadmin/../domain.com.cacert
...
</VirtualHost>

I verified whether the SSLCACertificateFile actually exists on the server, and it is exactly in the location as mentioned in the custom httpd.

Can someone please tell me what might be wrong or at least point me in the right direction as I am losing my mind here?

Thanks in advance,
Richard
 
I'm no expert on these things, but I had to add a SSLCertificateChainFile in the httpd configuration to make it go through these tests (not Godaddy, btw). There you need to provide the chain file of the issuer.
 
Hi,

Thanks for your response Arieh.

If you search the forum for "Godaddy SSL", you will get a large number of posts. I have read them all, and only some suggest to make changes to the httpd, while most point out that this is not necessary. On the other hand the Godaddy help files describe to add the following directive besides the certificate and key:

SSLCertificateChainFile /path to intermediate certificate/null

The only problem is, I am running Apache 2 and the configuration of Secure Connections is included in httpd-ssl.conf. When checking httpd, there is a line that says:

# Do not change anything in included files, because they are rewritten by DirectAdmin #

I viewed httpd-ssl.conf and I can see the SSLCertificateChainFile is checked.

Nonetheless, I have unchecked it and inserted the correct path. After restarting Apache, nothing has changed... using third party SSL tools the warning remains that there are no intermediate certificates installed.

Surely, there must be a way to add the SSLCertificateChainFile via DirectAdmin?

Thanks for your help,
Richard
 
I don't have it placed in httpd-ssl, but indeed in DirectAdmin, under Custom HTTPD Configurations -> then your domain.

Then only insert

SSLCertificateChainFile /path
 
I have tried that as well, but to no avail. Still get a warning message when using the SSL tools. Also tested with Safari on Mac, iPhone and Android smartphone; all give a warning message that the certificate is not valid.

Not sure what to do anymore...
 
Admin, please move post to Technical Questions

Sorry for the wrong forum.
 
What I notice in your first post in the virtualhost is that at SSLCertificateFile and SSLCertificateKeyFile you have server certificates. These are probably the default ones. I looked at my custom httpd:

Code:
	SSLEngine on
	SSLCertificateFile /usr/local/directadmin/data/users/admin/domains/mydomain.tld.cert
	SSLCertificateKeyFile /usr/local/directadmin/data/users/admin/domains/mydomain.tld.key
	SSLCACertificateFile /usr/local/directadmin/data/users/admin/domains/mydomain.tld.cace

I think it doesn't have the right certificate configured (or did you edit the server certificates)?



Under SSL Certificates @ that user, you need to check and paste the certificate in "Paste a pre-generated certificate and key" along with the private key (which probably stands there already)

So there you need something like this

-----BEGIN RSA PRIVATE KEY-----
<the key here>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<the godaddy cert here>
-----END CERTIFICATE-----

At least that's what I think. There are different types of certs out there.
 
I have done it exactly according to the DirectAdmin help files (as you are describing).

Thanks for pointing out the virtual host "issue" though, because it brings me one step further to the solution. I have noticed that the domain name is linked to my admin account, which might be causing all these problems.

I will report back to you as soon as this is fixed.
 
Not sure if we understand each other correctly, but the virtual host in my latest post was at my server.

This is what you posted:

<VirtualHost ip-address:443 >

SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCACertificateFile /usr/local/directadmin/../domain.com.cacert
...
</VirtualHost>

and this was mine

SSLEngine on
SSLCertificateFile /usr/local/directadmin/data/users/admin/domains/mydomain.tld.cert
SSLCertificateKeyFile /usr/local/directadmin/data/users/admin/domains/mydomain.tld.key
SSLCACertificateFile /usr/local/directadmin/data/users/admin/domains/mydomain.tld.cace
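
The mismatch pointed out in the comparison above can be checked mechanically. The following is an added example, not part of any poster's message and not DirectAdmin code: it parses `<VirtualHost>` blocks and flags a chain/CA file that does not belong to the configured certificate. It assumes the `<domain>.<extension>` file naming visible in the thread; the function names and the second block's `<VirtualHost>` wrapper are made up for the example.

```python
import posixpath
import re

SSL_KEYS = {k.lower(): k for k in (
    "SSLCertificateFile", "SSLCertificateKeyFile",
    "SSLCACertificateFile", "SSLCertificateChainFile")}
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]*?)\s*>(.*?)</VirtualHost>", re.S | re.I)

def stem(path):
    # "domain.com.cacert" -> "domain.com" (assumed <domain>.<ext> naming)
    return posixpath.splitext(posixpath.basename(path))[0]

def audit_config(conf_text):
    """Return [(listen_address, [findings])], one entry per <VirtualHost>."""
    report = []
    for listen, body in VHOST_RE.findall(conf_text):
        d = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0].lower() in SSL_KEYS:
                d[SSL_KEYS[parts[0].lower()]] = parts[1].strip().strip('"')
        findings = []
        cert, key = d.get("SSLCertificateFile"), d.get("SSLCertificateKeyFile")
        chain = [d[k] for k in ("SSLCertificateChainFile", "SSLCACertificateFile") if k in d]
        if not cert or not key:
            findings.append("missing certificate or key directive")
        else:
            if stem(cert) != stem(key):
                findings.append("certificate and key names differ")
            if not chain:
                findings.append("no chain/CA file configured")
            for c in chain:
                if stem(c) != stem(cert):
                    findings.append("chain file %s does not belong to %s" % (c, cert))
        report.append((listen, findings))
    return report

# Constructed sample: the two configurations quoted in the thread. The second
# <VirtualHost> wrapper and its address are placeholders added for parsing.
SAMPLE = """
<VirtualHost ip-address:443 >
	SSLEngine on
	SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
	SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
	SSLCACertificateFile /usr/local/directadmin/../domain.com.cacert
</VirtualHost>
<VirtualHost other-address:443>
	SSLEngine on
	SSLCertificateFile /usr/local/directadmin/data/users/admin/domains/mydomain.tld.cert
	SSLCertificateKeyFile /usr/local/directadmin/data/users/admin/domains/mydomain.tld.key
	SSLCACertificateFile /usr/local/directadmin/data/users/admin/domains/mydomain.tld.cace
</VirtualHost>
"""

if __name__ == "__main__":
    for listen, findings in audit_config(SAMPLE):
        print(listen, findings or "consistent")
```

A name mismatch is only a hint that the virtual host serves the shared server certificate while the intermediate bundle was installed for the domain certificate; the file contents still decide whether the chain verifies.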
 
Is the domain set up under the admin account? If so, then it's a special case. Instructions can be found here

Jeff
 
Thanks so much Jeff, that was exactly what I was looking for!

...and thanks Arieh for all your help, which pointed me in the right direction.

Finally, I can sleep well tonight :)
 