Godaddy SSL certificate installation problems - intermediate certificate not being recognized

domain = mail.gottfried.org


Installed both the certificate and the intermediate certificate from GoDaddy (used the 10.6 Mac OS X version)


Response from:


http://www.sslshopper.com/ssl-checker.html#hostname=mail.gottfried.org


The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following GoDaddy's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.


When I check in 0000_any_443_.conf


I see:


SSLCertificateFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.cert.pem"

SSLCertificateKeyFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.key.pem"

SSLCertificateChainFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.chain.pem"


I am assuming that the intermediate certificate should be:


mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.chain.pem


When I look at that certificate it is the same as


mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.cert.pem


When I check Keychain and export both the mail.gottfried.org certificate and also the Starfield Secure Certification Authority, they match what was installed initially (what I downloaded from GoDaddy).


It looks like in the install process the intermediate certificate is not being linked to the SSL certificate and that the SSL certificate is being used for the chain.


Anyone have any suggestions?


I have talked to both GoDaddy and Apple Enterprise support. GoDaddy has nothing past 10.6 instruction-wise (though the support person really tried to help). The Apple rep couldn't really help, and if I really want help from them I need to talk to integration, where costs start at $700....


Anyone have an SSL provider that worked properly with 10.8 or has really good support for Mountain Lion Server?


Please let me know.


Thanks!


Mac mini (Mid 2011), OS X Server, 10.8.4 Server 2.2.1

Posted on Aug 28, 2013 6:21 PM


Aug 29, 2013 7:56 AM in response to ilouis

While you still can, get a refund for the certificate, and get a certificate from somebody else, and preferably one that doesn't need an intermediate? That'll be the easiest.


If you're not doing ecommerce or otherwise dealing with web browsers and remote clients that you don't have some control over or affiliation with, you can use a private certificate and get equivalent (or arguably better) security. Running your own certificate authority does mean you'll learn more about certificates, though.


Here and here are general descriptions of getting certificates and intermediate certificates loaded, and some troubleshooting here and particularly here (TN2232). I have found exiting Keychain Access to be a necessary step on various versions. It shouldn't be, but...


FWIW and depending on your particular DNS setup and whether you're serving multiple web sites, you'll need a multiple-domain certificate.


Full disclosure: I've chased a few of these cases around for customers, and it can take an hour or three to sort out what the particular vendor of math, err, certificates has implemented, to confirm the particular certificate formats and possibly convert the certificates where necessary, and generally to sort out the various posted directions and confusions. (I'm not particularly fond of any of the major math, err, certificate vendors, either.)

Aug 29, 2013 10:28 AM in response to MrHoffman

Sigh... I am not sure what happened, but it appears like it's working now. I did 2 things: one is set up a fully qualified domain for mail.gottfried.org (as a website), and then I deleted and reinstalled the intermediate certificate. This did not provide any immediate results (I did not see /etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.chain.pem update). Secondly, I enabled root and was going to manually cut and paste the correct intermediate certificate contents into /etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.chain.pem, but when I checked the file the right contents were in there now...


So I am guessing some weird caching was going on and the Finder was not updating with new contents? Or else it took a while for Server.app to update the chain file?


Anyway I am going to leave it alone for now. Check again in a few hours and see if I can get gmail to be happy with the SSL.


Thanks for all the suggestions... I am guessing adding the fully qualified domain as a website did the trick.


Louis
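
The check at the center of this thread (does the file named by SSLCertificateChainFile hold the intermediate, or just a copy of the server certificate?) can be scripted with the openssl command line. This is an added example, not part of any post above; the function names `fingerprint` and `check_chain` are hypothetical, and the two arguments are the cert.pem and chain.pem paths from your own Apache configuration.

```sh
#!/bin/sh
# Added example: sanity-check a leaf/chain PEM pair as referenced by
# SSLCertificateFile and SSLCertificateChainFile.
# Usage: sh check_chain.sh <cert.pem> <chain.pem>
# Return codes: 0 = chain file names the leaf's issuer
#               1 = chain file is the server certificate itself
#               2 = chain file's first certificate is not the leaf's issuer
#               3 = one of the files could not be parsed as a certificate

fingerprint() {
    # SHA-256 fingerprint of the first certificate in a PEM file (empty on error)
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

check_chain() {
    cert=$1
    chain=$2
    leaf_fp=$(fingerprint "$cert")
    chain_fp=$(fingerprint "$chain")
    if [ -z "$leaf_fp" ] || [ -z "$chain_fp" ]; then
        echo "cannot parse PEM input"
        return 3
    fi

    # Failure mode from the thread: chain.pem is the same certificate as cert.pem.
    if [ "$leaf_fp" = "$chain_fp" ]; then
        echo "chain file contains the server certificate, not an intermediate"
        return 1
    fi

    # Name match only (no signature check): the first certificate in the
    # chain file should have the subject that the leaf lists as its issuer.
    leaf_issuer=$(openssl x509 -in "$cert" -noout -issuer_hash)
    chain_subject=$(openssl x509 -in "$chain" -noout -subject_hash)
    if [ "$leaf_issuer" != "$chain_subject" ]; then
        echo "first certificate in chain file is not the leaf's issuer"
        return 2
    fi
    echo "chain file names the leaf's issuer"
    return 0
}

# Run the check when called with two file arguments.
if [ "$#" -eq 2 ]; then
    check_chain "$1" "$2"
fi
```

Only the first certificate in each file is examined, so a chain file that bundles several intermediates is checked at its first link only.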
