
I have moved a website to another server and I have an SSL certificate from godaddy. SSL was working fine on an old server, maintained by my predecessor. Now on a new server I've regenerated the certificate following godaddy's instructions and I have modified ssl.conf file as instructed, but when I go to the part of the website that's supposed to support SSL I still get that "untrusted certificate". If I add it as trusted, everything works fine, but it loses the point of a trusted certificate.

What's even more weird is that on the old server ssl.conf file is default, so how come the certificate is working fine on it then? Are there any other ways to install SSL certificate than modifying ssl.conf?

Changes that I made to the ssl.conf:

<VirtualHost *:443>
DocumentRoot "/var/www/vhosts/domain.com/httpdocs"
ServerName www.domain.com:443
SSLCertificateFile /var/www/vhosts/domain.com/private/domain.com.crt
SSLCertificateKeyFile /usr/bin/domain.com.key
SSLCACertificateFile /var/www/vhosts/domain.com/private/gd_bundle.crt
<Directory "/var/www/vhosts/domain.com/httpdocs">
    AllowOverride All
</Directory>
</VirtualHost>

Is there something I'm doing wrong?

==================================================================================

UPDATE: as suggested, I added the line to enable godaddy's bundle certificate in my ssl.conf:

SSLCertificateChainFile /var/www/vhosts/domain.com/private/gd_bundle.crt

and commented out the line:

#SSLCACertificateFile /var/www/vhosts/domain.com/private/gd_bundle.crt

Everything is still the same, certificate is untrusted...

UPDATE2: I accepted the certificate and viewed it, and it's not mine, it says "Plesk" is the owner. For some reason Plesk is stuffing its certificate, can I remove it somehow? Sorry for confusion...

UPDATE3: I looked at ssl_error_log and this is what it says:

[Sat Sep 03 12:37:36 2011] [warn] RSA server certificate CommonName (CN) `www.domain.com' does NOT match server name!?

What's that supposed to mean?

UPDATE4: If I change

<VirtualHost *:443>

to

<VirtualHost www.domain.com:443>

when I try to access the page the browser pops up the open/save dialog for php source file?!? This is just insane...

Caballero
  • I'm afraid my feeling is that you have bigger config issues than an SSL certificate chain, and until you can isolate individual problems, this may not prove a fruitful discussion. – MadHatter Sep 03 '11 at 13:29
  • Could you have your browser configured to go through an SSL Proxy? – HTTP500 Sep 03 '11 at 14:23
  • (re: update 4) Why'd you do that? Turning off name based virtual hosting for that block is just going to make that configuration not apply - and cause other config to be used, which is just serving the PHP instead of running it. Don't mess with your `VirtualHost` definition. On the whole issue.. what validation problem does the browser have with the certificate? – Shane Madden Sep 03 '11 at 21:10

2 Answers

2

It looks as if Godaddy, like many SSL issuers, use an intermediate certificate that must be served by your SSL server in order for the chain of trust to be complete.

In essence, instead of signing your CSR with a certificate which is itself in the public bundle known to most browsers, they sign your CSR with a certificate of their own; this certificate of theirs is in turn itself certified by one of the certificates in the browsers' public bundle to sign anything.

There are good reasons to do this, but the upshot is that when you serve your certificate to people in the SSL handshake phase you have to serve a copy of godaddy's signing certificate at the same time. Then the browser can say to itself "the site certificate is signed by this intermediate godaddy certificate, and the intermediate godaddy certificate is signed as 'OK to sign other things' by eg Equifax/Thawte/Verisign/some other top-level authority whom I trust", and the browser is happy. If the browser doesn't get that intermediate certificate, it can't connect the chain of trust, and it isn't happy.

Godaddy have a chain certificate installation instruction page for apache at this help page.

Edit: it sounds like your SSL config has more than what you wrote. You can't just add config to apache and expect it to work, you have to remove anything that conflicts. Try

find /etc/http/conf -type f -exec grep -i sslcertificatefile {} /dev/null \;

(replacing /etc/http/conf with your apache config root, if you keep it elsewhere) and see where the plesk certificate is configured. Comment that section out and try restarting apache.

MadHatter
  • My explanation above should tell you **what** the intermediate certificate is. **Where** it is is on the help page I pointed you to, as are instructions for installing it (yes, using the `SSLCertificateChainFile` directive). – MadHatter Sep 03 '11 at 10:18
  • Try `gd_intermediate.crt` instead. If that fails, try `gd_cross_intermediate.crt`. – MadHatter Sep 03 '11 at 10:29
  • It seems that the problem is that I get to accept Plesk's certificate instead of mine, this is even more confusing... – Caballero Sep 03 '11 at 10:30
  • there are no duplicates, however there is an error in ssl log file ->UPDATE3 – Caballero Sep 03 '11 at 11:45
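The two failure modes discussed on this page (a missing intermediate in the chain, as in MadHatter's answer, and a certificate whose name does not match the server name, as in UPDATE3) can both be reproduced and checked offline with openssl. The script below is an added example, not from the question or the answers: it builds a throwaway root, intermediate and site certificate for www.domain.com (all constructed, not GoDaddy's real certificates) and runs the same checks a browser performs, with and without the intermediate that SSLCertificateChainFile is meant to supply.

```shell
#!/bin/sh
# Constructed demo chain: root -> intermediate -> leaf for www.domain.com.
set -e
work=$(mktemp -d)
cd "$work"

# Root CA, self-signed: stands in for the top-level authority the browser already trusts.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.crt >/dev/null 2>&1

# Intermediate signed by the root: stands in for the issuer's signing cert (gd_bundle.crt).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout inter.key -out inter.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 2 -extfile inter.ext -out inter.crt >/dev/null 2>&1

# Site certificate signed by the intermediate: the equivalent of domain.com.crt.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.domain.com" \
  -keyout site.key -out site.csr >/dev/null 2>&1
printf 'subjectAltName=DNS:www.domain.com\n' > site.ext
openssl x509 -req -in site.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 2 -extfile site.ext -out site.crt >/dev/null 2>&1

# Check 1: only the root is trusted and no intermediate is presented.
# This is what a browser sees when the server omits the chain file: verification fails.
verify_without_chain() {
  openssl verify -CAfile root.crt site.crt >/dev/null 2>&1
}

# Check 2: the intermediate is presented as an untrusted extra cert (what
# SSLCertificateChainFile does on the wire); the chain now closes at the root.
verify_with_chain() {
  openssl verify -CAfile root.crt -untrusted inter.crt site.crt >/dev/null 2>&1
}

# Check 3: name check against the name the client asked for; a mismatch fails
# even when the chain itself is fine (the situation UPDATE3's warning points at).
verify_hostname() {
  openssl verify -CAfile root.crt -untrusted inter.crt \
    -verify_hostname "$1" site.crt >/dev/null 2>&1
}

if verify_without_chain; then echo "unexpected: leaf verified without intermediate"; fi
if verify_with_chain; then echo "chain complete with intermediate"; fi
if verify_hostname www.domain.com; then echo "name www.domain.com matches"; fi
if verify_hostname www.other.com; then echo "unexpected: www.other.com matched"; fi
```

Against a live server the equivalent of check 1 and 2 is to look at what is actually sent in the handshake (openssl s_client with -showcerts) and confirm the intermediate is in the list; if only the leaf appears, the chain file is not being served by the vhost that answered.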
1

Maybe you need the SSLCertificateChainFile option inside your VirtualHost. You should find more information at your SSL provider's homepage. Have a look at https://certs.godaddy.com/anonymous/repository.seam

Izac