11

We just got a new SSL certificate from GoDaddy. And, while all browsers are fine with the certificate, Safari gives the following error:

This certificate was signed by an unknown authority.

We are using a chain file in the following config in Apache:

```apache
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/godaddy.crt
SSLCertificateKeyFile /etc/apache2/ssl/godaddy.key
SSLCertificateChainFile /etc/apache2/ssl/gd_bundle2.crt
```

Looking around the web, it seems that others have experienced this issue as well (http://blog.boxedice.com/2009/05/11/godaddy-ssl-certificates-and-cannot-verify-identity-on-macsafari/), but no solution seems to fix the issue.

Does anyone know why this would be caused, or have experience with this happening, and how to fix it?

Zed Said

5 Answers

8

Verify that the correct intermediate certificates are being given out by the server at http://www.sslshopper.com/ssl-checker.html

As martona suggested, you may need to use a different bundle.

Robert
2

You may be using the wrong cert chain. I assume your "gd_bundle2.crt" is the same as "gd_bundle.crt" on this page: https://certs.godaddy.com/anonymous/repository.seam

That gd_bundle.crt chain has a "Go Daddy Class 2 Certification Authority" that verifies up to a Valicert root. I don't think this is valid anymore - GoDaddy seems to issue certs that are signed by "Go Daddy Secure Certification Authority" that is in turn signed by a different, self-signed "Go Daddy Class 2 Certification Authority" - not the Valicert-issued one in your chain, so it has nothing to do with your actual certificate.

Go to the page referenced above, download "gd-class2-root.crt" then download "gd_intermediate.crt". Concatenate the two files (they're just plain text files) into "mybundle.crt" and specify this new file in SSLCertificateChainFile. See if that makes a difference.

martona
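The bundle mismatch described in the answer above can be reproduced and checked offline with `openssl verify` before touching the Apache config. This is an added example, not part of the original answer: the "Demo" certificates, the file names other than mybundle.crt, and the helper functions `issue` and `chain_ok` are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed throwaway PKI: every "Demo ..." name is a placeholder,
# not a GoDaddy certificate. Requires the openssl CLI (1.1.0 or newer).

# issue NAME CN SIGNER|self [EXT_SECTION]: writes NAME.key and NAME.crt
issue() {
  name=$1 cn=$2 signer=$3 ext=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -config demo.cnf -subj "/CN=$cn" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  if [ "$signer" = self ]; then
    set -- -signkey "$name.key"
  else
    set -- -CA "$signer.crt" -CAkey "$signer.key" -CAcreateserial
  fi
  openssl x509 -req -in "$name.csr" -days 2 -out "$name.crt" "$@" \
    ${ext:+-extfile demo.cnf -extensions "$ext"} 2>/dev/null
}

# chain_ok ROOT BUNDLE LEAF: true only if LEAF reaches ROOT via intermediates in BUNDLE.
# BUNDLE plays the role of the file named in SSLCertificateChainFile.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

work=$(mktemp -d) && cd "$work"
printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > demo.cnf
issue root  "Demo Root CA"     self ca
issue int   "Demo Secure CA"   root ca   # the intermediate that really signs the leaf
issue stale "Demo Legacy CA"   root ca   # an intermediate unrelated to the leaf
issue leaf  "www.example.test" int

cat stale.crt root.crt > old_bundle.crt  # bundle whose intermediate did not issue the leaf
cat int.crt   root.crt > mybundle.crt    # issuing intermediate plus root, concatenated

# The leaf's issuer must match the subject of a certificate in the bundle.
openssl x509 -in leaf.crt -noout -issuer
for b in old_bundle.crt mybundle.crt; do
  if chain_ok root.crt "$b" leaf.crt; then
    echo "$b: chain complete"
  else
    echo "$b: chain broken"
  fi
done
```

For a real deployment, pass the server certificate as the leaf, the candidate chain file as the bundle, and the CA's published root as the root.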
1

I encountered this issue when adding a StarField (wildcard) SSL certificate to Apache on HPUX when using sf_bundle.crt as my chain cert. I replaced it with the more generic sf_intermediate.crt (from https://certs.starfieldtech.com/anonymous/repository.seam) as the SSLCertificateChainFile, which resolved the Safari "unknown authority" issue for me.

1

For some reason Safari doesn't stay up to date with the latest trusted root certification authorities. You can contact customer service and ask them to reissue you a certificate with a different trusted root certificate.

Rhett
0

Not quite a solution to the actual problem at hand, but it is quirks like this that cause me to always buy my SSL certs from Thawte.

Brian De Smet