Tomcat, OS X, Safari and GoDaddy SSL Certificates
By Adrian Sutton
There’s already a lot of stuff written on the internet about how GoDaddy SSL certificates aren’t recognized by Mac but are by Windows, all of it pointing to “a configuration problem”. I’m not sure how we got such special treatment but none of the instructions I’ve seen work in our particular case.
In case you’re not familiar with it, the problem is that on Mac OS X connecting to the site displays a dialog saying that the certificate could not be validated for an unknown reason. Thanks a heap for that OS X… On Windows it works just fine. The problem turns out to be that the server isn’t configured to provide the full issuing certificate chain all the way back to the root SSL certificate (which is in OS X’s set of trusted roots by default). All around the internet you’ll get instructions saying to make sure that the SSLCertificateChainFile is set to point at gd_bundle.crt (available from GoDaddy’s repository). This doesn’t work with our certificate, not sure why.
The instructions we originally got didn’t mention anything about gd_bundle.crt and instead attached an sf_issuing.crt and told us to use that. This also doesn’t work.
It turns out we have a legacy certificate and that since it was issued GoDaddy have changed their certification chain. So instead of using gd_bundle.crt we should use ca_bundle.crt and otherwise follow the GoDaddy instructions. Then it seems to work with everything and the world is good.
You can then verify it’s all working using OpenSSL:
openssl verify -CAfile ca_bundle.crt -purpose sslserver <your crt file to test>
It should return:
<your crt file to test>: OK
If instead it returns something like:
error 20 at 0 depth lookup:unable to get local issuer certificate
You’re still missing one of the certificates in the issuing chain and are probably using the wrong crt from GoDaddy as the CAfile.
Update
I’ve changed the above to reflect that we’ve now got it all working. It turns out the president of GoDaddy found this post and passed it on to Ryan Koski, a systems engineer working with GoDaddy’s SSL certification systems, who very kindly got in touch with me and offered to help. I discovered the difference between new certificates and ours while writing up the configurations I’d tried for Ryan. I’d never noticed before because I hadn’t discovered the ValiCert root certificate at the bottom of our certificate chain when I was over at the GoDaddy repository. At that point, we didn’t have the valid chain to the root certificate so obviously browsers didn’t show it.
I must admit I’m also rather impressed by GoDaddy’s dedication, I may not like their advertising or web site much but I do have to admit they have the cheapest SSL certificates I can find anywhere and their customer support is first class.
If you’re having problems with a GoDaddy cert, log a support case because you’ve almost certainly screwed up and they should be able to help you. Yes, this is a hard-learnt lesson.