12 July, 2006

SSL woes

For those of you non technical types, feel free to tune out now. I won't be offended. Honest. This is going to be quite a rant.

So I've got this job, right. And at this job, we do a lot of website hosting, some of these on "secure" (https) servers. For these servers and their hosted pages to work properly, I need an SSL certificate. Easy enough, right? Haha, I wish.

A couple weeks ago, it comes time that we need to order a new SSL certificate, for a new secure website. We go to Thawte, where we've ordered all of our certificates from before, place an order for a new one, and give them all the information they need. After numerous correspondences and far too much time wasted, it becomes glaringly obvious that we're not going to get a certificate from Thawte anytime soon. Alright, screw them, we'll go with the new trusted name on the internet, GoDaddy. They know what they're doing.

Don't they?

We place the order with GoDaddy and receive our new certificate almost immediately. Wonderful! I'm liking this already. Follow their instructions to install the certificate, all goes smoothly... but just to be safe, before I restart the web server, I run a "configtest", to make sure it likes it.

$ sudo apache-sslctl configtest
Syntax error on line 1213 of /etc/apache-ssl/httpd.conf:
Invalid command 'SSLCertificateChainFile', perhaps mis-spelled or defined by a module not included in the server configuration

Wonderful. Doesn't work. Hmm well, what if I just comment that line out? Can't hurt too much, right? So I comment the line out.... run a configtest... it's okay! Groovy! Restart apache, and we're up and running! So I open up Firefox, go to the website, it's secured... no problems! Oh wait, just to be safe, I better check it in IE also. Open up IE... bring up the site... what? Can't verify the certificate? What the hell is this? Oh crap. That line that didn't work. GoDaddy provides an "intermediate" certificate for ... whatever stupid reason. That's great. Well, we can't have IE users always getting an error. This just will not do.

Time to call up GoDaddy support, see if they can help out. I talk to the general tech support girl .... she has no idea what I'm talking about, says she has to pass me on to SSL support. Alright, cool. They've got good hold music anyways. A whole bunch of swing/ska music.... I could stay on hold here all day! (And I nearly do....) Several songs and a good while later, I'm talking to an SSL support guy. I describe the problem to him... he thinks for a minute... asks a few basic questions.... and then decides that I need to re-generate the key.

Whoa. Hold on. What?

I tell him the problem again. Still he insists that I should regenerate the key. Okay, I'll try a different approach. I ask him if GoDaddy can possibly create a key WITHOUT the intermediate key. Apparently this thought is blasphemous in his world, and quite an impossible feat. Lovely. I ask for his recommendation on the stipulation that our web server, for some reason, doesn't support using an intermediate key. "Uh.. well.. you should regenerate .... " oh wow, I can see this is getting nowhere fast. Okay okay, another approach.. quick. I ask him if he thinks I might need to upgrade OpenSSL. We've got a 0.9.7 version... that sounds relatively up to date, but I'm not sure how recent. Maybe this is just something not supported there. At which point he lays this whopper on me: Apparently, the GoDaddy servers are running OpenSSL 1.3. Ahem. Cough cough.
The current version is available from http://www.openssl.org. OpenSSL 0.9.8b was released on May 4th, 2006.
Well hello Mr. Future Man! What's it like to be in the year 2025? I'm done with this fool. GoDaddy's support is USELESS. I guess I'll have to do some more creative Googling. Eventually, I come across this site. Exactly what I've been needing from the beginning. This confirms my suspicions that GoDaddy's documentation and tech support are lacking. We're using another (apparently widely used) SSL package. And what it all comes down to is changing the directive for that line. So instead of having "SSLCertificateChainFile", I use "SSLCACertificateFile" .... and then it works perfectly! Shiny!

*sigh* The trials of working in an undocumented environment.
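What actually went wrong above, and what the first comment below fixes, is that the server stopped sending the intermediate certificate once the chain line was commented out. A client that trusts only the vendor's root and does not already hold the intermediate cannot build a path from the server certificate to that root, so it reports the certificate as unverifiable. The directive that ships the intermediate is SSLCertificateChainFile under mod_ssl and SSLCACertificateFile under Apache-SSL (Ben-SSL); the swap is specific to Apache-SSL, since on mod_ssl SSLCACertificateFile instead names the CAs accepted for client certificates. The program below is an added example, not code from this post or from either CA: it builds a throwaway root, intermediate and server certificate in memory (a constructed stand-in for the vendor's ".ca-bundle" and your own certificate), then shows that a root-only trust store rejects the server certificate when the intermediate is missing and accepts it when the intermediate is supplied, and checks that a concatenated chain file is ordered leaf first with each certificate signed by the next. The hostname www.example.test and the CA names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a root -> intermediate -> leaf chain generated in memory: a
// constructed stand-in for a vendor CA, its intermediate bundle and a server
// certificate. None of it is real CA material.
type testPKI struct {
	RootPEM, IntermediatePEM, LeafPEM []byte
}

// issue signs tmpl with the parent's key and returns the parsed cert plus its PEM.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, []byte, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// caTemplate describes a CA certificate valid for one day around now.
func caTemplate(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// buildTestPKI creates the three-tier chain for the assumed hostname.
func buildTestPKI(hostname string) (*testPKI, error) {
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, intKey, leafKey := keys[0], keys[1], keys[2]

	rootTmpl := caTemplate(1, "Example Test Root CA")
	root, rootPEM, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, err
	}
	inter, interPEM, err := issue(caTemplate(2, "Example Test Intermediate CA"), root, &intKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	_, leafPEM, err := issue(leafTmpl, inter, &leafKey.PublicKey, intKey) // signed by the intermediate only
	if err != nil {
		return nil, err
	}
	return &testPKI{RootPEM: rootPEM, IntermediatePEM: interPEM, LeafPEM: leafPEM}, nil
}

// parseBundle returns the CERTIFICATE blocks of a PEM bundle in file order.
func parseBundle(bundle []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			return certs, nil
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
}

// verifyLeaf acts like a client that trusts only rootPEM: the server cert in
// leafPEM verifies only if the intermediates the server sends (bundlePEM)
// bridge the gap to that root. An empty bundle models the commented-out chain line.
func verifyLeaf(leafPEM, bundlePEM, rootPEM []byte, hostname string) error {
	leafs, err := parseBundle(leafPEM)
	if err != nil {
		return err
	}
	if len(leafs) == 0 {
		return errors.New("no server certificate found")
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootPEM) {
		return errors.New("no root certificate found")
	}
	inters := x509.NewCertPool()
	if len(bundlePEM) > 0 {
		inters.AppendCertsFromPEM(bundlePEM)
	}
	_, err = leafs[0].Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots, Intermediates: inters})
	return err
}

// checkBundleOrder confirms a concatenated chain file is ordered leaf first,
// with every certificate signed by the one that follows it.
func checkBundleOrder(bundlePEM []byte) error {
	certs, err := parseBundle(bundlePEM)
	if err != nil {
		return err
	}
	if len(certs) < 2 {
		return errors.New("bundle holds fewer than two certificates")
	}
	for i := 0; i+1 < len(certs); i++ {
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return fmt.Errorf("cert %d (%s) is not signed by cert %d (%s): %w",
				i, certs[i].Subject.CommonName, i+1, certs[i+1].Subject.CommonName, err)
		}
	}
	return nil
}

// concatPEM joins PEM fragments the way a chain file is assembled with cat.
func concatPEM(parts ...[]byte) []byte {
	var out []byte
	for _, p := range parts {
		out = append(out, p...)
	}
	return out
}

func main() {
	p, err := buildTestPKI("www.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("without intermediate:", verifyLeaf(p.LeafPEM, nil, p.RootPEM, "www.example.test"))
	fmt.Println("with intermediate:   ", verifyLeaf(p.LeafPEM, p.IntermediatePEM, p.RootPEM, "www.example.test"))
	fmt.Println("bundle order:", checkBundleOrder(concatPEM(p.LeafPEM, p.IntermediatePEM, p.RootPEM)))
}
```

The first line of output is the IE situation from the post (no path to the root, so an "unknown authority" style error); the second is what the fixed directive produces. The same two checks can be run against a live server by replacing the constructed PEM with the certificates a TLS client receives from it, which is the quickest way to confirm the chain is actually being sent rather than merely configured.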

2 comments:

Unknown said...

See comment on
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=264

This line doesn't work on Apache/1.3.33 Ben-SSL/1.55 (Debian GNU/Linux):
SSLCertificateChainFile /etc/ssl/crt/yourSERVERNAME.ca-bundle

This one is an alternative for that version:
SSLCACertificateFile /etc/ssl/crt/yourSERVERNAME.ca-bundle

This solved the problem for me in apache 1.3 (I suppose upgrading to apache 2.2 is a better solution though)

RapidSSL said...

SSL certificates can provide you with non-forgeable proof of your website's identity, and customer confidence in the integrity and security of your online business. Buy RapidSSL, VeriSign, GeoTrust and Thawte SSL Certificates at wholesale price from ClickSSL.com