30 April 2012

Android & iPhone don't accept GoDaddy certificates without SSLCertificateChainFile

I've found that Android and iPhone don't accept a GoDaddy SSL certificate that is valid in all desktop browsers. If you click "View certificate", you'll see that the certificate itself is correct, but the issuing authority is not trusted. At first I thought this behaviour was linked to the SSL port being configured in SNI mode (a single address+port pair shared by several HTTPS domains), since SNI isn't supported by some browsers, but the real cause was that I had ignored one configuration option that GoDaddy suggests in its official manual:

SSLCertificateFile /path/to/your/certificate/file
SSLCertificateKeyFile /path/to/your/key/file
SSLCertificateChainFile /path/to/intermediate/bundle/file

# source: http://support.godaddy.com/help/5238 

The underlying issue: the GoDaddy intermediate authority isn't in the trusted-authorities list on mobile platforms, so the server has to send it along with the site certificate. It's fixable by specifying the certificate chain file in httpd.conf.
Good luck with secure connections!
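To reproduce the failure described above without a phone or a GoDaddy certificate, here is an added example (not part of the original post) that builds a constructed root -> intermediate -> leaf chain with the openssl command-line tool and verifies the leaf against a trust store holding only the root. Verification fails when the intermediate is absent, which is the situation a mobile client is in when Apache doesn't send the bundle, and succeeds when the intermediate is supplied as the untrusted chain, which is what SSLCertificateChainFile makes the server do. It assumes an openssl binary (1.1.1 or later) on PATH; all names, paths and files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway
# root -> intermediate -> leaf chain with openssl, then verify the leaf
# against a trust store that holds only the root, first without and then
# with the intermediate. All names and files are constructed for the demo.
set -e

WORK="${TMPDIR:-/tmp}/chain-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Extensions for the intermediate (a CA that may only sign end-entity certs)
# and for the leaf (an ordinary server certificate).
printf '%s\n' 'basicConstraints = critical,CA:TRUE,pathlen:0' \
  'keyUsage = critical,keyCertSign,cRLSign' > "$WORK/inter.ext"
printf '%s\n' 'basicConstraints = CA:FALSE' \
  'keyUsage = critical,digitalSignature,keyEncipherment' \
  'extendedKeyUsage = serverAuth' > "$WORK/leaf.ext"

# issue NAME SUBJECT ISSUER EXTFILE: new key + CSR, certificate signed by ISSUER.
issue() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$4" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Self-signed root (the only thing the "phone" trusts), then the two links below it.
make_chain() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Demo Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  issue inter "/CN=Demo Intermediate CA" root "$WORK/inter.ext"
  issue leaf  "/CN=www.example.test"    inter "$WORK/leaf.ext"
}

# verify_leaf [CHAINFILE]: emulate a client whose trust store holds only the
# root. The optional chain file plays the role of the intermediates the server
# sends in the handshake (Apache's SSLCertificateChainFile). Returns 0 on "OK".
verify_leaf() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'
  else
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'
  fi
}

# demo: returns 0 only when the broken case fails and the fixed case succeeds.
demo() {
  make_chain
  if verify_leaf; then
    echo "unexpected: leaf verified without the intermediate" >&2; return 1
  fi
  echo "no chain file: verification fails (what the phone sees)"
  if ! verify_leaf "$WORK/inter.pem"; then
    echo "unexpected: leaf failed even with the intermediate" >&2; return 1
  fi
  echo "intermediate bundle supplied: chain completes, verification succeeds"
}

demo
```

On a live server the equivalent check is `openssl s_client -connect yourhost:443 -servername yourhost -showcerts`: after the config change and reload, the intermediate certificate should appear in the certificate list the server sends, right after the site certificate.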

4 comments:

  1. Thanks for sharing this, I've spent a few hours jumping up and down trying to find a solution! Just out of interest, my web host is telling me I have to "rekey the certificate", which could take up to 72 hours, and will affect my desktop users.

    Is this the case, or is it a simple fix where all that is required is a simple edit to the server's httpd.conf?

    Again, huge thanks for sharing!

  2. This fix helps iPhone/Android check that the certificate is valid by providing information about the chain, like:
    Your cert -> GoDaddy -> (some other certification company) -> CA, already trusted by iPhone/Android

    It will help right after apache config reload.

    "rekey the certificate" - does it mean private key regeneration, or what?

  3. All that's required for this is a simple config file edit. Your webserver will need to start sending the intermediate cert along in the response, which it didn't do initially.
    Once the GoDaddy intermediate cert is sent, the SSL chain is completed and Android/iOS will accept the SSL certificate.

    You shouldn't have to regenerate/'rekey' your certificate for this to work.
