Securing Spiceworks with GoDaddy Certificate - Apache need Intermediate?

adam4703 · 2011-05-23T07:39:55.000Z

I have used the instructions located here: http://community.spiceworks.com/how_to/show/922 to successfully install my GoDaddy cert for securing my spiceworks site, however, when I attempt to connect to it via Blackberry or Android devices, I get a warning that the certificate is not trusted.

I assume this has something to do with the intermediate certificate required for use with their certificates. I installed the intermediate cert to the server in the certificates snap-in, but that does not seem to make any difference.

I do not get any trust issues using firefox, chrome, or IE.

I wonder if it is necessary for me to go through the openssl process for the intermediate in order to get it properly installed on the Apache site. I have no apache experience which is probably obvious by this post!

I appreciate any assistance given!

Adam

alex3031 · 2011-05-23T07:43:50.000Z

Androids may not have the appropriate intermediate authority installed. Hapens with lots of mobile devices.

alex3031 · 2011-05-23T07:47:50.000Z

You should be able to trust the cert on the phone anyways though, or is this going to be an issue for end users?

adam4703 · 2011-05-23T07:56:15.000Z

Most definitely an issue for end users! I am probably going to see if I can get my money back from GoDaddy and buy one from somewhere that doesn’t have the intermediate in the chain.

I will post back what I end up doing so that it will hopefully help others.

adam4703 · 2011-05-23T08:19:28.000Z

I just tried to connect to our OWA URL from my Android and I did not get the certificate warning. The cert securing that site is also from GoDaddy. This leads me to believe that the issue is most likely related to the Apache side of this and not on GoDaddy’s side.

alex3031 · 2011-05-23T09:18:12.000Z

Hmm, did you view the cert on the phone to see the exact reason it wasn’t trusted?

adam4703 · 2011-05-23T09:51:01.000Z

It only says the certificate is not from a trusted authority.

alex3031 · 2011-05-23T09:57:27.000Z

Are you sure the GoDaddy Certificate is the one being presented? Did you buy the same type of certs for your OWA and SPiceworks?

adam4703 · 2011-05-23T10:02:03.000Z

The one for OWA is a SAN cert that contains many different names. The one I’m using for Spiceworks is a straight up old fashioned SSL cert.

When I click to view the certificate it shows the one I just purchased last week and the correct URL name which matches the DNS name used to connect to the site.

alex3031 · 2011-05-23T10:20:01.000Z

This blog (albeit from last year seems to confirm that GoDaddy’s intermediate authority is not installed on Android) http://blog.wiercinski.net/2010/android/android-handsets-do-not-recognise-godaddys-ssl-certificates/

. If the certs are different between your OWA cert and this one it may be signed differently by GoDaddy. I am looking over Apache documentation and the link you used to set it up, combined with the information you presented there is no reason other than not have the proper trusted authority in the store. The cert is being presented by the server, you said you verified that, after it gets served up the ball is in the browsers hands.

adam4703 · 2011-05-23T11:31:44.000Z

I saw that blog post when I began researching the problem, too. It wasn’t extremely helpful, but at least good to know someone else has similar issues…

Is there another place to install the intermediate other than in the certificates snap-in of the server hosting the site? It seems to me like that would be necessary, but since it’s apache there may be something else I’m not aware of.

alex3031 · 2011-05-23T12:30:11.000Z

Actually we are not talking about the CA or intermediate CA on the server hosting the site but the CA on the phone itself. Each phone manufacturer (and this can also vary based on carrier too) has a list of trusted root authorities and Intermediate root authorities that ship on the phone, if you buy an SSL cert and the root authority or the intermediate authority that issued the cert does not exist on the phone the phone will not consider it valid. The only way to rectify this is to install the cert itself as a trusted cert, or install a root or intermediate trusted authority cert on the phone(s). If you do not have control of the phones this may make that solution more difficult for you as each person would have to install the authority cert on the phone themselves, or just accept the annoying warning.

Here are a couple of links to information on installing certs, it appears from a quick once over that if the trusted root and intermediate authority on the phone does not all ready have an entry you cannot add additional ones, you can only import the cert that’s causing the error and trust it.

http://stackoverflow.com/questions/4461360/how-to-install-trusted-ca-certificate-on-android-device

http://stackoverflow.com/questions/3777058/list-of-trusted-ca-in-android

adam4703 · 2011-05-26T06:57:21.000Z

Thanks for your replies, Alex.

I don’t understand why an IIS server with the same type of cert with the same trust chain would not throw up the certificate warning like it does with this site on Apache unless I somehow need to add the intermediate to the site. Does that make sense?

For obvious reasons I do not wish to have to install the certs on all of our mobile devices!!

It just does not make any sense why the behavior between these 2 sites I’m comparing is different when they both have certs issued by the same company with the same trust chain.

alex3031 · 2011-05-26T07:41:36.000Z

Even though they are both GoDaddy certs they may have been signed by different authorities you could find out by looking at the certs themselves they should indicate the signing authority.

adam4703 · 2011-06-01T14:50:13.000Z

They are signed by the same authority.

adam4703 · 2011-06-02T13:09:45.000Z

I have resolved this by doing the following:

I had to edit httpd.conf –

Listen 443

SSLEngine on

SSLOptions +StrictRequire

SSLCipherSuite HIGH:MEDIUM:+EXP

SSLCertificateFile “ssl/ssl-cert.pem”

SSLCertificateKeyFile “ssl/ssl-private-key.pem”

SSLCertificateChainFile “ssl/intermediate.pem” #this line was added

In order to get the intermediate .crt filefrom GoDaddy converted to .pem I used these commands.

openssl x509 -in input.crt -out input.der -outform DER

then

openssl x509 -in input.der -inform DER -out output.pem -outform PEM

I then copied the output.pem file to the SSL directory and renamed it to intermediate.pem to match the config file.

Thanks for your help on this, Alex.

alex3031 · 2011-06-02T13:17:33.000Z

No not much help on my end there, just glad you got it resolved. I am guessing it was the crt, vs pem file issue? I though you had edited the httpd.conf file previously. No matter am happy it is working for you now.

adam4703 · 2011-06-02T13:22:22.000Z

I had gone through the conversion process for the main “named” cert, but not for the intermediate.

It was my suspicion all along that it needed to be “installed” but I just didn’t know how.

stevem · 2012-08-02T06:07:48.000Z

I know this has been a long time since the last posting but this took care of the issue I was having as well! I knew it was something with the intermediate cert, but couldn’t find the info to add it to Apache!

+SPICE!!!