Authorizing GoDaddy SSL Certificates
Jan. 1st, 2008 @ 11:25 am
This entry walks through the process of obtaining and installing an SSL Certificate from GoDaddy, such that they seamlessly work through stunnel and are accepted by Firefox and Thunderbird. I generally like GoDaddy; both their prices and 95% of their service are very good. Unfortunately they're more than a little bit clueless on the upper reaches of the technology, but at least they make an effort most of the way.
But this is a case where I was going right beyond their ability, particularly with my use of stunnel.
The Task
I have, for many years, used a self-signed SSL Certificate to encrypt data to/from my website, especially webmail. Back then (2004), SSL was not commonly supported for email, so this was pretty novel and high-security. But jumping forward four years, my self-signed certificate was expiring anyhow and my wife's iPhone isn't so fond of self-signed certs, so I decided to combine the addition of SSL to the POP3/SMTP with getting a fully-authenticated cert. Which, given the use and price, meant GoDaddy, where a 5-year cert can be had for about $90. Yeah, that's $90 more than signing my own, but in theory connecting browsers and email programs shouldn't squawk about it either.
In theory.
In practice, while Opera and Internet Explorer come knowing about GoDaddy, Firefox and Thunderbird do not. And therefore presumably several other devices also don't. They gripe that GoDaddy is an "Unknown Authority"... rather than silently accepting it. So the bulk of this entry is about overcoming that problem.
Background
SSL Certificates are basically encryption packets referencing other encryption packets, up a tree of trust. It's a bit like asking for references... "John, do you trust Tim?", "Jerry, do you trust John?". Your web browser knows a few top-level authorities, but certainly not a comprehensive list. So when you hit a new SSL certificate, your browser (or SSL library) checks it against the browser's own list of trusted authorities.
You can view the list of authorities in your browser pretty easily:
- Firefox: Options - Advanced - View Certificates - Authorities.
- Opera: Tools - Preferences - Advanced - Security - Manage Certificates - Authorities
- IE7: Tools - Internet Options - Content - Certificates - Trusted Root Certificates and Intermediate Certification Authorities.
If you have both Firefox and Opera or IE7, you can see that GoDaddy has a 2004 certificate in the Authorities table in Opera and quite a few entries in IE7 (which seems extremely comprehensive, the one area where Vista became less annoying), but no such certificate in Firefox. (A Starfield certificate exists in both Opera and Firefox, which would seem helpful since Starfield is GoDaddy's parent company, but since the certificate chain for the certs GoDaddy sends out isn't rooted at Starfield, this winds up not mattering.)
So the trick is to provide a chain of references from your new certificate up through GoDaddy, all the way up to a trusted authority that Firefox already knows about. Otherwise each new user will be warned about the site, and can choose whether to accept the certificate.
We will do this by including the certificate "chain".
The Process
The first part of this process starts with the certificate acquisition. If you already have your certificate, just jump past the first few steps. You will want the OpenSSL package either way though.
- Purchase an SSL Cert from GoDaddy.
- "Use" the TurboSSL Certificate. You will have to fill out a form with way too much personally-identifying information. Don't worry about it; it doesn't wind up in the key.
- Use your private key (generate if needed) to create a certificate request.
openssl.exe req -new -key private.key -out my.domain.csr
- Fill in the form as needed. You can leave a lot of it blank. This is the data that winds up in the key. Be certain to put the actual server name, including any www. or mail., in the common name field!
- GoDaddy will send a confirmation email to the registrants for the server. If you have private (hidden) registration, the email may take an hour or so to arrive, assuming you don't greylist or spamblock it. This has a link in it that at least one registrant (admin or tech) must follow and confirm.
- Immediately there-after, your new certs will be generated and a link sent to your email address. You must download them from GoDaddy at the link.
- You may either create a PEM File - combining the private key and the certificate into one - or point to both separately.
- Creating the PEM:
GoDaddy delivered a CRT file. Build the PEM as a text file by putting your private key followed by your certificate in. The result looks like:
-----BEGIN RSA PRIVATE KEY-----
(13 or so uuencoded 65-character lines)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(25 or so uuencoded 65-character lines)
-----END CERTIFICATE-----
This file is referenced in Stunnel.conf:
cert=my_cert.pem
- Configuring the files separately:
In STunnel.conf, set:
cert=(the crt file from GoDaddy)
key=your_private.key
- Firefox/Thunderbird
Most browsers will now work with the site because they know about GoDaddy/Starfield as root authorities. But Firefox/Thunderbird don't. So we need to get the chain working.
Use the following command to dump out the data:
openssl s_client -connect my.server.name:443
The Certificate Chain is right before the Server Certificate. (When testing SSL POP3, use the port 995 instead of 443 of course.)
Here's where that PEM file (Section 7.a) comes in handy. STunnel doesn't appear to obey the CAfile directive, but you can paste the GoDaddy certificates (from gd_intermediate_bundle.crt) into the same PEM file after your key and certificate, and the entire chain will work.
To accomplish the same thing with Apache serving the site:
- Place the PEM file created in step 7.a into your Apache/conf/ssl directory
- Place the intermediate chain file (gd_intermediate_bundle.crt or gd_full_bundle.crt) into the Apache/conf/ssl directory.
- Reference both files in the Apache/conf/ssl.conf file:
SSLCertificateFile conf/ssl/your.server.name.pem
SSLCertificateChainFile conf/ssl/gd_intermediate_bundle.crt
- Restart the Apache service.
In our case, we tossed the valicert_class2_root.crt root certificate for GoDaddy into the intermediate bundle, as it wasn't there, and renamed it "gd_full_bundle.crt". But that's just our style when struggling with a problem. Never settle for mere overkill!
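Here, as an added example that is not part of the original post, is a small shell script that builds a throw-away root / intermediate / server chain with openssl, shows that the server certificate alone fails verification against the root (the "Unknown Authority" situation above) while it passes once the intermediate is supplied, and then assembles the key + certificate + chain PEM for stunnel's cert= line. All names in it (demo-root, demo-int, my.server.name) are made up; in real use the chain files are the ones GoDaddy sends.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a demo
# root -> intermediate -> server chain, then shows why the intermediate
# must ship with the server cert and builds the stunnel PEM as described.
# All names (demo-root, demo-int, my.server.name) are made up.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }
WORK=$(mktemp -d)
cd "$WORK"

# Root CA: stands in for the trusted root a browser already ships with.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=demo-root" -days 2 >/dev/null 2>&1

# Intermediate CA: stands in for the CA that actually signs customer certs.
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=demo-int" >/dev/null 2>&1
printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile int.ext -out int.crt -days 2 >/dev/null 2>&1

# Server cert, requested as in the post: the real host name goes in the CN.
openssl req -newkey rsa:2048 -nodes -keyout private.key -out my.domain.csr \
  -subj "/CN=my.server.name" >/dev/null 2>&1
openssl x509 -req -in my.domain.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -out my.server.name.crt -days 2 >/dev/null 2>&1

# verify_chain LEAF [INTERMEDIATES]: succeeds only if LEAF chains up to the
# root using nothing but the files given. A browser that trusts only the
# root sees exactly this: no intermediate means "Unknown Authority".
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile root.crt "$1" >/dev/null 2>&1
  fi
}

# build_pem: private key, then server cert, then the intermediate(s), in
# one file for stunnel's cert= line. Prints how many PEM blocks it holds.
build_pem() {
  cat private.key my.server.name.crt int.crt > my_cert.pem
  grep -c -- '-----BEGIN' my_cert.pem
}

# Stand-alone run: show both outcomes.
verify_chain my.server.name.crt && echo "leaf alone: OK (unexpected)" \
  || echo "leaf alone: unable to get local issuer certificate"
verify_chain my.server.name.crt int.crt && echo "leaf + intermediate: OK"
echo "my_cert.pem PEM blocks: $(build_pem)"
```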
- Email Setup
To configure stunnel for SSL-POP3 (POP3S) and other SSL email, a second file is needed: stunnel.cnf. This one is very straightforward, with one small gotcha. The typical file will look like this:
client=no

[sslpop]
accept=995
connect=110

[sslimap]
accept=943
connect=143

[sslsmtp]
accept=465
connect=25
That's all you need, as long as your firewalls and routing tables are correct. The gotcha is that the following is more intuitive:
# Commented out protocols are because TLS is not supported by ISMail. So we use SSL alone.
client=no

[sslpop]
accept=995
connect=110
protocol=pop3

[sslimap]
accept=943
connect=143
protocol=imap

[sslsmtp]
accept=465
connect=25
protocol=smtp
But the protocol lines essentially invoke TLS instead of SSL. Which is fine, but only as long as the mail server is expecting it. You may be able to get that to work, but with the server I'm using, it didn't.
- Other notes: You can typically reach a server by name or by number. In a small network, it's often seductive to simply refer to them by number in the web pages to simplify routing and DNS management. Unfortunately that's not compatible with SSL: the name the client used to reach the server is what gets checked against the certificate, so it has to match the common name you put in the request.
- Resources
That's it. Not a huge task, but annoying when bumping into multiple hurdles, enough to deserve a few drinks. Happy New Year!
From: (Anonymous)
Date: March 7th, 2008 03:01 am (UTC)
Thank you!
Thank you for this post! I have been so frustrated with my GoDaddy certificate not being verified in Firefox. This did the trick wonderfully.