No need to hide your domain name, it's in the pem file. And I see
that
$ openssl verify -CApath /etc/ssl/certs ert.pem
gives a failure too.
But I think I know the reason now. There are two GoDaddy certificates, a
root CA ("Go Daddy Class 2 Certification Authority") and an intermediate
one ("Go Daddy Secure Certification Authority"), which is signed by the
root one.
$ openssl x509 -in /etc/ssl/certs/UbuntuOne-Go_Daddy_CA.pem -noout -subject -issuer
subject= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
issuer= /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
$ openssl x509 -in /etc/ssl/certs/UbuntuOne-Go_Daddy_Class_2_CA.pem -noout -subject -issuer
subject= /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
issuer= /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
$ openssl verify /etc/ssl/certs/UbuntuOne-Go_Daddy_CA.pem
/etc/ssl/certs/UbuntuOne-Go_Daddy_CA.pem: OK
And your certificate is signed by the intermediate one:
$ openssl verify -CAfile /etc/ssl/certs/UbuntuOne-Go_Daddy_CA.pem ert.pem
ert.pem: OK
Now, you can see that the /etc/ssl/certs directory doesn't have a hashed
entry pointing to the intermediate CA cert:
$ ls -l /etc/ssl/certs | grep -i daddy
lrwxrwxrwx 1 root root 23 2009-12-19 19:55 219d9499.0 -> Go_Daddy_Class_2_CA.pem
lrwxrwxrwx 1 root root 58 2009-12-19 19:55 Go_Daddy_Class_2_CA.pem -> /usr/share/ca-certificates/mozilla/Go_Daddy_Class_2_CA.crt
-rw-r--r-- 1 root root 1778 2009-10-12 15:24 UbuntuOne-Go_Daddy_CA.pem
-rw-r--r-- 1 root root 1449 2009-10-12 15:24 UbuntuOne-Go_Daddy_Class_2_CA.pem
but actually that's correct. It's the web server's responsibility to
send both its own certificate and the intermediate certificate back to
the client. The client needs to locate only the root certificate locally
to validate the whole chain.
You need to configure your webserver to send both your server's
certificate and the intermediate CA certificate. For Apache, there is
some brief information here:
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC39
If that's not sufficient, and it is Apache you're using, I can dig out
some working configs.
If it worked on the Mac, it's because the Mac has wrongly included the
GoDaddy intermediate certificate in its set of trusted root
certificates.
Regards,
Brian.
--
Posted via http://www.ruby-forum.com/.
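
Added example, not part of the post above: the root / intermediate / leaf layout it describes, rebuilt with a throwaway PKI so both cases can be compared from the side of a client that trusts only the root. All subject names, file names and the helpers make_pki, sign, verify_leaf_only and verify_with_chain are made up for this demo.

```shell
#!/bin/sh
# Added example. Constructed demo PKI: every name, key and file below is made up.
set -eu

sign() { openssl x509 -req -days 2 -extfile "$d/pki.cnf" "$@" 2>/dev/null; }

make_pki() {  # make_pki DIR: builds root -> intermediate -> leaf in DIR
    d=$1
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused (overridden by -subj)
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
EOF
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
            -subj "/CN=demo $n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    sign -in "$d/root.csr" -signkey "$d/root.key" -extensions ca_ext -out "$d/root.pem"
    sign -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
        -extensions ca_ext -out "$d/inter.pem"
    sign -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -set_serial 3 \
        -extensions leaf_ext -out "$d/leaf.pem"
}

# Client trusts only the root; server sent just its own certificate.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>/dev/null | grep -q ': OK$'
}

# Same trust store, but the server also sent the intermediate. It is passed as
# -untrusted: it only helps build the path and must itself chain to the root.
verify_with_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" \
        2>/dev/null | grep -q ': OK$'
}

demo() {
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    make_pki "$tmp"
    verify_leaf_only "$tmp" && echo "leaf only: OK" || echo "leaf only: FAIL"
    verify_with_chain "$tmp" && echo "leaf + intermediate: OK" || echo "leaf + intermediate: FAIL"
}
demo
```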