SSL chain verification problems


SSL chain verification problems – Problems with loading a website are often blamed on the Internet connection, but even a perfectly set up network cannot help if no service replies at the destination. One of the most popular HTTP servers used for this task is Apache2. Much of Apache’s popularity can be attributed to its easy installation and use; nevertheless, it is possible to run into problems with even the easiest software. If you’ve encountered an issue loading your web page, follow the troubleshooting methods outlined in this guide to get your web server back up and working again. Below are some tips for managing your Apache2 server when you run into problems involving apache-2.2, ssl and godaddy.

I’ve installed a new SSL certificate using SHA2 hashing instead of SHA1. My chain checks out using these online verifiers:

However this one tells me it can’t find the Root CA:

How do I fix this?

Edit: Derp, here’s the URL: secure.symt.us

This is on Apache2 on CentOS.

I have followed GoDaddy’s setup instructions to the letter and restarted the server.

Edit 2, apache vhost conf:

SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle-g2.crt

==== [SOLVED] ====

The problem turned out to be that my vhost was defined as <VirtualHost *:443>. Changing it to the server’s IP address <VirtualHost xx.xx.xx.xx:443> fixed it.

There was a catch-all default <VirtualHost _default_:443> albeit without an SSLCertificateChainFile directive. Grepping /etc/httpd for SSLCertificateChainFile returned only my directive.

Perhaps Apache has its own default SSLCertificateChainFile internally and refused to send mine when configured as *:443?

You’re missing the certificate chain. Follow GoDaddy’s instructions and make sure you install their intermediate certificates (commonly called a chain, or a bundle as well).

GoDaddy supports Internet Censorship. You should seriously reconsider funding them. Especially when you can get SSL Certificates for Free.


For Apache 2.2.x, you need all three of the following (for a standard configuration):

SSLCertificateFile /path/to/public/key_file
SSLCertificateKeyFile /path/to/private/key_file
SSLCertificateChainFile /path/to/chain/file

You’re likely missing that last one.
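An added example, not part of the original thread and not Apache's own tooling: a small Python audit that lists every port-443 VirtualHost block, reports which of the three certificate directives it lacks, and flags the case from the solved note above where more than one catch-all block (* or _default_) exists. The sample configuration, the www.example.test name, the old_bundle.crt and localhost.* paths, and the function names are constructed for illustration.

```python
import re

# Constructed sample config (not from the page): a catch-all vhost without a
# chain file next to a wildcard vhost that has one.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    # SSLCertificateChainFile /etc/pki/tls/certs/old_bundle.crt
    SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle-g2.crt
</VirtualHost>
"""

REQUIRED = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")
CATCH_ALL = {"*", "_default_"}

def audit_vhosts(conf_text):
    """Return one dict per port-443 vhost: addresses, missing directives, catch-all flag."""
    results, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out directives do not count
        opened = re.match(r"<VirtualHost\s+(.+?)\s*>$", line, re.I)
        if opened:
            current = {"addrs": opened.group(1).split(), "seen": set()}
        elif re.match(r"</VirtualHost\s*>$", line, re.I) and current:
            if any(a.endswith(":443") for a in current["addrs"]):
                hosts = {a.rsplit(":", 1)[0] for a in current["addrs"]}
                results.append({
                    "addrs": current["addrs"],
                    "missing": [d for d in REQUIRED if d.lower() not in current["seen"]],
                    "catch_all": bool(hosts & CATCH_ALL),
                })
            current = None
        elif current is not None:
            current["seen"].add(line.split(None, 1)[0].lower())  # directive names are case-insensitive
    return results

def overlapping_catch_alls(results):
    """Addresses of catch-all :443 vhosts when more than one exists, else an empty list."""
    hits = [r["addrs"] for r in results if r["catch_all"]]
    return hits if len(hits) > 1 else []
```

To audit a real server, pass the concatenated text of the files under /etc/httpd to audit_vhosts instead of SAMPLE_CONF; any block reported with a missing SSLCertificateChainFile, or any overlap between catch-all blocks, is worth reviewing before re-testing the chain.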

Your server is not properly configured to send the required intermediate certificate. See this answer for a more detailed description of why this is a problem, and why you (or even some SSL verifiers) may not notice it during testing.

The missing certificate in your case is http://certificates.godaddy.com/repository/gdig2.crt.

The SSL Labs online test shows this problem as a warning (and, BTW, finds several other problems with your server configuration).

I have the same trouble: when I view the site on Android, the page shows a certificate error.
I tested the page with https://www.sslshopper.com/ssl-checker.html and the chain is broken. After a few tests I used this certificate, http://certificates.godaddy.com/repository/gdig2.crt, as the intermediate certificate for the SSLCertificateChainFile property.
All my hosts are configured with and
And this works perfectly.
