Can't install SSL certificate on Apache
I have moved a website to another server and I have an SSL certificate from GoDaddy. SSL was working fine on an old server, maintained by my predecessor. Now on a new server I've regenerated the certificate following GoDaddy's instructions and I have modified the ssl.conf file as instructed, but when I go to the part of the website that's supposed to support SSL I still get that "untrusted certificate". If I add it as trusted, everything works fine, but it loses the point of a trusted certificate.
What's even more weird is that on the old server the ssl.conf file is default, so how come the certificate is working fine on it then? Are there any other ways to install an SSL certificate than modifying ssl.conf?
Changes that I made to the ssl.conf:
<VirtualHost *:443>
DocumentRoot "/var/www/vhosts/domain.com/httpdocs"
ServerName www.domain.com:443
SSLCertificateFile /var/www/vhosts/domain.com/private/domain.com.crt
SSLCertificateKeyFile /usr/bin/domain.com.key
SSLCACertificateFile /var/www/vhosts/domain.com/private/gd_bundle.crt
<Directory "/var/www/vhosts/domain.com/httpdocs">
AllowOverride All
</Directory>
Is there something I'm doing wrong?
==================================================================================
UPDATE: as suggested, I added the line to enable GoDaddy's bundle certificate in my ssl.conf:
SSLCertificateChainFile /var/www/vhosts/domain.com/private/gd_bundle.crt
and commented out the line:
#SSLCACertificateFile /var/www/vhosts/domain.com/private/gd_bundle.crt
Everything is still the same, certificate is untrusted...
UPDATE2: I accepted the certificate and viewed it, and it's not mine, it says "Plesk" is the owner. For some reason Plesk is stuffing its certificate, can I remove it somehow? Sorry for confusion...
UPDATE3: I looked at ssl_error_log and this is what it says:
[Sat Sep 03 12:37:36 2011] [warn] RSA server certificate CommonName (CN) `www.domain.com' does NOT match server name!?
What's that supposed to mean?
UPDATE4: If I change
<VirtualHost *:443>
to
<VirtualHost www.domain.com:443>
when I try to access the page the browser pops up the open/save dialog for php source file?!? This is just insane...
It looks as if GoDaddy, like many SSL issuers, use an intermediate certificate that must be served by your SSL server in order for the chain of trust to be complete.
In essence, instead of signing your CSR with a certificate which is itself in the public bundle known to most browsers, they sign your CSR with a certificate of their own; this certificate of theirs is in turn itself certified by one of the certificates in the browsers' public bundle to sign anything.
There are good reasons to do this, but the upshot is that when you serve your certificate to people in the SSL handshake phase you have to serve a copy of GoDaddy's signing certificate at the same time. Then the browser can say to itself "the site certificate is signed by this intermediate GoDaddy certificate, and the intermediate GoDaddy certificate is signed as 'OK to sign other things' by e.g. Equifax/Thawte/Verisign/some other top-level authority whom I trust", and the browser is happy. If the browser doesn't get that intermediate certificate, it can't connect the chain of trust, and it isn't happy.
GoDaddy have a chain certificate installation instruction page for Apache at this help page.
Edit: it sounds like your SSL config has more than what you wrote. You can't just add config to apache and expect it to work, you have to remove anything that conflicts. Try
find /etc/http/conf -type f -exec grep -i sslcertificatefile {} /dev/null \;
(replacing /etc/http/conf with your Apache config root, if you keep it elsewhere) and see where the Plesk certificate is configured in. Comment that section out and try restarting Apache.
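An added example to go with the find/grep step in the answer above (not part of the original answer, and not an Apache tool): a shell function that lists each active certificate directive with its file, line and enclosing VirtualHost, and flags vhosts that set SSLCertificateFile without SSLCertificateChainFile. The function names, the sample tree, its file names and the panel certificate path are constructed for illustration.

```shell
# Added example: report every active certificate directive under an Apache
# config root and flag vhosts with a certificate but no chain file.
# scan_ssl_directives and demo are hypothetical helper names.
scan_ssl_directives() {
    find "$1" -type f -exec awk '
        FNR == 1   { vhost = "(global)"; cert = 0; chain = 0 }
        /^[ \t]*#/ { next }                          # skip commented-out lines
        { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
        low ~ /^<virtualhost[ \t]/ {
            vhost = line; gsub(/[<>]/, "", vhost); sub(/^[^ \t]+[ \t]+/, "", vhost)
            start = FNR; cert = 0; chain = 0; next
        }
        low ~ /^<\/virtualhost>/ {
            if (cert && !chain)
                printf "%s:%d: NO-CHAIN vhost=%s\n", FILENAME, start, vhost
            vhost = "(global)"; next
        }
        low ~ /^ssl(certificatefile|certificatechainfile|cacertificatefile)[ \t]/ {
            split(line, f, /[ \t]+/)
            printf "%s:%d: vhost=%s %s %s\n", FILENAME, FNR, vhost, f[1], f[2]
            if (low ~ /^sslcertificatefile/)      cert = 1
            if (low ~ /^sslcertificatechainfile/) chain = 1
        }
    ' {} +
}
# Constructed sample tree: the site vhost from the question plus a second,
# panel-generated file that also defines a certificate for port 443.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/conf.d"
    cat > "$d/conf.d/ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName www.domain.com:443
    SSLCertificateFile /var/www/vhosts/domain.com/private/domain.com.crt
    SSLCertificateChainFile /var/www/vhosts/domain.com/private/gd_bundle.crt
    #SSLCACertificateFile /var/www/vhosts/domain.com/private/gd_bundle.crt
</VirtualHost>
EOF
    cat > "$d/conf.d/zz_panel.conf" <<'EOF'
<VirtualHost 192.0.2.10:443>
    sslcertificatefile /constructed/path/panel-default.pem
</VirtualHost>
EOF
    scan_ssl_directives "$d" | sed "s|^$d/||" | sort
    rm -rf "$d"
}
demo
```

On Apache 2.4.8 and later the intermediates can be appended to the file named by SSLCertificateFile, so a NO-CHAIN line there is a prompt to inspect that file rather than proof of a broken chain.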
Maybe you need the SSLCertificateChainFile option inside your VirtualHost. You should find more information at your SSL provider's homepage. Have a look at https://certs.godaddy.com/anonymous/repository.seam