How to fix from the server side: ERROR: The certificate of ‘www.example.org’ is not trusted

I am managing a website which uses an SSL/TLS certificate from a well-known issuer (GoDaddy in this case, although this same error appears with certificates from other issuers). The website is hosted on an Apache web server.

Some web browsers complain about the SSL/TLS certificate with an error like:

The site's security certificate is not trusted!

You attempted to reach www.example.org, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system.

Other web browsers do not complain. This suggests to me that the certificate itself is installed correctly on the web server, but a piece of the certificate chain is missing from either the web browser or the server.

Here is another example from wget:

$ wget https://www.example.org/
--2013-01-23 12:34:47--  https://www.example.org/
Resolving www.example.org (www.example.org)... 192.168.100.100, 2001:400:xxx::10
Connecting to www.example.org (www.example.org)|192.168.100.100|:443... connected.
ERROR: The certificate of ‘www.example.org’ is not trusted.
ERROR: The certificate of ‘www.example.org’ hasn't got a known issuer.

Is it possible to correct this from the web server configuration?

The certificate from GoDaddy is legitimate, and is installed on the web server. I do not want to bypass this error (e.g. I do not want to use wget --no-check-certificate). I want to prevent this error by adding the correct configuration on the server side.


Solution 1:

If you look at the full certificate chain from one of the affected browsers, which certificate isn't trusted?

If it's the intermediate certificate that isn't trusted, make sure that the intermediate certificate is installed on the web server.

If it's the root certificate that isn't trusted, then this can't be fixed from the server side; the clients will need to update their root certificate store.

Solution 2:

Check that you have all the required intermediate certificates installed on the server. Not all browsers treat these errors equally. Firefox is usually the most strict in its requirements.
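
The missing-intermediate case that both answers describe can be reproduced offline. The script below is an added example, not part of the question or either answer: it builds a constructed three-tier PKI (the CA names and file names are made up) and shows that a client trusting only the root rejects the site certificate unless the intermediate is supplied alongside it. It assumes the openssl command-line tool is installed.

```sh
# Constructed demo PKI (all names made up):
#   Demo Root CA -> Demo Intermediate CA -> www.example.org
# Assumes the openssl CLI is installed; nothing touches the network.
set -e

new_csr() {  # new_csr <dir> <name> <subject>: fresh key plus certificate request
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_demo_pki() {  # build_demo_pki <dir>
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.org\n' > "$d/leaf.ext"
  new_csr "$d" root "/CN=Demo Root CA"
  new_csr "$d" int  "/CN=Demo Intermediate CA"
  new_csr "$d" leaf "/CN=www.example.org"
  # Self-signed root: the only certificate the simulated client trusts.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # The root signs the intermediate; the intermediate signs the site certificate.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# client_accepts <dir> <leaf-only|with-intermediate>
# Simulates a client that trusts only the root and sees only what the server sends.
client_accepts() {
  if [ "$2" = with-intermediate ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
  fi
}

demo=$(mktemp -d)
build_demo_pki "$demo"
for served in leaf-only with-intermediate; do
  if client_accepts "$demo" "$served"; then echo "$served: trusted"
  else echo "$served: not trusted (issuer unknown)"; fi
done
rm -rf "$demo"
```

Against a live server, `openssl s_client -connect www.example.org:443 -servername www.example.org -showcerts` lists the certificates the server actually sends. On Apache the intermediate is supplied with `SSLCertificateChainFile`, or on 2.4.8 and later by appending it to the file named in `SSLCertificateFile`.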