Joe Levi:
a cross-discipline, multi-dimensional problem solver who thinks outside the box – but within reality™

Secure Connection Failed error message with GoDaddy Certificate in Firefox 3.01

We switched our preferred SSL Certificate provider from Thawte to GoDaddy recently and all has been well for several months.

This morning it was brought to my attention that Windows XP SP2 users running a fresh install of Firefox 3.01 are being met with a “Secure Connection Failed” error message (Error code: sec_error_unknown_issuer) which states that www.buylifetime.com uses an invalid security certificate. That’s not true, and MSIE6 and MSIE7 agree; what’s more, FF3.01 on my Vista machine doesn’t throw the error either.

Upon further investigation my Vista version of FF3.01 has TWO Certificate Authority entries under “The Go Daddy Group, Inc.” – the Windows XP SP2 version of FF3.01 only has “Go Daddy Class 2 CA Builtin Object Token.” When I remove the “Go Daddy CA” from my Vista FF I get the same problematic behavior on Vista.

I’ve opened a ticket with GoDaddy, but that could take “up to 24 hours” so I’m asking all you geeks out there: any thoughts?

Solution:

From https://certs.godaddy.com/IIS6_alt.go :

Once your SSL certificate has been signed and issued, Go Daddy® will send you an e-mail message that allows you to download the signed certificate and our intermediate certificate bundle (gd_iis_intermediates.p7b), both of which must be installed on your Web site. So far, so good, right?

What fixed it for me? I reinstalled the intermediate certificate (both GoDaddy’s and SF’s) AND disabled all uses of the Go Daddy Class 2 Certification Authority certificate, ran an IISRESET, and closed/re-opened FF3.01. Problem solved.

I wouldn’t be much help if I left out how to do all that, would I? Here’s how to install the SSL Certificate and the Intermediate Certificate Bundle (gd_iis_intermediates.p7b).

Download and save the certificate bundle to your desktop (or somewhere convenient), then follow these instructions to install it:

  1. Select Run from the start menu; then type mmc to start the Microsoft Management Console (MMC).
  2. In the Management Console, select File; then "Add/Remove Snap In."
  3. In the Add/Remove Snap-In dialog, select Add.
  4. In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.
  5. Choose Computer Account; then click Next and Finish.
    Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.
  6. If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.
  7. Right-click on Intermediate Certification Authorities and choose All Tasks; then click Import.
  8. Follow the wizard prompts to complete the installation procedure.
    Click Browse to locate the certificate file (gd_iis_intermediates.p7b).
  9. Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next.
  10. Click Finish.

Next install your SSL Certificate like so:

  1. Select the Internet Information Service console within the Administrative Tools menu.
  2. Select the Web site (host) for which the certificate was made.
  3. Right mouse-click and select Properties.
  4. Select the Directory Security tab.
  5. Select the Server Certificate option.
  6. The Welcome to the Web Server Certificate Wizard window opens. Click OK.
  7. Select Process the pending request and install the certificate. Click Next.
  8. Enter the location for the certificate file at the Process a Pending Request window. The file extension may be .txt or .crt instead of .cer (search for files of type all files).
  9. When the correct certificate file is selected, click Next.
  10. Verify the Certificate Summary to make sure all information is accurate. Click Next.
  11. Select Finish.

If the Go Daddy root certificate is currently installed on your machine you will need to disable it from the Trusted Root Certification Authorities folder. Please follow the instructions below to do this:

  1. Select Run from the start menu; then type mmc to start the Microsoft Management Console (MMC).
  2. In the Management Console, select File; then "Add/Remove Snap In."
  3. In the Add/Remove Snap-In dialog, select Add.
  4. In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.
  5. Choose Computer Account; then click Next and Finish. Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.
  6. If necessary, click the + icon to expand the Certificates folder so that the Trusted Root Certification Authorities folder is visible.
  7. Expand the Trusted Root Certification Authorities folder.
  8. Double-click the Certificates folder to show a list of all certificates.
  9. Find the Go Daddy Class 2 Certification Authority certificate.
  10. Right-click on the certificate and select Properties.
  11. Select the radio button next to Disable all purposes for this certificate.
  12. Click OK.
  13. Cycle through an IISRESET.
  14. Close and re-open the client web browser.

NOTE: Do not disable the Go Daddy Secure Certification Authority certificate located in the Intermediate Certification Authorities folder. Doing so will break the server, causing it to stop sending the correct certificate chain to the browser.
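
The situation described above (a client whose store holds only the root, and a server that does or does not send the intermediate) can be reproduced offline. This is an added example, not part of the original post: it builds a constructed three-certificate chain with made-up names and assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example: constructed throwaway PKI (root -> intermediate -> leaf).
# All names are made up; assumes the openssl CLI is installed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a key and CSR for common name $2 as $WORK/$1.key and $WORK/$1.csr.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Sign CSR $1; the remaining arguments select the issuer and extensions.
sign() {
  local name=$1; shift
  openssl x509 -req -in "$WORK/$name.csr" -days 2 -out "$WORK/$name.pem" "$@" 2>/dev/null
}

build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  # Root: stands in for the CA already built into the browser's store.
  new_csr root "Demo Root CA" || return 1
  sign root -signkey "$WORK/root.key" -extfile "$WORK/ca.ext" || return 1
  # Intermediate: the certificate the web server must send itself.
  new_csr int "Demo Intermediate CA" || return 1
  sign int -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca.ext" || return 1
  # Leaf: the site certificate, issued by the intermediate.
  new_csr leaf "www.example.test" || return 1
  sign leaf -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial
}

# Succeeds only if the leaf chains to the trusted root. Extra arguments model
# what the server sent along with the leaf (-untrusted FILE).
client_accepts() {
  openssl verify -CAfile "$WORK/root.pem" "$@" "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'
}

build_pki || { echo "openssl failed to build the demo PKI" >&2; exit 1; }

if client_accepts; then echo "leaf only: accepted"
else echo "leaf only: rejected (issuer unknown to the client)"; fi

if client_accepts -untrusted "$WORK/int.pem"; then echo "leaf + intermediate: accepted"
else echo "leaf + intermediate: rejected"; fi
```

Against a live server, `openssl s_client -connect host:443 -showcerts` prints the certificates the server actually sends, which shows whether the intermediate is included.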

You can thank me later™.

8 Responses

  1. Scott says:

    I am seeing the same thing only in FF3 on Vista. No other browsers have this problem.

  2. Joe says:

    @Scott,

    Hey! What timing! I’m sorry that you’re running into the problem, but it’s nice to know I’m not alone.

    The good news is I figured out the problem and updated the blog post with detailed instructions on how to correct it.

    In a nutshell, the issue was resolved by reinstalling the Intermediate CA’s (using the MMC not the right-click context menu on the .p7b file) AND disabling all purposes of the Go Daddy Class 2 Certification Authority certificate. The blog has instructions.

    Ironically, FF2 and MSIE6 – 8b1 did NOT have the problem, so I assume it’s got something to do with FF3’s tighter security policies.

    Let me know if it works for you.

    http://www.JoeLevi.com

  3. hapbt says:

    thank you!!!

  4. Christine says:

    I am having these problems with Firefox and my banking sites. Any idea how to fix them?

  5. Richie says:

    Come on. You can do better than copying the information from the GoDaddy website. Word for word….

  6. joelevi says:

    Ironically, it took a substantial amount of digging to find that information and piece it together back when it was written (almost a year ago).

    The information was spread across several GoDaddy articles, several forums, and a bunch of trial and error, and troubleshooting on my end.

    I think it's awesome that in one year you feel that GoDaddy has put all this together in one discoverable place! Way to go GoDaddy!

    Thanks for the comment!

    http://www.JoeLevi.com

  7. chuks says:

    Please help me. I am having this problem whenever I want to log on in Firefox: it will just write that there is an error in logging on in Firefox, and it will write error code, SSL error and disable error. It does not let me log on in my Firefox, so please, I need help and a solution.

  8. Icetoad says:

    Wow, thanks! Worked the first time, a testament to your instructions!
