Last modified: 2014-02-04 03:53:32 UTC
OTRS <ticket.wikimedia.org> is not serving the full certificate chain (via SSL/TLS). I'm fairly certain this is non-compliant with relevant standards but don't have a source offhand.

I'm seeing this causing cert warnings in Safari (using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us) AppleWebKit/531.21.11 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10).

For reference, here's a comparison of the misconfigured site with a properly configured site (both seem to be signed by the same upstream intermediary CA):

$ for i in ticket.wikimedia.org squarefree.com; do openssl s_client -connect $i:443 < /dev/null 2>/dev/null | perl -pe 'exit 0 if (/^Server certificate$/);' | sed -e 1d; done
---
Certificate chain
 0 s:/O=ticket.wikimedia.org/OU=Domain Control Validated/CN=ticket.wikimedia.org
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
---
Certificate chain
 0 s:/O=www.squarefree.com/OU=Domain Control Validated/CN=www.squarefree.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---

I can also reproduce this in Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

A few relevant bugs: https://bugzilla.mozilla.org/buglist.cgi?quicksearch=402846+399324+245609

Created attachment 7408: godaddy ssl intermediate cert 20091029

http://help.godaddy.com/topic/742/article/5238

I suggest adding a new directive SSLCertificateChainFile to httpd.conf after the corresponding SSLCertificateFile/SSLCertificateKeyFile. It should point to the contents of this attachment.

tstarling fixed, thanks

$ for i in ticket.wikimedia.org squarefree.com; do openssl s_client -connect $i:443 < /dev/null 2>/dev/null | perl -pe 'exit 0 if (/^Server certificate$/);' | sed -e 1d; done
---
Certificate chain
 0 s:/O=ticket.wikimedia.org/OU=Domain Control Validated/CN=ticket.wikimedia.org
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
---
Certificate chain
 0 s:/O=www.squarefree.com/OU=Domain Control Validated/CN=www.squarefree.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---

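
The before/after comparison in this report can be turned into a repeatable check. The function below is an added example, not part of the original bug report: it reads `openssl s_client` output on stdin and classifies the served chain. The name `chain_status` and the sample DNs are constructed for illustration, and `leaf-only` is a heuristic, since the output alone cannot tell whether the leaf's issuer is a root the client already trusts.

```shell
#!/bin/sh
# chain_status (hypothetical helper): classify the "Certificate chain" section
# of `openssl s_client` output read from stdin. Prints one of:
#   no-chain        no chain section was found
#   leaf-only       one non-self-signed cert served (the misconfiguration here)
#   broken-link     a cert is not followed by the cert that issued it
#   linked depth=N  every served cert is followed by its issuer
chain_status() {
  awk '
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/   { in_chain = 0 }
    # "<depth> s:<subject DN>" opens an entry, "i:<issuer DN>" completes it.
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); issr[n - 1] = $0; next }
    END {
      if (n == 0) { print "no-chain"; exit }
      for (k = 0; k < n - 1; k++)
        if (issr[k] != subj[k + 1]) { print "broken-link"; exit }
      if (n == 1 && issr[0] != subj[0]) { print "leaf-only"; exit }
      print "linked depth=" n
    }'
}

# Constructed samples shaped like the output quoted in this report.
LEAF_ONLY='---
Certificate chain
 0 s:/CN=ticket.example
   i:/CN=Example Intermediate CA
---
Server certificate'

WITH_INTERMEDIATE='---
Certificate chain
 0 s:/CN=ticket.example
   i:/CN=Example Intermediate CA
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
---
Server certificate'

printf '%s\n' "$LEAF_ONLY" | chain_status
printf '%s\n' "$WITH_INTERMEDIATE" | chain_status

# Against a live host, reusing the command from this report:
#   openssl s_client -connect HOST:443 < /dev/null 2>/dev/null | chain_status
```
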
Closing old verified bugs.