We just installed this yesterday. Using Firefox, I'm not getting the self-signed certificate warning, so it's working. However, the lock icon in the address bar has an exclamation point; click it and you get the warning that this site's owner can't be verified. Looking at the cert (as seen by Firefox), most of the information is left blank.
I ran an SSL checker on our main Website and it says that there's a "chain issue:" It contains an "anchor." GoDaddy's checker says that there's an "extraneous certificate" in the chain.
I've pored over my ssl.conf and can't find where another certificate is being loaded.
I use Apache 2.4 on CentOS 7. Thanks!
OK, some more info. I've got a self-signed certificate in the chain somewhere. How in the devil do I find this thing and kill it? 🙂
    [root@crawfordbroadcasting tls]# openssl s_client -showcerts -connect crawfordbroadcasting.com:443
    CONNECTED(00000003)
    depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
    verify error:num=19:self signed certificate in certificate chain
Here's the pertinent section of /etc/httpd/conf.d/ssl.conf:
    [root@crawfordbroadcasting conf.d]# grep -i certificate ssl.conf
    # Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate. If
    # the certificate is encrypted, then you will be prompted for a
    # certificate can be generated using the genkey(1) command.
    SSLCertificateFile /etc/pki/tls/certs/crawford.crt
    # If the key is not combined with the certificate, use this
    SSLCertificateKeyFile /etc/pki/tls/private/crawford.key
    # Server Certificate Chain:
    # Point SSLCertificateChainFile at a file containing the
    # concatenation of PEM encoded CA certificates which form the
    # certificate chain for the server certificate. Alternatively
    # the referenced file can be the same as SSLCertificateFile
    # when the CA certificates are directly appended to the server
    # certificate for convinience.
    SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle-g2-g1.crt
    # Certificate Authority (CA):
    # Set the CA certificate verification path where to find CA
    # certificates for client authentication or alternatively one
    # SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
Obviously, the self-signed certificate that I experimented with is still being pulled in by Apache for some reason. I need to find it and kill it. If anyone has ideas, let me know. 🙂
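One way to find which configured file supplies the self-signed certificate, added here as an example and not part of the original post: the function splits a PEM file into its individual certificates and marks each one whose issuer name equals its subject name. It assumes `openssl`, `awk` and `mktemp` are available; `list_chain` is a name chosen for this example.

```shell
#!/bin/sh
# list_chain FILE
# Print one line per certificate found in a PEM file, in file order:
#   <index> <chained|SELF-SIGNED> <subject>
# A certificate is marked SELF-SIGNED when its subject and issuer names
# hash to the same value, which is how a root (trust anchor) looks.
list_chain() {
    local bundle=$1 tmp n=0 f shash ihash subj flag
    tmp=$(mktemp -d) || return 1

    # Split the file into one PEM file per certificate.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"

    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || continue
        n=$((n + 1))
        shash=$(openssl x509 -in "$f" -noout -subject_hash)
        ihash=$(openssl x509 -in "$f" -noout -issuer_hash)
        subj=$(openssl x509 -in "$f" -noout -subject)
        flag=chained
        if [ "$shash" = "$ihash" ]; then
            flag=SELF-SIGNED
        fi
        printf '%d %s %s\n' "$n" "$flag" "$subj"
    done
    rm -rf "$tmp"
}

# Usage with the two certificate files named in the ssl.conf above:
#   list_chain /etc/pki/tls/certs/crawford.crt
#   list_chain /etc/pki/tls/certs/gd_bundle-g2-g1.crt
# When called with a file argument, the script runs the check on it.
if [ "$#" -gt 0 ]; then
    list_chain "$1"
fi
```

Any line marked SELF-SIGNED in the file named by SSLCertificateFile or SSLCertificateChainFile is a certificate the server will send with subject equal to issuer.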