After some agonizing discussions, dkg and I decided to purchase an SSL certificate from GoDaddy for members.mayfirst.org and id.mayfirst.org. It was agonizing - when our Dotster/Thawte-purchased SSL certificate for members.mayfirst.org expired a month ago, I tried to purchase another one from Dotster/Thawte, but Dotster's tech just is not up to snuff. In the last year, half the time I purchase from them it works, and the other half the time I just never get the certificate. Contacting support doesn't help (they say it's Thawte's problem; the clearly more competent Thawte people say it's Dotster's fault). In these interactions I've tended to believe Thawte.

All of this is even more frustrating given what a scam SSL certificates are (see dkg's piece on that topic for an in-depth discussion).

We scoured the Internet for affordable SSL certificate issuers and discovered that GoDaddy is really the cheapest. Of course, we hate GoDaddy. However, we decided we needed a cert that will not cause our members to get in the habit of seeing SSL error messages and ignoring them.

Imagine my frustration when, after installing GoDaddy's cert, my Firefox browser still gave the error!

Fortunately - with some help on the Internet, I discovered that the answer to the problem is:

When you get the email from GoDaddy about your cert being ready for download, click on the link and you get a zipped package with both your certificate and a "godaddy intermediate bundle." I didn't click on the link; I simply logged into the web interface and downloaded my new certificate. The intermediate bundle is a file containing three certificates - essentially a chain of certificates that connects the GoDaddy certificate authority to whatever certificate authorities your browser trusts.

If for some reason you don't have this bundle, it's attached to this post below.

Copy the file to our server and then, in your Apache configuration file, add this line:

SSLCertificateChainFile /etc/apache2/ssl/gd_intermediate_bundle.crt

Then restart Apache.
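
To see why a missing bundle produces the browser error, this added example (not part of the original post) builds a throwaway root, intermediate and server certificate with openssl and verifies the server certificate with and without the intermediate. All names, keys and paths in it are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: every key, name and certificate here is throwaway test data.

# mkcsr BASE CN: new RSA key (BASE.key) and signing request (BASE.csr).
mkcsr() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# build_chain DIR: root CA -> intermediate CA -> server certificate, all in DIR.
build_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    # Self-signed root: stands in for a CA the browser already trusts.
    mkcsr "$d/root" "Demo Root CA" || return 1
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 2 -out "$d/root.crt" 2>/dev/null || return 1
    # Intermediate signed by the root: stands in for the intermediate bundle.
    mkcsr "$d/int" "Demo Intermediate CA" || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.crt" 2>/dev/null || return 1
    # Server certificate signed by the intermediate, not by the root.
    mkcsr "$d/leaf" "members.example.test" || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
}

# What a client sees when the server sends only its own certificate.
verify_without_chain() {
    openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" 2>/dev/null | grep -q ': OK$'
}

# What it sees once the server also sends the intermediate (-untrusted).
verify_with_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt" \
        2>/dev/null | grep -q ': OK$'
}

demo() {
    d=$(mktemp -d) || return 1
    build_chain "$d" || { rm -rf "$d"; return 1; }
    if verify_without_chain "$d"; then a=OK; else a=FAIL; fi
    if verify_with_chain "$d"; then b=OK; else b=FAIL; fi
    rm -rf "$d"
    echo "leaf only: $a; leaf + intermediate: $b"
}
demo
```

Against a live server, `openssl s_client -connect HOST:443 -showcerts` lists the certificates the server actually sends, which should include the intermediates once the directive is in place. Note that Apache 2.4.8 and later treat SSLCertificateChainFile as obsolete and read intermediates appended to the file named by SSLCertificateFile.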

Useful resources:

https://certificates.godaddy.com/InstallationInstructions.go

http://www.dslreports.com/forum/r18609704-New-SSL-Cert-Problem-Report~start=20