I have a website that has a valid wildcard certificate from Godaddy. When I view it in my browser I get a valid secure certificate (green padlock) and when I examine the certificate within the browser it says secure and signed by godaddy and everything appears normal.
However, if I use openssl s_client -connect my.site.com:443 I get a self-signed certificate:
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
I don’t understand why this is. There seems to be an issue with some of my users that have ssl self-signed errors within their browsers and I think this has something to do with it.
I’m using Ubuntu 11.04 with apache2. Any ideas why this is the case, or how I could further examine the issue?
The general issue with OpenSSL is that it’s not pre-configured with a set of trusted CA certificates (unlike your browser). You need to specify it with
-CApath or -CAfile. Another common problem that your users may be facing is that you may be missing intermediate CA certificates. The certificate chain presented by your server (which you can indeed check using
openssl s_client, possibly with -showcerts if you want the full details) needs to be presented in the right order, from host certificate to root CA (excluding the root CA, although I’ve noticed in practice it doesn’t hurt to have it), so the one certificate’s issuer DN is the next certificate’s subject DN (until the issuer DN is the subject DN of one of your trusted CAs).
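The chain-order check the answer describes, as an added example that is not part of the original post: a small shell function that parses the "s:" / "i:" lines of openssl s_client -showcerts output and reports whether each issuer DN matches the next subject DN (the sample chains below are constructed, with invented DNs).

```shell
# Added example, not code from the original post. check_chain_order reads
# openssl s_client -showcerts output on stdin, collects the "N s:" (subject)
# and "i:" (issuer) lines of the "Certificate chain" block, and exits 0 only
# when every issuer DN equals the next certificate's subject DN. A lone
# self-signed certificate (what the question's s_client run returned) fails.
#
# Real use (talks to the network, so not run here):
#   openssl s_client -connect my.site.com:443 -servername my.site.com \
#       -showcerts </dev/null 2>/dev/null | check_chain_order
# -servername sends SNI, so a name-based Apache vhost answers with its own
# certificate rather than the default vhost's (often a self-signed one).
check_chain_order() {
    awk '
        BEGIN { n = 0 }
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
        /^ *i:/        { sub(/^ *i:/, "");        iss[n] = $0; n++ }
        END {
            if (n == 0) { print "FAIL: no certificate chain found"; exit 1 }
            if (n == 1 && subj[0] == iss[0]) {
                print "FAIL: only a self-signed certificate was presented: " subj[0]
                exit 1
            }
            for (k = 0; k + 1 < n; k++)
                if (iss[k] != subj[k + 1]) {
                    print "FAIL: cert " k " issuer [" iss[k] "] != cert " (k + 1) " subject [" subj[k + 1] "]"
                    exit 1
                }
            print "OK: " n " certificate(s), each issuer matches the next subject"
        }'
}

# Constructed sample chain blocks (DNs invented for this example).
GOOD_CHAIN=' 0 s:/OU=Domain Control Validated/CN=*.my.site.com
   i:/O=Example CA/CN=Example Secure Intermediate CA
 1 s:/O=Example CA/CN=Example Secure Intermediate CA
   i:/O=Example CA/CN=Example Root CA'
MISORDERED_CHAIN=' 0 s:/O=Example CA/CN=Example Secure Intermediate CA
   i:/O=Example CA/CN=Example Root CA
 1 s:/OU=Domain Control Validated/CN=*.my.site.com
   i:/O=Example CA/CN=Example Secure Intermediate CA'
SELF_SIGNED=' 0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd'

printf '%s\n' "$GOOD_CHAIN" | check_chain_order
printf '%s\n' "$MISORDERED_CHAIN" | check_chain_order || true
printf '%s\n' "$SELF_SIGNED" | check_chain_order || true
```

A self-signed result from a server that serves a proper chain in the browser usually means the request reached a different vhost than the browser's did, so compare the output with and without -servername before touching the certificate files.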