Closed
Bug 649664
Opened 14 years ago
Closed 14 years ago
Thunderbird doesn't recognize newer GoDaddy root certificate
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
VERIFIED
INVALID
People
(Reporter: stephenclouse, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0) Gecko/20100101 Firefox/4.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
Today we replaced our expired IMAP server certificate and Thunderbird began throwing errors that the cert couldn't be verified. The new certificate is signed by "Go Daddy Secure Certification Authority" (which my TB is missing), whereas the old cert was signed by "Go Daddy Class 2 CA" (which TB does have).
I've never touched the certificates in TB so I must assume that TB never had this root certificate to begin with.
Firefox 4 does have this root certificate. I exported it and pulled it into TB and everything was fine, but it probably needs to become part of the base installation.
Reproducible: Always
Comment 1•14 years ago
I'm confused; you say "FF 4 has it".
Bug 632461 adds a new root "Go Daddy Root Certificate Authority - G2" to NSS 3.12.10, which is NOT yet in FF 4.
I cannot find "Go Daddy Secure Certification Authority" in our list of roots.
I suspect that one is an intermediate cert, that is supposed to be sent by the SSL server during the handshake. Because FF caches seen good intermediates, your FF might already have it because it was used when you visited other sites earlier.
I suspect you made a common mistake when configuring your server.
You probably installed the server cert, only, but you failed to install the intermediate.
(I wish the CAs would give their customers better instructions, avoiding the need for me to repeatedly diagnose these scenarios and explain things.)
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
Comment 2•14 years ago
If you have reason to believe my comment is wrong, please attach that root to this bug.
Comment 3•14 years ago
(In reply to comment #2)
> If you have reason to believe my comment is wrong, please attach that root to
> this bug.
(you should have done so right away, which would have avoided me having to guess)
(In reply to comment #1)
> I suspect that one is an intermediate cert, that is supposed to be sent by the
> SSL server during the handshake.
Perfect guess, yes. It's this one here: http://certificates.godaddy.com/repository/gd_intermediate.crt
Which is issued by the "Go Daddy Class 2 CA":
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 769 (0x301)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US"
        Validity:
            Not Before: Thu Nov 16 01:54:37 2006
            Not After : Mon Nov 16 01:54:37 2026
        Subject: "serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US"
        ...
> (I wish the CAs would give their customers better instructions, avoiding the
> need for me to repeatedly diagnose these scenarios and explain things.)
+1
Updated•14 years ago
Status: RESOLVED → VERIFIED
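The diagnosis from comments 1 and 3, reproduced offline as an added example that is not part of the bug report: a server certificate issued by an intermediate verifies only when the client also has that intermediate, either from the handshake or from a cache. It assumes the openssl command-line tool is installed; the CA names and host name are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report. CA names and host are constructed;
# requires the openssl command-line tool.

make_chain() {  # $1 = empty working directory
  d=$1
  # Minimal config so the example does not depend on a system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'CN = unused' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' > "$d/ca.cnf"
  # Self-signed root: the only certificate in the client's trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
    -extensions v3_ca -subj '/CN=Constructed Root CA' \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate CA certificate, issued by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj '/CN=Constructed Intermediate CA' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.cnf" -extensions v3_ca \
    -out "$d/int.pem" 2>/dev/null || return 1
  # Server certificate, issued by the intermediate (not by the root).
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj '/CN=imap.example.test' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
}

# Succeeds only if a path from the server cert to the trusted root can be built.
# $1 = working directory; $2 = intermediate file the client also has (sent in
# the handshake or cached from earlier connections), or "" if it has none.
# -untrusted certs are candidates for path building, never trust anchors.
leaf_verifies() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem" 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
  fi | grep -q ': OK$'
}

work=$(mktemp -d)
make_chain "$work" || { echo "openssl could not build the test chain" >&2; exit 1; }
if leaf_verifies "$work" ""; then echo "server cert alone: verifies"
else echo "server cert alone: fails, issuer not found"; fi
if leaf_verifies "$work" "$work/int.pem"; then echo "with intermediate: verifies"
else echo "with intermediate: fails"; fi
rm -rf "$work"
```

To see which certificates a live server actually sends, `openssl s_client -connect <host>:993 -showcerts` (placeholder host and port) prints the chain from the handshake.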