Closed Bug 649664 Opened 14 years ago Closed 14 years ago

Thunderbird doesn't recognize newer GoDaddy root certificate

Categories

(Thunderbird :: Security, defect)

x86
Windows XP
defect
Not set
minor

Tracking

(Not tracked)

VERIFIED INVALID

People

(Reporter: stephenclouse, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0) Gecko/20100101 Firefox/4.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9

Today we replaced our expired IMAP server certificate and Thunderbird began throwing errors that the cert couldn't be verified. The new certificate is signed by "Go Daddy Secure Certification Authority" (which my TB is missing), whereas the old cert was signed by "Go Daddy Class 2 CA" (which TB does have). I've never touched the certificates in TB so I must assume that TB never had this root certificate to begin with.

Firefox 4 does have this root certificate. I exported it and pulled it into TB and everything was fine, but it probably needs to become part of the base installation.

Reproducible: Always

I'm confused: you say "FF 4 has it".

Bug 632461 adds a new root "Go Daddy Root Certificate Authority - G2" to NSS 3.12.10, which is NOT yet in FF 4.

I cannot find "Go Daddy Secure Certification Authority" in our list of roots. I suspect that one is an intermediate cert, that is supposed to be sent by the SSL server during the handshake.

Because FF caches seen good intermediates, your FF might already have it because it was used when you visited other sites earlier.

I suspect you made a common mistake when configuring your server. You probably installed the server cert, only, but you failed to install the intermediate.

(I wish the CAs would give their customers better instructions, avoiding the need for me to repeatedly diagnose these scenarios and explain things.)

Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
If you have reason to believe my comment is wrong, please attach that root to this bug.

(In reply to comment #2)
> If you have reason to believe my comment is wrong, please attach that root to
> this bug.

(you should have done so right away, which would have avoided me having to guess)

(In reply to comment #1)
> I suspect that one is an intermediate cert, that is supposed to be sent by the
> SSL server during the handshake.

Perfect guess, yes. It's this one here:

http://certificates.godaddy.com/repository/gd_intermediate.crt

Which is issued by the "Go Daddy Class 2 CA":

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 769 (0x301)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Grou
            p, Inc.",C=US"
        Validity:
            Not Before: Thu Nov 16 01:54:37 2006
            Not After : Mon Nov 16 01:54:37 2026
        Subject: "serialNumber=07969287,CN=Go Daddy Secure Certification Authorit
            y,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, Inc."
            ,L=Scottsdale,ST=Arizona,C=US"
...

> (I wish the CAs would give their customers better instructions, avoiding the
> need for me to repeatedly diagnose these scenarios and explain things.)

+1

Status: RESOLVED → VERIFIED
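
The situation diagnosed in this bug, as an added example that is not part of the original thread or of Mozilla's code: a simplified Python model of path building that matches certificates by subject/issuer name only (no signature or validity checks). The CA names are the ones quoted above; the leaf name imap.example.org and the function names are constructed for illustration.

```python
# Simplified model of certificate path building: certificates are matched by
# subject/issuer name only; no signatures or validity dates are checked.
# The leaf name "imap.example.org" is a constructed placeholder.
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str

ROOT = "Go Daddy Class 2 Certification Authority"
INTERMEDIATE = Cert("Go Daddy Secure Certification Authority", ROOT)
LEAF = Cert("imap.example.org", INTERMEDIATE.subject)

def build_path(sent, trusted_roots, cached=()):
    """Return (ok, path, missing_issuer) for the first cert in `sent`.

    sent          -- certs from the server handshake, leaf first
    trusted_roots -- subject names of roots in the client's store
    cached        -- intermediates the client kept from earlier connections
    """
    pool = {c.subject: c for c in list(sent[1:]) + list(cached)}
    current, path = sent[0], [sent[0].subject]
    while True:
        if current.issuer in trusted_roots:
            return True, path + [current.issuer], None
        nxt = pool.get(current.issuer)
        if nxt is None or nxt.subject in path:
            # Issuer is neither a trusted root nor an available intermediate.
            return False, path, current.issuer
        path.append(nxt.subject)
        current = nxt

def diagnose(sent, trusted_roots, cached=()):
    ok, path, missing = build_path(sent, trusted_roots, cached)
    if ok:
        return "OK: " + " -> ".join(path)
    return f"FAIL: no certificate for issuer '{missing}'"

if __name__ == "__main__":
    roots = {ROOT}
    # Server misconfigured (leaf only), client with no cached intermediates.
    print("leaf only, empty cache:   ", diagnose([LEAF], roots))
    # Same server, client that cached the intermediate from another site.
    print("leaf only, cached interm.:", diagnose([LEAF], roots, [INTERMEDIATE]))
    # Server fixed: intermediate sent in the handshake.
    print("leaf + intermediate sent: ", diagnose([LEAF, INTERMEDIATE], roots))
```

The first case fails and names the missing issuer, the second succeeds only because of the client-side cache, and the third succeeds for any client that trusts the root.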