Is anyone else experiencing issues with Chrome and Edge on mobile devices not trusting Go Daddy Secure Certificate Authority - G2 signed certificates?
We have a wildcard one that is causing problems for mobiles.
Hello,
I am troubleshooting an issue where Androids cannot connect to an NPS server with PEAP for RADIUS auth. All other platforms have no issue.
There are spotty errors about the certificate chain being invalid on the devices when trying to connect.
I look on my Android's certificate store and see a "Go Daddy Root Certificate Authority - G2" cert expiring in 2037.
I look on the NPS server and see the following certificate path:
GoDaddy Class 2 Certification Authority - Expires 2034
GoDaddy Root Certification Authority - G2 - Expires 2031
GoDaddy Secure Certificate Authority - Expires 2031
nps.publicname.com - expires next year
I figured oh, ok. This must be the issue. I will try to bundle the 2037 root cert into the chain and see if then the Android will trust it. I export the cert onto my laptop and am surprised to see the following in its certificate path:
GoDaddy Root Certification Authority - G2 - expires 2037 (the one I think we need)
GoDaddy Secure Certificate Authority - Expires 2031
nps.publicname.com - expires next year
Why would the certificate paths appear different for the same cert, with the same thumbprint, on two different Windows machines? I seem to have a fundamental misunderstanding I am just unable to find the answer to. Is it logical that this is the issue preventing the Androids from connecting?
I truly appreciate anyone's time in helping me understand.
UPDATE:
Per tech support, this is a result of FBX-8221. The 12.0 release web server changed and does not provide the intermediate certificate during a TLS negotiation. It is supposed to be fixed in the 12.0.1 release.
Gregg
Hello!
I have installed a GoDaddy SSL cert into my firewall (T50 running 12.0) and it works fine for the authentication page on port 4100 as well as for the SSLVPN. I just re-keyed it using a CSR from the T50.
However, when I test it using multiple external sites such as https://sslanalyzer.comodoca.com, it shows a problem with the trust chain. That site says “Trusted by Microsoft? No (unable to get local issuer certificate) UNTRUSTED” and “Trusted by Mozilla? No (unable to get local issuer certificate) UNTRUSTED.” Others have similar wording and they look like the problem is the “Go Daddy Secure Certificate Authority - G2” cert.
Does anyone else have a Firebox with a GoDaddy SSL cert that they can test? I think it is a red herring and would like to see what results others get.
There were four certs in the GoDaddy download, and reviewing each one showed this order:
Go Daddy Class 2 Certification Authority
Go Daddy Root Certificate Authority - G2
Go Daddy Secure Certificate Authority - G2
mail.greggspublicdomain.net
There were three certs in the bundle, plus my actual cert, and I installed them from bottom of the bundle cert file to top (opened using Notepad++), then installed my cert:
“Go Daddy Class 2 Certification Authority” as IPSEC/Webserver/Other
“Go Daddy Root Certificate Authority - G2” as IPSEC/Webserver/Other
“Go Daddy Secure Certificate Authority - G2” as IPSEC/Webserver/Other
“mail.greggspublicdomain.net” as IPSEC/Webserver/Other
When connecting with Chrome to mail.greggspublicdomain.net either internally or externally, Chrome shows the complete path trusted.
Thank you for your time!
Gregg
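Added example, not part of the original posts or any vendor's code: a simplified Python model of client-side chain building. It shows why a server that omits the intermediate yields "unable to get local issuer certificate" on clients that lack it, and why the same leaf can display different paths on machines with different certificate stores. Assumptions: certificates are matched by subject/issuer name only (no signatures or dates), the hostname and the `build_path` helper are constructed, and the cross-signed form of the G2 root is taken from the four-entry path listed in the posts.

```python
# Each certificate is modelled as a (subject, issuer) pair. Constructed data.
LEAF = ("mail.example.test", "Go Daddy Secure Certificate Authority - G2")
INTERMEDIATE = ("Go Daddy Secure Certificate Authority - G2",
                "Go Daddy Root Certificate Authority - G2")
G2_SELF_SIGNED = ("Go Daddy Root Certificate Authority - G2",
                  "Go Daddy Root Certificate Authority - G2")
G2_CROSS = ("Go Daddy Root Certificate Authority - G2",
            "Go Daddy Class 2 Certification Authority")
CLASS2_ROOT = ("Go Daddy Class 2 Certification Authority",
               "Go Daddy Class 2 Certification Authority")


def build_path(sent, trust_store, local_cache=()):
    """Return (subjects_in_path, error_or_None).

    sent        -- certs the server put in the handshake, leaf first
    trust_store -- the client's trust anchors
    local_cache -- intermediates the client already holds from elsewhere
    """
    path = [sent[0]]
    pool = list(sent[1:]) + list(local_cache)
    while path[-1] not in trust_store:
        subject, issuer = path[-1]
        if subject == issuer:
            return [c[0] for c in path], "self-signed certificate is not a trust anchor"
        # Prefer a trust anchor as issuer, then whatever else is at hand.
        candidates = [c for c in trust_store if c[0] == issuer]
        candidates += [c for c in pool if c[0] == issuer and c not in path]
        if not candidates:
            return ([c[0] for c in path],
                    f"unable to get local issuer certificate: {issuer}")
        path.append(candidates[0])
    return [c[0] for c in path], None


if __name__ == "__main__":
    cases = {
        "leaf only, clean client": ([LEAF], [G2_SELF_SIGNED], []),
        "leaf only, intermediate cached": ([LEAF], [G2_SELF_SIGNED], [INTERMEDIATE]),
        "leaf + intermediate": ([LEAF, INTERMEDIATE], [G2_SELF_SIGNED], []),
        "client trusts only Class 2": ([LEAF, INTERMEDIATE, G2_CROSS], [CLASS2_ROOT], []),
    }
    for name, (sent, trust, cache) in cases.items():
        path, err = build_path(sent, trust, cache)
        print(f"{name}: {' -> '.join(path)} | {err or 'trusted'}")
```

The second case models a client that already holds the intermediate, which is one way a desktop browser can show a complete path while an external checker reports the chain as broken.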