Resolving “Unknown Authority” SSL Certificate Errors for GoDaddy in Safari and Apache


When deploying GoDaddy SSL certificates with Apache, many developers encounter Safari's frustrating "unknown authority" warning despite proper configuration in other browsers. This stems from Apple's stricter certificate chain validation requirements compared to other browsers.

Safari requires the complete certificate chain to be presented in a specific order. The common issue occurs when:

  1. The intermediate certificates are not bundled with the server certificate
  2. The chain file lists the certificates in the wrong order
  3. The root CA certificate is missing from the chain

Here's the corrected Apache configuration that works across all browsers including Safari:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/godaddy.crt
SSLCertificateKeyFile /etc/apache2/ssl/godaddy.key
SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt

You need to combine all intermediate certificates in the proper order. For GoDaddy certificates, the correct sequence is:

cat gdig2.crt gdroot-g2.crt > gd_bundle.crt

Where:

  • gdig2.crt is the intermediate certificate
  • gdroot-g2.crt is the root certificate

Use OpenSSL to verify your configuration:

openssl verify -CAfile gd_bundle.crt your_domain.crt

You should see "OK" if the chain is properly constructed.

Newer Apache versions (2.4.8+) support concatenating the domain certificate and its chain in SSLCertificateFile, which replaces the now-obsolete SSLCertificateChainFile:

SSLCertificateFile /etc/apache2/ssl/combined.crt

Where combined.crt contains:

  1. Your domain certificate
  2. Intermediate certificates
  3. Root certificate

After implementing these changes, test using:

  • SSL Labs test (https://www.ssllabs.com/ssltest/)
  • Safari developer tools
  • Chrome security tab

When deploying GoDaddy SSL certificates across multiple browsers, Safari tends to be the odd one out. While Chrome, Firefox and Edge validate the certificate chain correctly, Safari throws the notorious "unknown authority" error. This stems from Safari's stricter root certificate validation compared to other browsers.

The root cause lies in how Safari handles intermediate certificates. GoDaddy's standard bundle file (gd_bundle2.crt) might not include the complete chain required by Safari's trust store. Here's what typically happens:

# Common incorrect chain structure
1. Your Domain Certificate
2. GoDaddy Intermediate (missing root in some cases)
3. (Root certificate not properly referenced)

Here's the definitive configuration that works across all browsers including Safari:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/godaddy.crt
SSLCertificateKeyFile /etc/apache2/ssl/godaddy.key
# Use the alternative chain file:
SSLCertificateChainFile /etc/apache2/ssl/gd_bundle-g2.crt

Key differences from standard setup:

  • Using gd_bundle-g2.crt instead of gd_bundle2.crt
  • Ensuring the file contains the complete chain up to the trusted root

After implementing the fix, verify using OpenSSL:

openssl s_client -connect yourdomain.com:443 -showcerts -CApath /etc/ssl/certs/

Look for these indicators of success:

Verify return code: 0 (ok)
Certificate chain
 0 s:/CN=yourdomain.com
   i:/C=US/O=GoDaddy.com, Inc./OU=...
 1 s:/C=US/O=GoDaddy.com, Inc./OU=...
   i:/C=US/O=The Go Daddy Group, Inc...
 2 s:/C=US/O=The Go Daddy Group, Inc...
   i:/O=Digital Signature Trust Co...

For Apache 2.4.8+, use the directive form that replaces SSLCertificateChainFile (only one SSLCertificateFile per key type, so the concatenated file takes the place of the plain domain certificate):

# Concatenated file containing domain cert + full chain, leaf first; no SSLCertificateChainFile needed:
SSLCertificateFile /etc/apache2/ssl/fullchain.crt
SSLCertificateKeyFile /etc/apache2/ssl/yourdomain.key

Create fullchain.crt by concatenating:

cat yourdomain.crt gd_bundle-g2.crt > fullchain.crt

When building your chain file, the order is crucial. The correct sequence is:

  1. Your domain certificate
  2. Intermediate certificate(s)
  3. Root certificate (though usually not required)
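As an added example (not part of the original post), the script below builds a constructed root, intermediate and leaf chain with openssl and then checks a bundle the way the ordering rule above requires: leaf first, with each certificate's issuer equal to the subject of the certificate that follows it. It assumes openssl 1.1.1 or later, mktemp and awk are available; the check_chain_order function, the dn helper and all file and subject names are mine, not GoDaddy's or Apache's.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway root -> intermediate -> leaf
# chain with openssl (a constructed test CA, no GoDaddy material), then check that a bundle
# is ordered leaf first with each certificate's issuer equal to the next certificate's subject.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
for n in root int leaf; do
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$n.key" 2>/dev/null
done
openssl req -new -key root.key -subj '/CN=Constructed Test Root' -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem 2>/dev/null
openssl req -new -key int.key -subj '/CN=Constructed Test Intermediate' -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out int.pem 2>/dev/null
openssl req -new -key leaf.key -subj '/CN=www.example.test' -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 1 -extfile leaf.ext -out leaf.pem 2>/dev/null

# dn FIELD FILE: print the subject or issuer DN in stable RFC 2253 form, without the "subject=" prefix.
dn() { openssl x509 -in "$2" -noout -"$1" -nameopt RFC2253 | sed 's/^[a-z]*=//'; }

# check_chain_order BUNDLE: return 0 when every certificate's issuer is the subject of the
# one that follows it (leaf, intermediate(s), root); return 1 and name the break otherwise.
check_chain_order() {
  d=$(mktemp -d)
  awk '/-----BEGIN CERTIFICATE-----/{n++} {print > ("'"$d"'/c" n ".pem")}' "$1"
  i=1
  while [ -f "$d/c$((i + 1)).pem" ]; do
    if [ "$(dn issuer "$d/c$i.pem")" != "$(dn subject "$d/c$((i + 1)).pem")" ]; then
      echo "chain break after certificate $i: $(dn subject "$d/c$i.pem")" >&2
      rm -rf "$d"
      return 1
    fi
    i=$((i + 1))
  done
  rm -rf "$d"
}

cat leaf.pem int.pem root.pem > good.pem   # leaf, intermediate, root: the order Apache expects
cat int.pem leaf.pem root.pem > bad.pem    # intermediate before leaf: a common mistake
check_chain_order good.pem && echo "good.pem: chain order OK"
check_chain_order bad.pem || echo "bad.pem: wrong chain order detected"
# Order aside, confirm the leaf really chains to the root (prints "leaf.pem: OK"):
openssl verify -CAfile root.pem -untrusted int.pem leaf.pem
```

Run it against a real bundle with check_chain_order /etc/apache2/ssl/fullchain.crt; the message on stderr names the certificate after which the issuer/subject link breaks.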

For GoDaddy specifically, download the correct bundle from their SSL certificate management console, as they frequently update their intermediate certificates.