Troubleshooting Untrusted Starfield Wildcard SSL Certificate in Older Browsers: Apache Configuration Fix

When implementing a Starfield wildcard SSL certificate on an Apache server (CentOS 6.3/LAMP), you might encounter certificate trust errors specifically in:

  • Safari on legacy systems
  • Chrome versions running on OS X 10.5.8
  • Other browsers with outdated root certificate stores

First verify the basic SSL directives in ssl.conf (/etc/httpd/conf.d/ssl.conf on CentOS 6):

SSLCertificateFile /path/to/cert/mysite.com.cert
SSLCertificateKeyFile /path/to/cert/mysite.key
SSLCertificateChainFile /path/to/cert/sf_bundle.crt

The most common solution (which resolved my case) involves ensuring the chain file is properly referenced in both locations:

  1. The main ssl.conf file
  2. Each VirtualHost block in httpd.conf that uses SSL

Example VirtualHost configuration:

<VirtualHost *:443>
    ServerName example.com
    ServerAlias *.example.com
    
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/example.com.key
    SSLCertificateChainFile /etc/httpd/ssl/sf_bundle.crt
    
    # Other directives...
</VirtualHost>

Use OpenSSL to check that your certificate really chains through the bundle. Certificates given with -CAfile are treated as trusted roots, and the chain must end at a self-signed root, so pass the system CA store there and hand the Starfield bundle in as untrusted intermediates (on CentOS 6 the system store is /etc/pki/tls/certs/ca-bundle.crt):

openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt -untrusted sf_bundle.crt mysite.com.cert

The shorter form openssl verify -CAfile sf_bundle.crt mysite.com.cert only succeeds when the bundle itself contains the self-signed root, so a failure there does not by itself mean the bundle is wrong.

For thorough testing, try these diagnostic tools:

  • SSL Labs' SSL Test: https://www.ssllabs.com/ssltest/
  • SSL Shopper Checker: https://www.sslshopper.com/ssl-checker.html

If issues persist, try these Starfield intermediate certificates:

  1. Primary bundle:
    wget https://certs.godaddy.com/repository/sf_bundle.crt
  2. Alternative intermediate:
    wget https://certs.godaddy.com/repository/sf_intermediate.crt

For maximum compatibility with older systems:

  • Make sure the intermediate bundle belongs to the hierarchy your certificate was issued under (Starfield's SHA-2 chain uses different intermediates from the older SHA-1 chain); an intermediate from the wrong hierarchy will not chain to your certificate, whatever the browser
  • Consider including both of the intermediate certificates listed above in your chain file, so that clients trusting either root can still build a path
  • SNI on name-based virtual hosts needs Apache 2.2.12 or later built against OpenSSL 0.9.8f or later (CentOS 6.3's httpd 2.2.15 qualifies); clients that do not send SNI are handed the certificate of the first *:443 VirtualHost, so that default host must also carry the wildcard certificate and its chain

When deploying a Starfield wildcard SSL certificate on a CentOS 6.3 LAMP stack (GoDaddy VPS), some browsers, such as Safari and legacy Chrome versions on OS X 10.5.8, may show certificate trust errors, even for the root domain. SSL Shopper's diagnostic tool confirms the cause: the chain the server sends does not include a trusted intermediate, so clients without a cached copy cannot build a path to the root.

The standard Apache SSL configuration typically includes:

SSLCertificateFile /path/to/cert/mysite.com.cert
SSLCertificateKeyFile /path/to/cert/mysite.key
SSLCertificateChainFile /path/to/cert/sf_bundle.crt

However, this alone doesn't guarantee full browser compatibility.

Many administrators make these mistakes:

  • Using outdated intermediate bundles from GoDaddy's repository
  • Not applying the chain file setting to every VirtualHost block that has SSLEngine on
  • Mixing Starfield and GoDaddy intermediate certificates, which belong to different hierarchies

Verify the chain the server actually sends. Pass -servername so a name-based VirtualHost returns the right certificate; the certificate list should show your certificate followed by the Starfield intermediate, and with the system CA store available the output should end with "Verify return code: 0 (ok)":

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts

1. Download the latest Starfield intermediate bundle directly from:

wget https://certs.starfieldtech.com/repository/sf_bundle.crt

2. Update ALL Apache configuration files that carry SSL directives (ssl.conf AND every SSL VirtualHost in httpd.conf):

<VirtualHost *:443>
    ...
    SSLCertificateFile /etc/ssl/certs/domain.crt
    SSLCertificateKeyFile /etc/ssl/private/domain.key
    SSLCertificateChainFile /etc/ssl/certs/sf_bundle.crt
</VirtualHost>

SSLCertificateChainFile is the correct directive for the httpd 2.2.15 that CentOS 6.3 ships. On Apache 2.4.8 and later it is deprecated: there you append the intermediates to the file named by SSLCertificateFile (server certificate first, then the intermediates) and drop the ChainFile directive.

After configuration changes, check the syntax and then reload without dropping active connections:

apachectl configtest
service httpd graceful

Use these tools for verification:

  • SSL Labs' SSL Test: https://www.ssllabs.com/ssltest/
  • BrowserStack for cross-browser testing
  • Legacy browser emulators for OS X 10.5 environments

For environments where Starfield's bundle still causes issues, a single concatenated file can replace the separate chain file, but only on Apache 2.4.8 or later. mod_ssl in Apache 2.2 (including CentOS 6.3's httpd 2.2.15) reads just the first certificate in SSLCertificateFile and ignores the rest, so on 2.2 keep the SSLCertificateChainFile directive. The order inside the file matters: your certificate first, then the intermediate that issued it.

# Concatenate certificates manually: server certificate first, then its issuing intermediate
cat domain.crt sf_intermediate.crt > combined.crt

Then, in the VirtualHost (Apache 2.4.8+ only):

SSLCertificateFile /path/to/combined.crt
# no separate SSLCertificateChainFile directive
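As an added example that is not part of the original page, the script below performs both checks from this article offline: the openssl verify test for a missing intermediate, and an order check for a concatenated certificate file. It builds a throwaway root -> intermediate -> wildcard leaf hierarchy with openssl in a temporary directory, standing in for Starfield's root, sf_bundle.crt and your own certificate; the names (Demo Root CA, Demo Intermediate CA, *.example.com) and the helper functions verify_leaf, split_pem and check_chain_order are all constructed for this demo. verify_leaf mirrors the openssl verify invocation with -CAfile for trusted roots and -untrusted for intermediates, and check_chain_order confirms that each certificate in a bundle is followed by its issuer, which is what a combined SSLCertificateFile on Apache 2.4.8+ requires.

```shell
#!/bin/sh
# Added example, not code from the original page. Builds a throwaway
# root -> intermediate -> wildcard leaf hierarchy (all names constructed)
# and runs the two checks that matter for a missing-intermediate problem.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Extensions that make a certificate usable as a CA (root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
# Extensions for the wildcard server certificate.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com,DNS:example.com\n' > leaf.ext

# Throwaway self-signed root (plays the part of the Starfield root).
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3 -extfile ca.ext \
    -out root.crt 2>/dev/null

# Intermediate CA signed by the root (plays the part of sf_bundle.crt).
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 3 -extfile ca.ext -out inter.crt 2>/dev/null

# Wildcard leaf signed by the intermediate (plays the part of your certificate).
openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 3 -extfile leaf.ext -out leaf.crt 2>/dev/null

# verify_leaf LEAF TRUSTED_ROOTS [INTERMEDIATES]
# Succeeds only if LEAF chains to a root in TRUSTED_ROOTS; INTERMEDIATES is
# passed as -untrusted, exactly as sf_bundle.crt should be on a real server.
verify_leaf() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# split_pem BUNDLE DIR: writes each certificate of BUNDLE to DIR/certNN.pem.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
}

# check_chain_order BUNDLE
# Succeeds if every certificate after the first is the issuer of the one
# before it (leaf, then intermediate, then any further issuer): the order a
# combined SSLCertificateFile on Apache 2.4.8+ must have.
check_chain_order() {
    dir=$(mktemp -d)
    split_pem "$1" "$dir"
    prev_issuer=""
    status=0
    for c in "$dir"/cert*.pem; do
        subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$c")
        iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$c")
        subj=${subj#subject=}
        iss=${iss#issuer=}
        if [ -n "$prev_issuer" ] && [ "$subj" != "$prev_issuer" ]; then
            status=1
        fi
        prev_issuer=$iss
    done
    rm -rf "$dir"
    return "$status"
}

# A correctly ordered combined file (leaf first) and the common mistake (reversed).
cat leaf.crt inter.crt > combined_ok.crt
cat inter.crt leaf.crt > combined_bad.crt

# Without the intermediate the leaf does not verify: this is what a browser
# with no cached Starfield intermediate sees when the server omits the chain.
if verify_leaf leaf.crt root.crt; then
    echo "unexpected: leaf verified without the intermediate"
else
    echo "leaf does not verify with the root alone (missing intermediate)"
fi
verify_leaf leaf.crt root.crt inter.crt && echo "leaf verifies once the intermediate is supplied"
check_chain_order combined_ok.crt && echo "combined_ok.crt is in leaf-then-issuer order"
check_chain_order combined_bad.crt || echo "combined_bad.crt is in the wrong order"
```

On the real server the same two calls are verify_leaf mysite.com.cert /etc/pki/tls/certs/ca-bundle.crt sf_bundle.crt and, if you build a combined file for Apache 2.4.8+, check_chain_order combined.crt.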