Our clergy e-mail server at work is running a Thawte SSL123 certificate for securing all webmail, POP/SSL and SMTP/SSL traffic. They have been an excellent certificate authority and we have used them for several years now. Unfortunately, the certificate in question expired over the weekend. I was supposed to renew it late Saturday night or Sunday morning, the time when we have the least traffic on our server (go figure, it’s a bunch of preachers). The problem was that I got home, sat on the couch, played with the kids and this slipped my mind.
There’s nothing better than a dose of high octane stress to kick off a week just right. I came in this morning to find out that no one could connect to the server anymore. Our office was flooded with calls wondering what was wrong with the e-mail server. In the past people could have clicked past the expiration error and kept on trucking. I quickly renewed the certificate, downloaded and installed it. Then the real problem started. All of our clients could now access the server but they were getting trust errors. Turns out the new Thawte certificates need to have an intermediate CA certificate installed.
Thawte uses Intermediate CAs to enhance the security of SSL and Code Signing certificates. Installing the correct Intermediate CAs or CA bundle for the certificate being used is absolutely essential to ensure that users don’t see certificate errors when visiting a website or running software secured with a Thawte certificate.
I didn’t know about this since it had changed in the last year. After running it by their technical support (they give great chat by the way) I was pointed to an article discussing the issue. Turns out this new requirement was implemented on June 27th, 2010. I downloaded the required certificate and added the following line to ssl.conf:
SSLCACertificateFile /usr/local/ssl/crt/cabundle.crt
One quick Apache restart and all is well. Now it’s noon on Monday. Time to get the week started!
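The trust errors above come from a client that holds the root in its trust store but cannot find the intermediate that sits between the root and the server certificate. The script below is an added example, not code from the original post and not Thawte's or Apache's own material: it builds a throwaway root / intermediate / server chain with OpenSSL in a temporary directory and verifies the server certificate twice, once without the intermediate (fails, the situation the clients were in) and once with it (passes, the situation after the CA bundle was installed). The subject names, the 30-day lifetimes and the hostname mail.example.invalid are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "missing
# intermediate" trust error offline with a locally generated chain.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Self-signed root CA: this is the only certificate the client trusts.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# 2. Intermediate CA, signed by the root. CA:TRUE is required or verify
#    refuses to treat it as an issuer.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/int.ext"
openssl x509 -req -in "$WORK/int.csr" \
  -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
  -days 30 -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null

# 3. Server (mail) certificate, signed by the intermediate, not by the root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.invalid" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" \
  -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
  -days 30 -out "$WORK/server.crt" 2>/dev/null

# Client view before the fix: root only, no intermediate available.
# Returns non-zero ("unable to get local issuer certificate").
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Client view after the fix: the server hands over the intermediate
# (-untrusted models a cert received in the TLS handshake, not one the
# client trusts on its own). Returns zero.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    "$WORK/server.crt" >/dev/null 2>&1
}

if verify_without_intermediate; then
  echo "unexpected: chain verified without the intermediate"
else
  echo "as expected: server cert does NOT verify with the root alone"
fi
if verify_with_intermediate; then
  echo "as expected: server cert verifies once the intermediate is supplied"
fi
```

Two practical notes for checking a live server rather than a local chain. First, `openssl s_client -connect mail.example.invalid:443 -showcerts` prints every certificate the server actually sends, so a chain that stops at the server certificate is visible immediately, and the same command works against the POP and SMTP ports with `-starttls pop3` or `-starttls smtp`. Second, in Apache's mod_ssl the directive written specifically for sending intermediates to clients is `SSLCertificateChainFile`, and from Apache 2.4.8 that directive is deprecated in favour of appending the intermediate certificates to the file named by `SSLCertificateFile`; `SSLCACertificateFile` is primarily the trust store for client-certificate verification, although OpenSSL will also draw chain certificates from it, which is why the post's fix worked.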