On Tue, Jul 26, 2011 at 3:11 PM, Geoff Hoffman
<ghoffman_at_cardinalpath.com> wrote:
> Long shot here... this is probably off base, as I am not that experienced
> with lower-level SSL problems, but are you by chance using an issuer that
> provides an intermediary certificate?
> For example, to install an SSL cert from GoDaddy, you have to also include
> the gd_bundle.crt. The Wikipedia article below makes me wonder if there are
> just some network hiccups sometimes, trying to validate your certificate
> chain authority.
>>
>> From http://en.wikipedia.org/wiki/Intermediate_certificate_authorities
>> If the certificate was not issued by a trusted CA, the connecting device
>> (e.g., a web browser) will then check to see if the issuing CA of the
>> certificate was issued by a trusted CA, and so on until either a trusted CA
>> is found (at which point a trusted, secure connection will be established)
>> or no trusted CA can be found (at which point the device will usually
>> display an error).
>
>
Yes, and indeed this is a GoDaddy cert, with the bundle installed to
keep the chain intact, so thus it does work that 95% of the time. I
was thinking that the chain is all presented from the server to client
in one fell swoop, with no need to go fetch anything else "out there"
(not that you're suggesting that is what it needs to do--go outside to
fetch something). But indeed, I suppose it could complicate the
handshake in such a way as to cause this intermittent failure--would
really like to be able to "watch" that happen via some kind of verbose
log.
Dan
Received on 2011-07-26 22:20:49 CEST
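The point raised in the thread, that the server is expected to send the intermediate (the gd_bundle.crt role) along with its own certificate so the client can build the chain to a trusted root without fetching anything, can be checked offline. The script below is an added example, not code from the thread or from GoDaddy: it builds a throwaway root, intermediate and leaf certificate with openssl and then verifies the leaf against a trust store holding only the root, once with the intermediate supplied and once without. All subjects, file names and the www.example.com name are constructed for the example; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway root -> intermediate -> leaf
# chain with openssl, then verify the leaf the way a client would, with and without
# the intermediate "bundle". All names, subjects and paths here are constructed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue_cert NAME CN ISSUER EXTFILE
# ISSUER is the basename of the signing CA's key/cert; an empty ISSUER self-signs.
issue_cert() {
    name=$1; cn=$2; issuer=$3; ext=$4
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
        -out "$WORK/$name.csr" -subj "/CN=$cn" >/dev/null 2>&1 || return 1
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 1 -extfile "$ext" -out "$WORK/$name.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$WORK/$name.csr" \
            -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial \
            -days 1 -extfile "$ext" -out "$WORK/$name.pem" >/dev/null 2>&1
    fi
}

# Build the three-certificate chain: root (trust anchor), intermediate, server leaf.
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.com\n' \
        > "$WORK/leaf.ext"
    issue_cert root "Example Test Root CA" "" "$WORK/ca.ext" || return 1
    issue_cert intermediate "Example Test Intermediate CA" root "$WORK/ca.ext" || return 1
    issue_cert leaf "www.example.com" intermediate "$WORK/leaf.ext" || return 1
}

# A client that trusts only the root and receives the bare leaf: the chain is
# incomplete, so verification fails ("unable to get local issuer certificate").
verify_without_bundle() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same trust store, but the server also presented the intermediate, exactly what
# installing the bundle file alongside the server certificate achieves.
verify_with_bundle() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediate.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

# One-line summary of both checks, for a quick eyeball or a test assertion.
chain_status() {
    a=FAIL; b=FAIL
    verify_without_bundle && a=OK
    verify_with_bundle && b=OK
    echo "without-bundle:$a with-bundle:$b"
}

make_chain && chain_status
```

Against a live server the equivalent check is `openssl s_client -connect host:443 -servername host -showcerts`, which prints every certificate the server actually sent in the handshake, so a missing or wrongly ordered intermediate shows up directly; adding `-state` or `-msg` gives the verbose handshake trace the reply above asks for, and running it several times is a reasonable way to catch an intermittent failure such as one of several load-balanced servers lacking the bundle.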