GoDaddy Certificate Firefox/Thunderbird
Most browsers will now work with the site because they know about GoDaddy/Starfield as root authorities. But Firefox/Thunderbird don't. So we need to get the chain working.
Use the command:
openssl s_client -connect my.server.name:443
to dump out the connection data. The Certificate Chain section appears right before the Server Certificate. (When testing SSL POP3, use port 995 instead of 443, of course.)
Here's where that PEM file (Section 7.a) comes in handy. STunnel doesn't appear to obey the CAfile directive, but you can paste the GoDaddy certificates (from gd_intermediate_bundle.crt) into the same PEM file after your key and certificate, and the entire chain will work.
To accomplish the same thing when serving with Apache:
Place the PEM file created in step 7.a into your Apache/conf/ssl directory
Place the intermediate chain file (gd_intermediate_bundle.crt or gd_full_bundle.crt) into the Apache/conf/ssl directory.
Reference both files in the Apache/conf/ssl.conf file:
SSLCertificateFile conf/ssl/your.server.name.pem
SSLCertificateChainFile conf/ssl/gd_intermediate_bundle.crt
Restart the Apache service.
In our case, we tossed the valicert_class2_root.crt root certificate for GoDaddy into the intermediate bundle, as it wasn't there, and renamed it "gd_full_bundle.crt". But that's just our style when struggling with a problem. Never settle for mere overkill!
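To confirm that either fix took effect, the Certificate Chain section of the s_client output can be checked mechanically. The following is an added example, not part of the original page: it parses that section and reports when the server sent only its own certificate or when the certificates are not in issuer order. The sample outputs and CA names in it are constructed.

```python
import re

# Constructed s_client excerpts; every name in them is made up.
LEAF_ONLY = """\
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=my.server.name
   i:/O=Example CA/CN=Example Intermediate CA
---
Server certificate
"""

WITH_BUNDLE = """\
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=my.server.name
   i:/O=Example CA/CN=Example Intermediate CA
 1 s:/O=Example CA/CN=Example Intermediate CA
   i:/O=Example CA/CN=Example Root CA
---
Server certificate
"""

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, in_section = [], False
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
        elif in_section and line.startswith("---"):
            break  # end of the chain section; "Server certificate" follows
        elif in_section and (m := re.match(r"\s*\d+ s:(.*)", line)):
            chain.append([m.group(1).strip(), None])
        elif in_section and chain and (m := re.match(r"\s+i:(.*)", line)):
            chain[-1][1] = m.group(1).strip()
    return [tuple(c) for c in chain]

def chain_problems(chain):
    """List chain defects that are visible in the s_client output."""
    if not chain:
        return ["no 'Certificate chain' section found"]
    problems = []
    for depth, ((_, issuer), (subject, _)) in enumerate(zip(chain, chain[1:])):
        if issuer != subject:
            problems.append(f"cert {depth} is not issued by cert {depth + 1}")
    subject, issuer = chain[-1]
    if len(chain) == 1 and subject != issuer:
        problems.append("only the server certificate was sent; intermediate bundle missing")
    return problems
```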
