October 3, 2011

Installation of SSL certificate from GoDaddy.com on Oracle Application Server 10.1.3.

Taken from http://www.dcinformatics.com/home/blog.jsp#090911

 


Compared to VeriSign, Comodo, Thawte and other $400+/year SSL certificates, the $12.99 product from GoDaddy.com looks like a very attractive alternative. But the downside is that installation of the certificate is not simple at all. These notes might help others save some time while going through SSL installation and configuration.
My objective was to secure Oracle HTTP Server 10.1.3.1.1 with an SSL certificate using Oracle Wallet 10.1.0.5.0. My OS is Windows 2003 Server. First I checked the existing default certificate, which comes with the Application Server installation, by connecting to the default Welcome page at http://www.myserver.com/ and simply changing the address to https://www.myserver.com/. As expected, the browser complained that I was using a certificate provided for testing purposes and should get a real one. The ssl_engine_log file at {ORA_HOME}\Apache\Apache\logs recorded an error:
    SSL call to NZ function nzos_Handshake failed with error 28860 
    (server www.myserver.com:443, client xxx.x.xxx.xx)
This is a normal response showing that Apache is configured correctly: it received a request on port 443, which goes through the SSL engine.
Creating a new wallet, creating a new certificate request and getting it signed at GoDaddy.com was not a problem. I received a zip archive with 2 files in it: www.myserver.com.crt, which contained my user certificate, and gd_bundle.crt with 3 CA certificates. The latter is meant to be used for creating the certificate chain, making the GoDaddy authority recognized by the server. Importing these two certificates into the wallet produced an error:
    User certificate installation failed.
    Possible errors:
    -Input was not a valid certificate
    -No matching certificate request was found
    -CA certificate needed for certificate chain not found
    Please install it first
    
After struggling against this error for some time I realized that gd_bundle.crt is useless and downloaded the chain-building certificates one by one from https://certs.godaddy.com/anonymous/repository.seam. The following files are required:
    sfsroot.crt
    valicert_class2_root.crt
    gd_cross_intermediate.crt
    gd_class2_root.crt
    gd_intermediate.crt
    
I am not sure how critical the order is, but in my case they were ordered as listed above. After that I successfully imported my user certificate www.mycompany.com.crt and saved the wallet in {ORA_HOME}/Apache/Apache/conf/ssl.wlt/default.
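The import-order question above, as an added example that is not from the original article: the script walks issuer names to subject names with the openssl command line and prints the files root-first, so that each certificate's issuer is already present when it is imported. The function names, demo subjects and file names are constructed for illustration; the script matches names only and does not verify signatures.

```shell
#!/bin/sh
# Added example: print certificates in root-first order for wallet import.
# Matches issuer/subject names only; signatures are not verified here.

subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# $1 = user (leaf) certificate, remaining args = candidate CA certificates.
import_order() {
    cur=$1; shift; order=$cur
    # Walk upwards until a self-signed certificate (subject == issuer) is reached.
    while [ "$(subject_of "$cur")" != "$(issuer_of "$cur")" ]; do
        want=$(issuer_of "$cur"); next=
        for ca in "$@"; do
            if [ "$(subject_of "$ca")" = "$want" ]; then next=$ca; break; fi
        done
        # No candidate carries the issuer's name: the chain cannot be built.
        if [ -z "$next" ]; then echo "missing issuer: $want" >&2; return 1; fi
        order="$next
$order"
        cur=$next
    done
    printf '%s\n' "$order"
}

# Constructed demo chain (root -> intermediate -> server) written into $1.
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    issue() {  # $1 = new cert name, $2 = signer name, $3 = subject CN
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
            -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
        openssl x509 -req -in "$d/$1.csr" -days 2 -CA "$d/$2.crt" -CAkey "$d/$2.key" \
            -CAcreateserial -out "$d/$1.crt" 2>/dev/null
    }
    issue intermediate root "Demo Intermediate CA"
    issue server intermediate "www.example.test"
}

demo=$(mktemp -d)
make_demo_chain "$demo"
# CA files passed out of order on purpose; output lists root, intermediate, server.
import_order "$demo/server.crt" "$demo/root.crt" "$demo/intermediate.crt"
# With the intermediate left out, the walk reports the missing issuer.
import_order "$demo/server.crt" "$demo/root.crt" || echo "chain incomplete"
rm -rf "$demo"
```

To use it on real files, call `import_order` with the user certificate first and the downloaded CA certificates (converted to PEM if necessary) after it.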
To my surprise, when I restarted the server and tried to connect using https, my Firefox browser gave me an error
    no common encryption algorithm(s)
    
and IE complained about connectivity like
    Internet connectivity has been lost.
    
The ssl_engine_log had an error:
    SSL call to NZ function nzos_Handshake failed with error 29040 
    (server www.mycompany.com:443, client xxx.xx.xxx.xx)
    
The same error always appears when a "not ready" certificate is used (a certificate which has not been successfully signed by the CA). It took me a while to realize that my certificate was OK, but that in addition to stopping and starting the AS, I had to close and reopen the Wallet to make it work. I am not sure why (maybe because I am using Remote Desktop to connect to the server?), but my updated certificate was not delivered to the browser until I closed the Wallet, opened it again, and opened and saved the certificate. After that everything worked fine.
I have seen lots of complaints on the Internet about GoDaddy tech support. In my case they were not very instrumental either, but give them a break. What could you expect for $12.99!?

2 comments:

  1. Very nice article indeed. To install ssl certificate, ssl price, ssl certificate pinning or any other ssl issues, refer to mysslonline

  2. Hostingsafety offers utmost hosting solutions along with SSL certificate and integration.
    Snap tags to know more
    Website Security Certificate | SSL certificate Prices | SSL Certificate Integration Service
