Symphonious

More a bookmark for myself than anything - the W3C has published a preliminary guide to differences between HTML 5 and HTML 4. Quite useful for anyone planning to update their products for HTML 5.

There’s already a lot of stuff written on the internet about how GoDaddy SSL certificates aren’t recognized by Mac but are by Windows, all of it pointing to “a configuration problem”. I’m not sure how we got such special treatment but none of the instructions I’ve seen work in our particular case.

In case you’re not familiar with it, the problem is that on Mac OS X connecting to the site displays a dialog saying that the certificate could not be validated for an unknown reason. Thanks a heap for that OS X… On Windows it works just fine. The problem turns out to be that the server isn’t configured to provide the full issuing certificate chain all the way back to the root SSL certificate (which is in OS X’s set of trusted roots by default). All around the internet you’ll get instructions saying to make sure that the SSLCertificateChainFile is set to point at gd_bundle.crt (available from GoDaddy’s repository). This doesn’t work with our certificate, not sure why.

The instructions we originally got didn’t mention anything about gd_bundle.crt and instead attached an sf_issuing.crt and told us to use that. This also doesn’t work.

It turns out we have a legacy certificate and that since it was issued GoDaddy have changed their certification chain. So instead of using gd_bundle.crt we should use ca_bundle.crt and otherwise follow the GoDaddy instructions. Then it seems to work with everything and the world is good.

You can then verify it’s all working using OpenSSL:

openssl verify -CAfile ca_bundle.crt -purpose sslserver <your crt file to test>

It should return:

<your crt file to test>: OK

If instead it returns something like:

error 20 at 0 depth lookup:unable to get local issuer certificate

You’re still missing one of the certificates in the issuing chain and are probably using the wrong crt from GoDaddy as the CAfile.

Update

I’ve changed the above to reflect that we’ve now got it all working. It turns out the president of GoDaddy found this post and past it on to Ryan Koski, a systems engineer working with GoDaddy’s SSL certification systems who very kindly got in touch with me and offered to help. I discovered the difference between new certificates and ours while writing up the configurations I’d tried for Ryan. I’d never noticed before because I hadn’t discovered the ValiCert root certificate at the bottom of our certificate chain when I was over at the GoDaddy repository. At that point, we didn’t have the valid chain to the root certificate so obviously browsers didn’t show it.

I must admit I’m also rather impressed by GoDaddy’s dedication, I may not like their advertising or web site much but I do have to admit they have the cheapest SSL certificates I can find anywhere and their customer support is first class.

If you’re having problems with a GoDaddy cert, log a support case because you’ve almost certainly screwed up and they should be able to help you. Yes, this is a hard learnt lesson.

Something I’m sure I’ll want to find again in the future: the OmniGroup provide statistics from their update app showing what OS, CPU, Graphics and various other hardware stats their user base has. Very useful for getting a rough guide of adoption rates.

I've noticed something I've been doing with some consistency lately - when I come across a product that I have some interest in, but can't or don't want to start using straight away, I try to add the product page to my RSS feeds. With the proliferation of RSS support in browsers these days it seems to me that every product page should include a link tag pointing to the product updates feed. Ephox doesn't currently do this, but its something that we should fix pretty quickly to help people find the Releases Blog and stay up to date with all the latest features and fixes.

If you're doing some graphic work in Java that you want to look pretty (as opposed to most UI stuff where this doesn't make any real difference), you probably want to make sure antialiasing is on for the graphics object. By default Java usually honors the OS settings for antialiasing, particularly for text, but you can get much smoother antialiasing by setting the appropriate rendering hint.

For example, originally the new progress bar I added last week didn't have antialiasing on, but in the tweaks I've done this morning (now live on our internal systems) antialiasing is on and it looks much better. It's also changed to be more dots than lines since the last post too. However, setting the antialias rendering hint for all the components in the editor simply slows everything down (rather dramatically) and doesn't actually improve the appearance anyway. Definitely a setting to be aware of but be cautious in its use.

For the benefit of my memory and those who haven't played with rendering hints much, here's how to enable antialiasing on a Graphics2D object:

g.setRenderingHint(RenderingHints.KEY_ANTIALIASING, RenderingHints.VALUE_ANTIALIAS_ON);