GoDaddy Changes SSL Policy Without Warning

September 19, 2009 · 8 comments


I just got a notice that my SSL certificates were going to expire and it was time to renew at GoDaddy (http://www.godaddy.com).  Not a problem.  Just go to their website and renew the certificate in a few clicks.  Matter of fact, we just renewed a previous certificate a couple weeks ago and it was easy, painless and very inexpensive.  Heck, that is why we chose GoDaddy as our provider for DNS registration and SSL certificates.  Their prices are great, their site is simple to navigate and they get things done quickly.  Having come from Verisign, where a ten-pack of SSL certificates and an administration certificate costs $10,000/year, this was a real no-brainer decision to move.

So, what happened?  As soon as we tried to renew the certificate, we were blocked with a warning that the key in the certificate signing request (CSR) was not between 2048 and 4096 bits in length.  We have never used certificates with anything other than 1024-bit keys and all of them were working fine, including the one we recently renewed.  We thought it was an error and tried to renew again on their site.  Same thing.  Rather than renew, we decided to issue a new CSR from our appliance (more on that later) and submit it.  Again, we were stopped by GoDaddy.  When we contacted technical support, we were told that the CSR had to be at least 2048 bits in length and that we would have to adjust our web server to generate a CSR of that size.
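Checking a CSR's key length before submitting it, as an added example that is not part of the original post: it builds a 1024-bit and a 2048-bit request, reads the RSA key size back out of each, and applies the 2048 to 4096 bit window described above. It assumes `openssl` is on the PATH; the key sizes, file names and CN are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Generates throwaway CSRs and
# checks their RSA key size against the CA's 2048-4096 bit window.
# Assumes openssl is installed; all names and sizes below are constructed.
set -eu

MIN_BITS=2048
MAX_BITS=4096

# make_csr BITS PREFIX: create PREFIX.key and PREFIX.csr with an RSA key of
# BITS bits (a constructed CN; the appliance in the post offers no such knob).
make_csr() {
    bits="$1"; out="$2"
    openssl req -new -newkey "rsa:${bits}" -nodes \
        -keyout "${out}.key" -out "${out}.csr" \
        -subj "/CN=www.example.com" >/dev/null 2>&1
}

# csr_key_bits FILE: print the modulus size of the public key inside a CSR,
# parsed from the "Public-Key: (N bit)" line of openssl's text dump.
csr_key_bits() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_policy_ok FILE: succeed only when the key size is inside the window.
csr_policy_ok() {
    bits="$(csr_key_bits "$1")"
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ] && [ "$bits" -le "$MAX_BITS" ]
}

# Stand-alone demo: the old-style 1024-bit CSR is rejected, the 2048-bit one passes.
WORK="$(mktemp -d)"
make_csr 1024 "$WORK/appliance"
make_csr 2048 "$WORK/renewal"
for f in "$WORK/appliance.csr" "$WORK/renewal.csr"; do
    if csr_policy_ok "$f"; then
        echo "$(basename "$f"): $(csr_key_bits "$f") bits, accepted"
    else
        echo "$(basename "$f"): $(csr_key_bits "$f") bits, REJECTED (need ${MIN_BITS}-${MAX_BITS})"
    fi
done
rm -rf "$WORK"
```

Run the same `csr_key_bits` check against the CSR your device exported before paying for a renewal; it also works on an issued certificate if you swap `openssl req` for `openssl x509`.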

Here is where we got really stuck.  Like a lot of shops, we use a number of appliances for security and other functions.  In particular, we have some Cisco products that require SSL certificates because they face the Internet.  These appliances are not generic web servers like Apache or IIS.  They come with custom user interfaces that ask few questions and give few options.  None of them ask or allow the administrator to set the key size in the CSR, and all of them generate the request from their own private key, which is fixed at 1024 bits.

I contacted Cisco TAC, but I knew the answer to my question before I got it typed into the case notes.  The products do not support 2048-bit CSRs, and you can submit a feature enhancement with your sales rep if this is something you want to be considered for a future release.  I wrote the case up anyway and escalated it since the appliance was about to go offline without a certificate.  When the TAC engineer finally contacted me, he was polite and professional, but also knew that there was nothing he could do for me.  He pointed me at a Cisco document that stated no support for anything other than 1024-bit CSRs and agreed to talk with the developers to see if they were developing anything for 2048 bits.

I told the TAC engineer that in fact I had found a workaround that would make it work.  Rather than using their interface, I could start up the box, take a 2048-bit IIS certificate and install it on the fly, then restart some other services, install the second 2048-bit IIS certificate and then bring up the device completely.  That works until the box needs to be rebooted, and then the process has to be repeated.  He was shocked that 1) it could be done and 2) I had found a way around their systems.  I told him that this confirmed compatibility and functionality and now they just had to provide better support.  He agreed, but the rest is out of his hands.  End of phone call.

Now, let's get back to the real culprit in my mind, and that is GoDaddy themselves.  First and foremost, they changed their SSL issuing policy without informing their customers in any way.  We did not receive any notices from them about this change, which prevented us from taking care of upcoming certificates before it happened.  This is unforgivable in my opinion.  Paying customers for services should know what they are paying for and must be informed well in advance of any proposed changes, modifications or limitations in that service.  So, I called GoDaddy technical support to get answers to these questions.

Once I got hold of someone at GoDaddy, I asked about the CSR.  They told me that the change had just happened a few days ago and that they now require 2048-bit CSRs for security reasons.  I told them that this made no sense since the original certificate and CSR have been stored on their servers for the past year, and all I was asking was for them to renew the certificate with the already submitted CSR, which they approved last year.  How could that request be considered less safe than submitting a brand new CSR for the same URL?  They had no answer, just a memorized statement.  Then I told them that I was using a custom appliance that did not provide me the mechanism for creating a 2048-bit CSR and that Cisco does not support it.  Then I was told that Apache and IIS can be used to generate 2048-bit requests.  Again, I reiterated that I was not running a web server application, but an appliance that had set standards that had to be met.  After being put on hold, the same answer came back.  Then, I was asked if I had talked to Cisco and informed them that 2048-bit was more secure and that they should support it.  Are you kidding, I said.  I don't tell Cisco what to do and neither does GoDaddy.

I asked the GoDaddy support tech to talk with developers and tell them that the security of my site is my responsibility and that I do not require 2048-bit CSRs to obtain my certificates.  I asked them why they didn't inform me in writing of the changes and give me time to react and protect my site during a transition period.  I demanded that they provide customers a mechanism for renewing pre-existing certificates with the CSRs that have already been submitted and are on file with them.  After being placed on hold, I was told that it was not possible to provide that service to me.  Then, the real shock came when the technician told me to find a different certificate provider to obtain the certificate!  Whoa.  Here is GoDaddy technical support telling me to drop GoDaddy as my certificate provider and go find someone who will do what the customer wants.  In my opinion, that is great advice.  It will take some time to qualify and build a relationship with another provider, but at this point, GoDaddy seems to be missing a real opportunity to provide customer service.

I do not know how GoDaddy goes about developing and delivering their services to customers, but I do know it is absolutely not working.  To change something like this, which is critical to the day-to-day operations of a business, without so much as a simple e-mail or letter to customers is one of the dumbest things I have seen in a long time.  If they really thought this was a great idea (or even a good idea), they should have shouted it to their customers to let them know how they were working to improve security moving forward.  And for current customers and certificates, renewals alone should have been allowed to continue using the 1024-bit CSR, since it had already been filed with GoDaddy prior to the change.  This could have been continued for up to 1 year from the date of change, which would give customers time to react.  They should also have found the major appliance vendors and got them to agree to support the new 2048-bit initiative in a press release.  But what did they do instead?  Sat around the office one night, came up with a release date and installed it without telling anyone, not even their paying customers.  Then built a policy for the technical support staff to have them tell their customers, "That's too bad for you.  Do it our way or hit the highway.  Either way, we don't care."  Clearly, customer loyalty and respect are things they don't have for customers and, conversely, we no longer have for them.  Too bad.  It was nice while it lasted.

Article by Steve Van Domelen


  • Great advice. I don't know how many times I have to tell people the very same things. Glad I'm not the only one.

  • Man that is one of the roughest things I could imagine happening to someone responsible for a site. What a nightmare.

    I got lucky and was able to start fresh with 2048-bit certificates, which I feel better about using anyway. I'm also lucky in that I don't use much of anything other than devices that run Linux, including some Cisco devices and other proprietary systems like wireless routers that I set up to run embedded Linux.

    That is the way to go if you really want to avoid headaches, sure it’s easy to just throw money at a problem and purchase proprietary solutions, but these headaches inevitably come up.

    GoDaddy has had an awful reputation for almost as long as I can remember; they've been around forever and have always had the image of being rather spammer-like with all their ads and tricks.. But honestly it's tough to beat their SSL in terms of price and features if you are familiar with the shell.

    My only thought to fixing such a problem as you are describing would be to set up tunnelling. Whether that be using VPNs or encapsulating one connection within another, that would be my only thought..

    Good luck and really liked the articulate description.. I hate it when internet companies treat internet savvy customers like this.

  • Larry Blische

    I'm in the same boat with a cert needed for a WatchGuard X5500e Firewall. I asked GoDaddy how to get a refund and found out I can revoke the cert within 30 days, but they take a $15 service fee from the refund amount. Not happy. Anyone have a good replacement for GoDaddy?

    • ashish

      I would try Thawte or GeoTrust

  • Alicia from Go Daddy

    We care very much about our customers! In fact, we contacted Steve after we saw this article. Larry – we’ll be in touch soon.

    Just a little background. The Certificate Authority Browser Forum has published new requirements for secure certificates. Because we’re members of this organization we’re supporting this change by requiring 2048-bit length for new and renewing certs. You can read more about it here: http://help.godaddy.com/article/5619

    If you have questions we’d really like to talk to you! Please contact our SSL support team 24/7 at 480-505-8852.

  • Mikeymike

    Sounds like your first mistake was moving away from VeriSign. Their roadmap was well documented. Still can't find reasoning why Cisco won't support 2048, especially as it's now the standard.

  • Steve

    UPDATE:  Just to be clear, as Alicia indicated, I was contacted by Go Daddy after this article was published and they changed gears and cooperated with us.  They finally understood my situation and made an exception for our account, and we can continue to generate 1024-bit CSRs.  They really saved me.  Moving away from Verisign remains a great decision, and I want to publicly thank Go Daddy customer service and management for stepping up and keeping my company Internet services/systems operating without interruption.  Even if it took this blog to get their attention.

    I would also like to add that Cisco must have received other complaints from customers clearly larger than we are, as they updated their software to create 2048-bit CSRs.  We found out by accident as it was included in another software patch.
