IGCTO

SSL Certification Path Error

We have a GeoTrust certificate that is on the list of Salesforce approved certs. GeoTrust Global CA and the intermediate certificate GeoTrust DV SSL CA.

 

This certificate is used for a secure Apex callout to our web service. It has been working since February. But on September 27, we were getting errors that indicated that Salesforce no longer recognized our certificate. Also, a customer using IE8 reported that several users were getting an untrusted message.

 

We only have one intermediate certificate and both are installed correctly on IIS. We did not have any issues with Salesforce or any browsers from February until September 27. We are using Windows Azure and I believe that Microsoft upgraded IIS7 to IIS8 recently, but don't know if that is relevant.

 

On September 27 I ran SSL Checker on SSL Shopper and found that our certificate path is not trusted by all browsers. I was told by GeoTrust that IE8 has trouble sometimes when this warning appears. He confirmed that we just needed to make sure the intermediate and root cert are stored correctly on IIS, which they are.

 

When I added our URL to the hostHeader setting on IIS, there was no longer any warning on SSL Checker and Salesforce correctly recognized our chain of trust.

 

But I don't want to use a hostHeader setting and am wondering if Salesforce needs to update its code to avoid the same issue IE8 has in resolving the correct certificate path. (Using a hostHeader setting creates issues when publishing our application to staging because the hostHeader is not correct.)

 

 

Vinita_SFDC
IGCTO

Your reply about changing settings in IE8 may be a possible solution for users who are using IE8, but my question is really about our web service and Salesforce callout to the SSL web service.  The information about IE8 was just a clue that maybe Salesforce is using similar code that Microsoft used in being unable to correctly identify the chain of trust.  Microsoft has fixed their issue in IE9, but Salesforce appears to be using code that is not working correctly.