GoDaddy SSL Certificates - anyone have any experience?

My favorite guy, our CTO, is back again, this time with more fun.

We've been using Verisign for our SSL certificates for years (like since 1994). When we bought the new companies our new CTO caused a major stink because everyone else in the other companies he's been supporting uses GoDaddy. After a giant goat-rodeo last year, we convinced him to just put in Verisign and we'd figure it out.

Well, now we're about to expire, and now he's decided we have to change our stuff with a little more than a week to go. Not amused.

Current big question:

-- Do they issue test/development versions of certificates to customers so we can test our setup? We can't seem to find anything like that.

-- Anyone have any advice on dealing with them?

I refuse to deal with GoDaddy under any circumstances. They are sleazy, and their CEO is appalling... this is the guy who was advocating torture a few years ago.

If you want a nice cheap registrar, use NameCheap.

How many certificates are we talking, anyway?

I use DigiCert over GoDaddy. I've used both and I'm now using DigiCert 100% of the time. I have good luck with them.

There's always a better answer than GoDaddy. For everything. Unless you're looking for videos of Danica Patrick where she acts like she's going to get naked but she never ever does!

Ahem.

For cheap-o certificates, we use DynaDot, which re-sells AlphaSSL and RapidSSL certs.

For anything beyond that - DigiCert is the correct answer.

I agree with you all, but I've already lost that argument, I'm afraid.

It's two production certificates, and then I want two other "development" certificates for our test and staging machines, which everyone else provides but apparently GoDaddy does not.

Latest salvo in the email jockeying made me throw my stress-foam thing across the room. Stupid son-of-a-beehive is using this as an excuse to push back on us having a test environment. At all.


Being in a similar boat as momgamer, where there is no choice but to use GoDaddy due to corporate mandate (sorry but saying to not use them after she's said she has to seems a little less than helpful):

momgamer wrote:

-- Do they issue test/development versions of certificates to customers so we can test our setup? We can't seem to find anything like that.

- as far as I can tell, they do not provide test certs.

momgamer wrote:

-- Anyone have any advice on dealing with them?

- realize that there's a reason they are so cheap: you get very little support. If you have a problem, you are pretty much on your own. They do have a decent set of FAQs and Howtos, though, in case you need a little extra help.

Edit: link to their "SSL Help Center"

Their FAQs and written documentation vary wildly, but I've always gotten really smart help on the phone. Have you called yet?

momgamer wrote:

Latest salvo in the email jockeying made me throw my stress-foam thing across the room. Stupid son-of-a-beehive is using this as an excuse to push back on us having a test environment. At all.

IMAGE(http://images.trueheart78.com/general/DoubleFacePalm.jpg)

So they're going to put you through that much pain to save maybe eighty dollars? You've already spent more than that arguing about it!

clover wrote:

Have you called yet?

This. The only good thing I will ever say about GoDaddy is that their phone support team is generally very knowledgeable and helpful. Call them, and call them often. Since you're forced to use them, might as well make them earn their money.

ThatGuy42 wrote:
clover wrote:

Have you called yet?

This. The only good thing I will ever say about GoDaddy is that their phone support team is generally very knowledgeable and helpful. Call them, and call them often. Since you're forced to use them, might as well make them earn their money.

Yup. I don't spend more than 5 minutes in the documentation now; just work out what you need to know from them and get in the call queue.

One nice thing is that once the CSRs see that you're not inept, they will often give you more background or tell you how to make an end-run around something, rather than just "ok you're fixed" or "we don't do that".

Stay with VeriSign.

Well sure, but it's too late for that.

True, but technology is cyclical. You can always go back.

momgamer wrote:

Latest salvo in the email jockeying made me throw my stress-foam thing across the room. Stupid son-of-a-beehive is using this as an excuse to push back on us having a test environment. At all.

Just to be clear, he's saying that because GD doesn't have dev/test certs you should get rid of your testing environments? That's brilliant.

Dr.Ghastly wrote:
momgamer wrote:

Latest salvo in the email jockeying made me throw my stress-foam thing across the room. Stupid son-of-a-beehive is using this as an excuse to push back on us having a test environment. At all.

Just to be clear, he's saying that because GD doesn't have dev/test certs you should get rid of your testing environments? That's brilliant.

Sort of. He's just decided one doesn't need to test using the same technology as your production environment and one doesn't need to test any operations procedure. You just make the change directly on the live servers and then try one SSL function and if it works everything is fine. Oh, and we don't need to bother with any sort of rollback or emergency procedure if we find that something has gone wrong.

I cannot seem to get it through his adamantine skull that this "operations procedure" has tentacles all through the code. We have to switch out Verisign's veracity icons and all that supporting code, and SSL is a key component of both our login and subscription systems. If it's broken, users can't access their service. We also have a third-party component as part of our Help system (LivePerson) that has to be under SSL in order for it to be available to our customers when they're under SSL, and that's a giant can of worms on the top of almost every page in our site.

Oh, and there's a second site that uses that server for payments being run by the team out of Minnesota, and we'll need to coordinate with them to get their set of changes required by this live because they aren't able to do their own builds yet (another long story).

Have I mentioned this all has to be done before Thanksgiving?

In desperation yesterday, I suggested that since they're so cheap we purchase another regular GoDaddy certificate for our development site, and then issue self-signed certificates to testing and staging. That will let us double-check the actual GoDaddy service on dev, and then I can just double-check that SSL comes on and off in the right places on the way out through the rest of the process. I don't like it, but if that $100 is that crucial then we can try to work with it.

He's decided that he'll go for that, if our CEO directly tells him to do it and if I write a justification of our testing environment. He thinks it's all just a waste of resources and we should just make our changes directly to the live sites and do all development there.

He also just decided this morning that a huge change to our indexing process that is in the middle of testing must be done now because he's decided it, so he wanted to delete half of it because he thinks it's an emergency that he has that hard drive space free. BTW - it's not, and it impacts about three terabytes of data, so it's not exactly going to be done today. When our CEO and the guy who's running the job join the party here in another hour and a half they're going to get greeted with that.

He sounds like a real winner.

He thinks it's all just a waste of resources and we should just make our changes directly to the live sites and do all development there.

That guy is a walking IT disaster.

You've got the right overall idea, MomGamer. You may be forced to do it his way, but you are in the right, and he is 100% wrong.

Totally out of my depth here, but can't you go over his head? Talk to his boss and warn them in no uncertain terms that this guy is about to explode everything to try and save the company a paltry amount of money. Emphasize try, because in the end he is probably going to end up costing the company a fortune on downtime, with all the issues you guys will end up having to overcome.

Document all of these interactions. When they happened, what you suggested, how you were rebuffed, what you tried next.

momgamer wrote:
Dr.Ghastly wrote:
momgamer wrote:

Latest salvo in the email jockeying made me throw my stress-foam thing across the room. Stupid son-of-a-beehive is using this as an excuse to push back on us having a test environment. At all.

Just to be clear, he's saying that because GD doesn't have dev/test certs you should get rid of your testing environments? That's brilliant.

Sort of. He's just decided one doesn't need to test using the same technology as your production environment and one doesn't need to test any operations procedure. You just make the change directly on the live servers and then try one SSL function and if it works everything is fine. Oh, and we don't need to bother with any sort of rollback or emergency procedure if we find that something has gone wrong.

I can see nothing bad coming of this plan.

Because of this:

Malor wrote:

...but you are in the right, and he is 100% wrong.

I totally support this plan of action:

Gaald wrote:

Totally out of my depth here, but can't you go over his head? Talk to his boss and warn them in no uncertain terms that this guy is about to explode everything to try and save the company a paltry amount of money. Emphasize try, because in the end he is probably going to end up costing the company a fortune on downtime, with all the issues you guys will end up having to overcome.

Seriously.

Being right doesn't mean getting to overrule policy or that going outside the chain of command won't cause you to be fired. Those sorts of tactics need to be used very carefully.

I can't go to his boss. Because his boss is supposed to be the same as mine. Unfortunately, he has a wide dotted-line to his boss in the other company (he's one of the people that was retained when we bought them), and that guy is totally on his side. He's a really neat person and knows anything there is to know about legal research, but that guy also has absolutely no idea how anything technical works (we just retired his TYPEWRITER last year).

I have already documented everything, and my boss is aware of the whole thing. I started doing that several fiascoes ago. Part of the problem is that these guys are still with the pay structure from their old company, which is the most ridiculous thing I've ever heard of. They work on the basis of billable hours. Even their support people like secretaries and accountants, and yes, their CTO. So he has to justify everything he does as part of getting paid. And to top it off, his bonus is at least partly based on the percentage of his budget he doesn't spend (which I think is a large part of this whole mess).

We already had that conversation about his wasting a ridiculous amount of money in terms of time and effort on this already last year. And I already lost that. The only thing that saved me then was a technical failure on GoDaddy's part. They've since fixed it, so I don't have anything concrete to fight with.

After the CTO threw that "I'll do it if the boss says so" over the wall last week, the boss (our boss, not his old boss) sent an email to all concerned basically saying that this is his job and he needs to man up and take responsibility for his decisions. Dead silence on this topic ever since. He's still having a giant cow about that indexing fix instead.

If I don't hear from him by today EOD Central, I'll send him an email. I've got to ask him for the account credentials so I can get their website to generate the verifier code we need to put into our sites and I need that tomorrow. I've got something else I've got to get done today or else so I wouldn't be able to work on it properly anyways.

As a professional QA Analyst, talk of eliminating a test environment makes me shudder and cry. I've been pushing for months now to get SSL certs installed in the test environment, and after two or three launches that needed rollbacks because of SSL issues that weren't testable with self-signed certs, I think we're finally getting them.

One of the rules of QA is that any difference between the test and live environments will definitely cause a major problem at some point. And let's not even discuss launching directly from dev to live. That's a bad idea always.

Update. He still hasn't told me what decision he's made, and not given me the account credentials so I can get the new validator code off GoDaddy's site. This has to be live and ready by the 19th.

I just sent him an email, and hopefully will get a straight answer out of him soon.

Are there other people you can cc when you write to him, so it's clear that any delay will be his fault? Or is that too political?

There are five other people on every communication I have with this man on this matter. :)

I did get an answer out of him. He told me he already ordered them, but then asked me a question that made it clear he couldn't have because he couldn't have placed the order without the answer (the value for CommonName is required).

I answered it, and then three or four others, and hopefully at the end of this volley we will really have placed the order.

Oh, Pinocchio...

I have worked for a similar type of IT manager. I call them the Douche-Master.

We're volleying on question nine, but it looks like one of the certificates is possibly deployed. Three more to go.

What a goat rodeo!