SSL Certificate Validation at Comodo


We buy some of our SSL certificates for public-facing servers from Comodo. I wish we didn’t.

Comodo has proven to be less than pleasurable to work with over the last 24 hours. Extremely.

Okay, let’s rewind about 36 hours. One of our servers bit the dust. Dead. Completely. The hard drives (two of ‘em, in RAID1) were shot. Yes, both of them (no backups, either). That, in and of itself, wasn’t too bad. The server doesn’t provide any mission-critical services, the only function it provides is there more as a convenience to users. Anyways, I spent most of yesterday building a new Red Hat Enterprise Linux server inside of VMware’s ESX Server. Got the application (a web app) installed, set up, configured to authenticate against Active Directory, SELinux working properly with it, the firewall opened up, etc. The only thing left to do was put a “real” SSL certificate on it. And that’s when the problems with Comodo began.

The server in question had an SSL certificate from Comodo. No problem, I’ll log in to my account on their web site and tell it I want to “replace” the certificate. As far as I can tell, the “replace” function simply revokes the current certificate and allows you to generate a new one (with the same expiration date, etc.). No problem there, I paste in the Certificate Signing Request (CSR), click a few more buttons, and submit the request.

Now, usually when we get a new certificate from them, it’s done pretty quickly. The only time we had problems was the first time we bought certs from ‘em. We had to provide a bunch of documentation proving that we really were who we said we were (we’re an .edu). No worries, got everything together, FAX’d it in, and we were good; had our certs a short time later. For every order since then, it’s been a pretty quick turnaround from the time we submit a CSR until the time we get the signed certificate back — everything seems to be handled automatically (which makes sense, right?).

So… I paste in the CSR, click a few buttons, and submit the request. Did I mention this was at about 1am? I went back to working on some other things, waiting for the certificate to be generated. Came back a bit later, logged in to Comodo’s website, checked the status. It’s “Awaiting Validation”. I waited another hour or so and checked again. Nope, no change. Finally, around 4am, I go to bed.

I get up today and one of the first things I do is to check the status. The server is ready to go, with the exception of having the “real” SSL certificate installed. I always try to get my users not to “click through” and bypass certificate errors, so I don’t want to make the server available to everyone with an SSL certificate that’s going to cause errors to be displayed. First I try the online chat support option. I talk to a guy who tells me that the certificate wasn’t issued because the address on the account (which is the address where my building is physically located) is different than the address listed in the WHOIS database (which has the address of where our main office is located). We have 40+ sites scattered around the state, so that makes sense. I try to explain this to the support guy and tell him that this has never been an issue before. He tells me that I need to submit documentation from our ISP stating that we’re really who I say we are. Whatever… I click the “X” in the top right corner of the window and, POOF, he’s gone.

Next up is a phone call. I call the support number and manage to finally get through to a real person. I try to explain the situation and this guy was marginally helpful. He tells me basically the same thing, except that I can send in something from a “third-party”. It can’t be anything we “manufactured”, like a letter on our official letterhead with our physical address on it. “A bank statement, a utility bill, something like that” will work, he tells me. Fine, I hang up.

Now I’m running all over the damn place and finally talk to someone who gives me a copy of the first page of our latest bill from the energy company (with the appropriate information marked out, of course). I head for the FAX machine and immediately FAX the energy bill into the number they gave me (along with all the other identifying information they’d need to tie it to my account). I follow that up with an e-mail referencing that same information and letting them know that I just FAX’d it in. I sent that e-mail at 12:31pm today.

Around 7pm, after I fell asleep for hours from being up all night, I logged into their site and checked the status again, expecting my certificate to be ready. Nope. No change at all. I try the online chat application again, but apparently that department isn’t available. I wait a bit and try again. Same thing. Just under three hours ago, I sent a slightly shitty e-mail to their support@ alias, hoping that might spur someone to take action. As of right now, still nothing.

I have a number of SSL certificates from Comodo that will expire in the next several months and will have to be renewed. If this shit isn’t resolved quick, we won’t be a customer much longer. This is entirely too much bullshit to deal with to replace an existing certificate with a new one with exactly the same data!

I WOULD NOT recommend Comodo to anyone. That’s all. Good day. =)

3 Responses to “SSL Certificate Validation at Comodo”

  1. Richard Smith - Validation Manager Says:

    Jeremy, I must apologize sincerely for your trouble. You got caught up in a policy change which I instituted late last week. In a nutshell, I instructed my team that we really should be giving a little more attention to renewals and re-issuances to be sure that we are not issuing certificates with data that is out of date. This can happen for any number of reasons; a business moves, merges with another company, changes their name, etc. You have pointed out some flaws in my execution of that new policy, especially regarding universities and other large de-centralized institutions, and I assure you I will work with my team to try to ensure that we don’t lock out another existing customer who is in the midst of an emergency situation as you were here.

    I sincerely apologize for the inconvenience which this has caused. I’ve been in those kinds of situations as an admin myself and can appreciate the level of stress you were already undergoing, only to have us add to it.

    First let me say, please contact me directly if this has not yet been resolved so that I can get this certificate straightened out for you immediately. You now have my direct email address and I will monitor throughout the evening.

    Secondly, on behalf of Comodo, we would like to offer you your next certificate free of charge in recognition of the massive inconvenience we have caused in this situation. Please contact me directly with your order details and I will make certain that we get this all straightened out for you.

    Once again, my apologies.

    Sincerely,
    Rich Smith
    Validation Manager - Comodo

  2. SSL Certificate Validation at Comodo (An Update) at ramblings of a sysadmin… Says:

    […] days ago, I wrote about my troubles with SSL Certificate Validation at Comodo. The next evening, I was notified of a comment posted by Rich Smith, Validation Manager at Comodo. […]

  3. Giving Comodo Another Chance at ramblings of a {sys,net}admin… Says:

    […] just attempted to renew a three-year-old SSL certificate that’s about to expire (read about my last experience).  It’s “awaiting validation”, just like last time.  We’ll see it how […]



Copyright © 2007 Jeremy L. Gaddis.