Unable to Find Valid Certificate Path for Google Checkout Notification on IIS6

Well, this was a fun one. For onelittlebow.com, we're using Google Checkout as one of our checkout methods. We recently switched to a virtual dedicated server rather than the normal shared hosting environment at GoDaddy. Their shared hosting never really supported Google Checkout notifications because their shared IIS servers were configured to use Basic Authentication with Windows and always pre-authenticated the request. Since the merchantID and key weren't a valid NT account on the server, IIS would always kick back a 401 response and ASP.NET wouldn't even touch the request.

Now with the virtual dedicated environment, we are finally able to use these callbacks and handle the authentication header ourselves in code (or by setting up an account on the server). But in production, we must use fully trusted SSL. That's not a huge deal; we just purchased one of their SSL certs and installed it on our server. Easy peasy, right? Well, if you're like me and you're not super familiar with the nitty-gritty details of SSL and certificate validation, then you might be getting this error in the Integration Console on Google Checkout's admin page.

We encountered an error trying to access your server at https://somewhere.com/callback_endpoint -- the error we got is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

When you pull it up in a browser, everything 'seems' fine, but I did notice Google Chrome didn't like it too much, with the big red warning page about its invalid certificate. Not really understanding why, I started asking questions on the forums and of Google Checkout's support. They came back instructing me to fully install the certificate path. Soon after, I found this useful article on GoDaddy's support website. You can find links for IIS 5 and IIS 7 here.

Basically, this article walks through the process of setting it up on your IIS6 server. The issue I had was related to not installing the intermediate certificates along with my IIS certificate. I also had to disable a previously installed root certificate.

After that, all was well. Our Google notifications started working the second we re-enabled them, and my browsers fully trusted our certificate.