Score:3

Install godaddy ssl certificate on nginx, pem, bundle, crt

It's a bit unclear, from the available instructions and forum posts, how to deal with the three files you get from GoDaddy when purchasing an SSL certificate from them. GoDaddy isn't very forthright in explaining it. In hindsight, now that one knows how to do it, one might think it is unwise of them not to detail this in the instructions attached to the purchase, as it is not trivial to get it working.

When purchasing a Standard SSL certificate (Starfield SHA-2) or (GoDaddy SHA-2) at GoDaddy, you indicate which server type you have and download a zip package. In the process, you also download two txt files.

For Nginx, you indicate server type 'other' and your zip file contains 3 files (1-3). In the process, two more files are also created (4-5) and saved separately:

  1. 3423l4kj23l4j.crt
  2. 3423l4kj23l4j.pem
  3. sf_bundle-g2-g1.crt
  4. generated-private-key.txt
  5. generated-csr.txt

When opened in Notepad, 1 and 2 above are identical:

-----BEGIN CERTIFICATE-----
MM123XXXXXX
XXXXXXXO8km
-----END CERTIFICATE-----

sf_bundle-g2-g1.crt above does not contain 1 or 2, but instead three separate entries:

-----BEGIN CERTIFICATE-----
XXXX1
XXXX2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXXX3
XXXX4
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXXX5
XXXX6
-----END CERTIFICATE-----

generated-private-key.txt is unique:

-----BEGIN PRIVATE KEY-----
XXXX7
XXXX8
-----END PRIVATE KEY-----

and, finally, generated-csr.txt is also unique:

-----BEGIN CERTIFICATE REQUEST-----
XXXX9
XXXX0
-----END CERTIFICATE REQUEST-----

In Nginx:

  1. I have created a folder, /etc/nginx/ssl
  2. I edit /etc/nginx/sites-enabled/default.conf as below:

server {
        listen 80 default_server ;
        listen [::]:80 default_server ;

I have changed this to:

server {
        listen 443 ssl ;
        listen [::]:443 ssl ;
        server_name example.com;

        ssl_certificate /etc/nginx/ssl/ ?????????.crt;
        ssl_certificate_key /etc/nginx/ssl/ ???????.key;

As it is a bit unclear what is what, and what a pem and a bundle are, I'd like to ask which of the unzipped files goes where:

  • ssl_certificate = crt, pem, bundle, gen_crt?
  • ssl_certificate_key = pem or private key?

UPDATE: I did as @nikita-kipriyanov suggested; this worked.

  • combined/concatenated them with: cat 3423l4kj23l4j.pem sf_bundle-g2-g1.crt > fullchain.pem. This becomes the ssl_certificate file.
  • renamed generated-private-key.txt to privkey.pem, then changed its file encoding: sudo iconv -c -f UTF8 -t ASCII privkey.pem > privkey.ascii.pem && sudo mv privkey.ascii.pem privkey.pem. This becomes the ssl_certificate_key file.
Nikita Kipriyanov:
All your files are in PEM format. It seems *you need* to concatenate your cert and bundle as per answer below and use that for `ssl_certificate`. Use generated-private-key file for `ssl_certificate_key`. I think that was pretty clear from an answer, but your edit makes this more explicit.
dave_thompson_085:
Are you sure that's `sf_bundle-g1-g1`? It doesn't make sense to chain a root to itself, and [GoDaddy's repository](https://certs.godaddy.com/repository) has `sf_bundle-g2-g1` and `sf_bundle-g2` but no `sf_bundle-g1-g1`.
Jaco:
Good spot @dave_thompson_085, it was a typo, I have corrected it.
Score:3

It depends on what is inside the bundle. I am certain it contains the certification path up to the trusted CA, the question is: does it also include the end server certificate (it's the "full chain" in terms of Let's Encrypt) or not ("chain")? Also, which file contains the private key?

You can check that manually by simply looking with a text viewer (notepad, etc.) and comparing the contents, because the bundle in PEM format is nothing more than all the certificates in Base64 form concatenated starting with the server, then its issuer CA, and so on.

You can also cut any certificate beginning with -----BEGIN CERTIFICATE----- up to -----END CERTIFICATE-----, including both of these special lines, into a dedicated file and decode it with openssl x509 -in file.pem -noout -text. This way you'll know exactly which certificates are in the bundle.

If the PEM-formatted file contains something like -----BEGIN PRIVATE KEY-----, don't share it with anyone, keep it secret!

All files that only contain certificates (that only have -----BEGIN CERTIFICATE----- in them) are public. You can safely show them to anyone (and you will, in fact, because the server sends those certificates to the client during the SSL session initiation step).


If your bundle already contains a full chain (i.e. begins with the end server certificate), then all the work was done for you and you can skip the following step.

However, if it doesn't contain a full chain, you have to concatenate it yourself (it seems this is your case):

cat server.crt bundle.pem > fullchain.pem

Now, simply pass it into Nginx:

ssl_certificate fullchain.pem;
ssl_certificate_key privkey.pem;

See the Nginx manual for details.
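An added example (not from the question or the answer) that automates the checks the answer describes: it splits each file into PEM blocks, strips the BOM and CRLF endings that caused the asker's iconv detour, builds the ssl_certificate file with the server certificate first whether or not the bundle already starts with it, and refuses to let a PRIVATE KEY block end up in the public certificate file. The sample PEM fixtures are constructed and contain no real key material.

```python
import base64
import re

# One PEM block: captures the label (CERTIFICATE, PRIVATE KEY, ...) and its Base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.DOTALL)

def normalize(raw: bytes) -> str:
    """Drop a UTF-8 BOM and CRLF endings (what a Notepad round-trip adds); the asker
    needed iconv for exactly this. Non-UTF-8 bytes raise UnicodeDecodeError."""
    return raw.decode("utf-8-sig").replace("\r\n", "\n").replace("\r", "\n").strip() + "\n"

def pem_blocks(raw: bytes) -> list:
    """Return (label, canonical_block) for each PEM block, body re-wrapped at 64 columns."""
    blocks = []
    for label, body in PEM_BLOCK.findall(normalize(raw)):
        body = "".join(body.split())
        base64.b64decode(body, validate=True)      # rejects corrupted or non-Base64 bodies
        lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        blocks.append((label, f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"))
    return blocks

def build_fullchain(server_crt: bytes, bundle: bytes) -> str:
    """Compose the ssl_certificate file: server (leaf) cert first, then the bundle.
    Works whether the bundle is a 'chain' or already a 'fullchain' (leaf included),
    and refuses to include anything that is not a certificate."""
    server, chain = pem_blocks(server_crt), pem_blocks(bundle)
    for label, _ in server + chain:
        if label != "CERTIFICATE":
            raise ValueError(f"refusing to put a {label} block into a public certificate file")
    if len(server) != 1:
        raise ValueError("server certificate file must hold exactly one certificate")
    leaf = server[0][1]
    return leaf + "".join(blk for _, blk in chain if blk != leaf)

def clean_key(raw: bytes) -> str:
    """Return the cleaned key for ssl_certificate_key, or raise if the file is not one key."""
    blocks = pem_blocks(raw)
    if len(blocks) != 1 or not blocks[0][0].endswith("PRIVATE KEY"):
        raise ValueError("ssl_certificate_key must contain exactly one PRIVATE KEY block")
    return blocks[0][1]

def _pem(label: str, payload: bytes) -> str:
    # Constructed fixture: meaningless Base64 standing in for DER, not real certificates or keys.
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"

LEAF = _pem("CERTIFICATE", b"constructed end-entity certificate")
INTER = _pem("CERTIFICATE", b"constructed GoDaddy/Starfield intermediate")
ROOT = _pem("CERTIFICATE", b"constructed cross-signed root")
KEY = _pem("PRIVATE KEY", b"constructed key")

if __name__ == "__main__":
    print(build_fullchain(LEAF.encode(), (INTER + ROOT).encode()))
```

Run it against the real 3423l4kj23l4j.crt, sf_bundle-g2-g1.crt and generated-private-key.txt and write the two return values to fullchain.pem and privkey.pem; it does not validate signatures, so finish with openssl verify -CAfile sf_bundle-g2-g1.crt fullchain.pem.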
