From the available instructions and forum posts, it's a bit unclear how to deal with the three files you get from GoDaddy when purchasing an SSL certificate from them. GoDaddy isn't very forthright in explaining it. In hindsight, now knowing how to do it, one might think it is unwise of them not to detail this in the instructions attached to the purchase, as it is not trivial to get it working.
When you purchase a Standard SSL certificate (Starfield SHA-2) or (GoDaddy SHA-2) at GoDaddy, you indicate which server type you have and download a zip package. In the process, you also download two txt files.
For Nginx, you indicate server type 'other' and your zip file contains three files (1-3). In the process, two more files are also created (4-5) and saved separately:
1. 3423l4kj23l4j.crt
2. 3423l4kj23l4j.pem
3. sf_bundle-g2-g1.crt
4. generated-private-key.txt
5. generated-csr.txt
When opened in Notepad, 1 and 2 above are identical:
'-----BEGIN CERTIFICATE-----
MM123XXXXXX
XXXXXXXO8km
-----END CERTIFICATE-----'
sf_bundle-g2-g1.crt above does not contain 1 or 2, but instead three separate entries:
'-----BEGIN CERTIFICATE-----
XXXX1
XXXX2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXXX3
XXXX4
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXXX5
XXXX6
-----END CERTIFICATE-----'
generated-private-key.txt is unique:
'-----BEGIN PRIVATE KEY-----
XXXX7
XXXX8
-----END PRIVATE KEY-----'
And, finally, generated-csr.txt is also unique:
'-----BEGIN CERTIFICATE REQUEST-----
XXXX9
XXXX0
-----END CERTIFICATE REQUEST-----'
In Nginx:
- I have created a folder, /etc/nginx/ssl
- I edit /etc/nginx/sites-enabled/default.conf as below:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
I have changed this to:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/ ?????????.crt;
    ssl_certificate_key /etc/nginx/ssl/ ???????.key;
As it is a bit unclear what is what, and what a pem and a bundle are, I'd like to ask which of the unzipped files goes where:
ssl_certificate = crt, pem, bundle, gen_crt?
ssl_certificate_key = pem or private key?
UPDATE
I did as @nikita-kipriyanov suggested; this worked.
- combined/concatenated by:
cat 3423l4kj23l4j.pem sf_bundle-g2-g1.crt > fullchain.pem
This would become the ssl_certificate file
- renamed the generated-private-key.txt into a privkey.pem file, then changed the file encoding of it:
sudo iconv -c -f UTF8 -t ASCII privkey.pem >> privkey.pem
This would become the ssl_certificate_key file
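
The two steps from the UPDATE as a script, added here as an example and not part of the original post or of GoDaddy's instructions: it checks each file's PEM label before use, builds fullchain.pem with the server certificate first, and writes privkey.pem to a new file with non-ASCII bytes and carriage returns removed. The function names are hypothetical, the file names follow the question, and key_matches_cert assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

ascii_only() {  # keep tab, LF and printable ASCII; drops a UTF-8 BOM and CRs
    LC_ALL=C tr -cd '\11\12\40-\176'
}

pem_kind() {    # label of the first PEM block in file $1, e.g. CERTIFICATE
    ascii_only < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1
}

# build_nginx_pair LEAF BUNDLE KEY OUTDIR
#   OUTDIR/fullchain.pem -> ssl_certificate (leaf first, then the CA bundle)
#   OUTDIR/privkey.pem   -> ssl_certificate_key (mode 600)
build_nginx_pair() {
    [ "$(pem_kind "$1")" = "CERTIFICATE" ] ||
        { echo "$1: not a certificate" >&2; return 1; }
    [ "$(pem_kind "$2")" = "CERTIFICATE" ] ||
        { echo "$2: not a certificate bundle" >&2; return 1; }
    case "$(pem_kind "$3")" in
        *"PRIVATE KEY") ;;
        *) echo "$3: not a private key" >&2; return 1 ;;
    esac
    # awk 1 ends every file with a newline, so END/BEGIN markers never fuse.
    awk 1 "$1" "$2" | ascii_only > "$4/fullchain.pem" || return 1
    # The key goes to a new file; the source file is only read.
    ( umask 077
      awk 1 "$3" | ascii_only > "$4/privkey.pem" && chmod 600 "$4/privkey.pem" )
}

# key_matches_cert FULLCHAIN KEY: true when the key's public half equals the
# public key of the first (leaf) certificate in FULLCHAIN.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Called as `build_nginx_pair 3423l4kj23l4j.pem sf_bundle-g2-g1.crt generated-private-key.txt /etc/nginx/ssl`, followed by `key_matches_cert` on the two outputs and `nginx -t` before reloading.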