Install GoDaddy SSL certificate on nginx, pem, bundle, crt
It's a bit unclear, from the available instructions and forum posts, how to deal with the three files you'll get from GoDaddy when purchasing an SSL certificate from them. GoDaddy isn't very forthright in explaining it. In hindsight, now that I know how to do it, one might think it unwise of them not to detail this in the instructions attached to the purchase, as it is not trivial to get it working.
When purchasing a Standard SSL certificate (Starfield SHA-2 or GoDaddy SHA-2) at GoDaddy, you indicate which server type you have and download a zip package. In the process, you also download two txt files.
For Nginx, you indicate server type 'other' and your zip file contains 3 files (1-3). In the process, two more files are also created (4-5) and saved separately:
1. 3423l4kj23l4j.crt
2. 3423l4kj23l4j.pem
3. sf_bundle-g2-g1.crt
4. generated-private-key.txt
5. generated-csr.txt
When opened in Notepad, 1 and 2 above are identical:

```
-----BEGIN CERTIFICATE-----
MM123XXXXXX
XXXXXXXO8km
-----END CERTIFICATE-----
```
sf_bundle-g2-g1.crt above does not contain 1 or 2, but instead three separate entries:

```
-----BEGIN CERTIFICATE-----
XXXX1
XXXX2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXXX3
XXXX4
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXXX5
XXXX6
-----END CERTIFICATE-----
```
generated-private-key.txt is unique:

```
-----BEGIN PRIVATE KEY-----
XXXX7
XXXX8
-----END PRIVATE KEY-----
```
and, finally, generated-csr.txt is also unique:

```
-----BEGIN CERTIFICATE REQUEST-----
XXXX9
XXXX0
-----END CERTIFICATE REQUEST-----
```
In Nginx:
- I have created a folder, /etc/nginx/ssl
- I edit /etc/nginx/sites-enabled/default.conf as below:

```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;
```

I have changed this to:

```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/?????????.crt;
    ssl_certificate_key /etc/nginx/ssl/???????.key;
```
As it is a bit unclear what is what, and what a pem and a bundle are, I'd like to ask which of the unzipped files goes where?
- ssl_certificate = crt, pem, bundle, gen_crt?
- ssl_certificate_key = pem or private key?
UPDATE: I did as @nikita-kipriyanov suggested, and this worked.
- combined/concatenated by:

```sh
cat 3423l4kj23l4j.pem sf_bundle-g2-g1.crt > fullchain.pem
```

This would become the ssl_certificate file.
- renamed generated-private-key.txt into a privkey.pem file, then changed its file encoding (writing to a temporary file, since redirecting iconv's output back into its own input file appends a second copy instead of replacing it):

```sh
sudo iconv -c -f UTF8 -t ASCII privkey.pem > privkey.ascii.pem && sudo mv privkey.ascii.pem privkey.pem
```

This would become the ssl_certificate_key file.
It depends on what is inside the bundle. I am certain it contains the certification path up to the trusted CA, the question is: does it also include the end server certificate (it's the "full chain" in terms of Let's Encrypt) or not ("chain")? Also, which file contains the private key?
You can check that manually by simply looking with a text viewer (notepad, etc.) and comparing the contents, because the bundle in PEM format is nothing more than all the certificates in Base64 form concatenated starting with the server, then its issuer CA, and so on.
You can also cut any certificate beginning with `-----BEGIN CERTIFICATE-----` up to `-----END CERTIFICATE-----`, including both of these special lines, into a dedicated file and decode it with:

```sh
openssl x509 -in file.pem -noout -text
```

This way you'll know exactly which certificates are in the bundle.
If the PEM-formatted file contains something like `-----BEGIN PRIVATE KEY-----`, don't share it with anyone, keep it secret!
All files that only contain certificates (that only have `-----BEGIN CERTIFICATE-----` in them) are public. You can safely show them to anyone (and you will, in fact, because the server sends those certificates to the client during the SSL session initiation step).
If your bundle already contains a full chain (i.e. begins with the end server certificate), then all the work was done for you and you can skip the following step.
However, if it doesn't contain a full chain, you have to concatenate it yourself (it seems this is your case):

```sh
cat server.crt bundle.pem > fullchain.pem
```

Now, simply pass it into Nginx:

```nginx
ssl_certificate fullchain.pem;
ssl_certificate_key privkey.pem;
```
See Nginx manual for details.
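As an added example (not from the question or the answer above), the same check done without openssl, in Python: classify each delivered file by its PEM labels, decide whether the bundle is a "chain" or a "full chain" by comparing its first block to the server certificate, build fullchain.pem with the server certificate first, and flag the BOM/non-ASCII bytes that the iconv step in the update was removing. The PEM bodies are constructed placeholders, not real certificates.

```python
import re

# One PEM block: header, base64 body, footer (stdlib only, no openssl needed).
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)\r?\n-----END (?P=label)-----", re.S)

def pem_blocks(text):
    """Return [(label, body with whitespace stripped)] for every block in text."""
    return [(m.group("label"), re.sub(r"\s+", "", m.group("body")))
            for m in PEM_BLOCK.finditer(text)]

def classify(text):
    """Which Nginx directive (if any) a file belongs to, judged by its PEM labels."""
    labels = {label for label, _ in pem_blocks(text)}
    if labels and labels <= {"CERTIFICATE"}:
        return "ssl_certificate"        # public: server cert and/or CA bundle
    if labels & {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}:
        return "ssl_certificate_key"    # secret: keep it private
    if "CERTIFICATE REQUEST" in labels:
        return "csr"                    # only needed when ordering the cert
    return "unknown"

def has_non_ascii(data):
    """True for a UTF-8 BOM or any byte outside 7-bit ASCII (what iconv was stripping)."""
    return any(b > 0x7F for b in data)

def render(blocks):
    """Re-emit blocks as clean PEM text with 64-column base64 lines."""
    return "".join(f"-----BEGIN {label}-----\n"
                   + "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
                   + f"\n-----END {label}-----\n" for label, body in blocks)

def build_fullchain(server_pem, bundle_pem):
    """Return (fullchain text, bundle_was_already_full). Nginx wants the server
    certificate first, then each issuer up to the CA; prepend it only if missing."""
    server, bundle = pem_blocks(server_pem), pem_blocks(bundle_pem)
    if [lab for lab, _ in server] != ["CERTIFICATE"] or any(lab != "CERTIFICATE" for lab, _ in bundle):
        raise ValueError("server file needs exactly one CERTIFICATE; bundle only CERTIFICATEs")
    if bundle and bundle[0] == server[0]:
        return render(bundle), True            # bundle already starts with the server cert
    return render(server + bundle), False      # chain only: put the server cert first

# Constructed sample files mirroring the question (placeholder bodies, not real certs).
SERVER_CRT = "-----BEGIN CERTIFICATE-----\nMM123XXXXXX\nXXXXXXXO8km\n-----END CERTIFICATE-----\n"
BUNDLE_CRT = "".join(f"-----BEGIN CERTIFICATE-----\nXXXX{i}\nXXXX{i + 1}\n-----END CERTIFICATE-----\n"
                     for i in (1, 3, 5))
PRIVKEY = "-----BEGIN PRIVATE KEY-----\nXXXX7\nXXXX8\n-----END PRIVATE KEY-----\n"
```

Run `classify` over each delivered file and `build_fullchain(server, bundle)` on the two certificate files; the boolean tells you whether the bundle was already a full chain.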