Using Godaddy SSL Certificates with NGINX
Have you just installed your new Godaddy certificate into your NGINX web server, and are you finding that some browsers (notably Safari) don’t trust your website when using your Godaddy SSL Certificate?
This shows up as the error message “Safari can’t identify the identity of the website ‘your.url.here’” and is caused by an incomplete “chain of trust” between your certificate and the root certificates your browser has installed: the server is handing out only its own certificate, without the intermediate certificate(s) that link it to a root the browser already trusts.
Here’s a quick cure for an NGINX installation:
Download the gd_bundle.crt and gd_intermediate.crt certificates from Godaddy’s certificate repository, then combine them, with your own certificate first:
cat yourcert.crt gd_intermediate.crt gd_bundle.crt > yourcert_bundle.crt
This concatenates your certificate and the Godaddy intermediate certificates into one file, in the order NGINX needs (your certificate first, then the intermediate that issued it, then the rest of the chain). Put the file yourcert_bundle.crt where NGINX looks for your certificate (the path given by the ssl_certificate directive in nginx.conf). Reload your NGINX configuration with:
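A quick way to check the bundle before reloading NGINX is to confirm that each certificate in the file is followed by the certificate that issued it. The script below is an added example, not code from the original post: it splits a PEM bundle, pulls the issuer and subject Name out of each certificate's DER encoding with a small hand-written parser (no external library), and reports any certificate whose issuer does not match the subject of the next one. All function names are the example's own. Because real certificates cannot be embedded here, sample_bundles() builds constructed, unsigned certificate-shaped blobs (carrying only a CN in each Name) that mirror the three-certificate Godaddy chain shown later in the post; to check your real file, call check_bundle_order(open("yourcert_bundle.crt").read()). This checks ordering only, not signatures; the openssl command further down does the cryptographic verification.

```python
import base64
import re

# Matches each PEM certificate block in a bundle, in file order.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem_bundle(pem_text):
    """Return the DER bytes of every certificate in the bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def _tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each element of a constructed type."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, pos, vstart, vend
        pos = vend


def names(der):
    """Return (issuer, subject) of an X.509 certificate as their raw DER Name encodings."""
    _, s, e = _tlv(der, 0)                   # Certificate ::= SEQUENCE
    _, s, e = _tlv(der, s)                   # tbsCertificate ::= SEQUENCE (first element)
    fields = [(tag, der[p:ve]) for tag, p, _, ve in _children(der, s, e)]
    if fields[0][0] == 0xA0:                 # optional explicit [0] version comes first
        fields.pop(0)
    # Remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]


def printable(name_der):
    """Join the string attribute values found inside a Name, for readable messages."""
    out = []

    def walk(start, end):
        for tag, _, vs, ve in _children(name_der, start, end):
            if tag in (0x30, 0x31):          # SEQUENCE / SET: descend
                walk(vs, ve)
            elif tag in (0x0C, 0x13, 0x16):  # UTF8String / PrintableString / IA5String
                out.append(name_der[vs:ve].decode("latin-1"))
    _, s, e = _tlv(name_der, 0)
    walk(s, e)
    return "/".join(out)


def check_bundle_order(pem_text):
    """Return a list of problems; an empty list means every certificate is followed by its issuer."""
    chain = [names(der) for der in split_pem_bundle(pem_text)]
    if not chain:
        return ["no certificates found in bundle"]
    problems = []
    for i in range(len(chain) - 1):
        issuer, next_subject = chain[i][0], chain[i + 1][1]
        if issuer != next_subject:
            problems.append(f"cert {i} was issued by {printable(issuer)!r} "
                            f"but cert {i + 1} is {printable(next_subject)!r}")
    return problems


# Constructed test data: unsigned stand-ins that only reproduce the tbsCertificate field layout.
def _der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_fake_cert(subject, issuer):
    """Build a certificate-shaped DER blob with a single CN per Name (no real key or signature)."""
    def name(cn):                            # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        atv = _der(0x30, _der(0x06, bytes([0x55, 0x04, 0x03])) + _der(0x13, cn.encode()))
        return _der(0x30, _der(0x31, atv))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")   # [0] version v3, serialNumber
           + _der(0x30, b"") + name(issuer)                         # signature alg (placeholder), issuer
           + _der(0x30, b"") + name(subject) + _der(0x30, b""))     # validity, subject, SPKI placeholders
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sample_bundles():
    """Return (correctly ordered, wrongly ordered) constructed bundles mirroring the post's chain."""
    leaf = make_fake_cert("*.yourdomain.com", "Go Daddy Secure Certification Authority")
    inter = make_fake_cert("Go Daddy Secure Certification Authority", "Go Daddy Class 2 Certification Authority")
    root = make_fake_cert("Go Daddy Class 2 Certification Authority", "Go Daddy Class 2 Certification Authority")
    return to_pem(leaf) + to_pem(inter) + to_pem(root), to_pem(inter) + to_pem(leaf) + to_pem(root)


if __name__ == "__main__":
    good, bad = sample_bundles()
    print("good bundle:", check_bundle_order(good) or "OK")
    print("bad bundle:", check_bundle_order(bad))
```

The comparison is done on the raw DER bytes of each Name, which is how a correctly issued chain links up in practice; a mismatch reported by the script usually means the files were concatenated in the wrong order or the intermediate is missing altogether.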
kill -HUP <pid of nginx>
You should be ready to go! If you want to inspect the entire chain of trust, download the Godaddy root certificate (gd-class2-root.crt) and use the openssl command-line utility:
openssl s_client -CAfile gd-class2-root.crt -connect www.yourdomain.com:443 -verify 10
This pulls the certificate chain from the yourdomain.com server and attempts to verify it up to whatever root you’ve specified (-CAfile gd-class2-root.crt):
verify depth is 10
CONNECTED(00000003)
depth=2 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify return:1
depth=1 /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07992287
verify return:1
depth=0 /O=*.yourdomain.com/OU=Domain Control Validated/CN=*.yourdomain.com
verify return:1
---
Certificate chain
 0 s:/O=*.yourdomain.com/OU=Domain Control Validated/CN=*.yourdomain.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07992287
 1 s:/O=*.yourdomain.com/OU=Domain Control Validated/CN=*.yourdomain.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07992287
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07992287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
<Continued Output>
The “verify return:1” line at each depth (2, 1 and 0) shows that the certificate obtained from the site was verified at every step, all the way up to the root certificate you supplied with -CAfile.