Using Godaddy SSL Certificates with NGINX

Have you just installed your new Godaddy certificate into your NGINX web server, and are you finding that some browsers (notably Safari) don’t trust your website when using your Godaddy SSL Certificate?

This shows up as the error message “Safari can’t identify the identity of the website ‘your.url.here’” and is caused by an incomplete “chain of trust” between your certificate and the root certificates installed in the browser.

Here’s a quick cure for an NGINX installation:

Download the gd_bundle.crt and gd_intermediate.crt certificates from Godaddy’s certificate repository, then combine them:

cat yourcert.crt gd_intermediate.crt gd_bundle.crt > yourcert_bundle.crt

This concatenates your certificate and the Godaddy intermediate certificates into one file, with your own certificate first. Put yourcert_bundle.crt where NGINX looks for your certificate (the path specified in nginx.conf). Reload your NGINX configuration with:

kill -HUP <pid of nginx>

You should be ready to go! If you want more information on the entire chain of trust, you can download the Godaddy root certificate (gd-class2-root.crt) and use the OpenSSL command-line utility:

openssl s_client -CAfile gd-class2-root.crt -connect www.yourdomain.com:443 -verify 10

This pulls the certificate from the www.yourdomain.com server and attempts to verify the chain of trust up to the root you’ve specified (-CAfile gd-class2-root.crt):

verify depth is 10
CONNECTED(00000003)
depth=2 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify return:1
depth=1 /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07992287
verify return:1
depth=0 /O=*.yourdomain.com/OU=Domain Control Validated/CN=*.yourdomain.com
verify return:1
---
Certificate chain
 0 s:/O=*.yourdomain.com/OU=Domain Control Validated/CN=*.yourdomain.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07992287
 1 s:/O=*.yourdomain.com/OU=Domain Control Validated/CN=*.yourdomain.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07992287
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07992287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
<Continued Output>

This shows that the certificate obtained from the site was verified all the way to a root certificate (specified by -CAfile).
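As an added example (not part of the original post): plain cat fuses an END marker with the next BEGIN marker whenever one of the input files lacks a trailing newline, which leaves a malformed PEM bundle. The sketch below builds the bundle with a newline guaranteed after every file and then checks the result; the function names build_bundle and check_bundle are hypothetical, and the file names in the usage comment are the ones used in this article.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Usage with the article's file names:
#   build_bundle yourcert_bundle.crt yourcert.crt gd_intermediate.crt gd_bundle.crt
#   check_bundle yourcert_bundle.crt

# build_bundle OUT CERT...
# Concatenate PEM files in the order given (server certificate first).
build_bundle() {
    out=$1; shift
    : > "$out" || return 1
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        # awk ends every printed line with a newline, even when the last
        # line of the input has none; sub() drops a trailing Windows CR.
        awk '{ sub(/\r$/, ""); print }' "$f" >> "$out" || return 1
    done
}

# check_bundle FILE
# Print the number of certificates found. Return non-zero when a marker
# is not alone on its line (fused markers, stray CR) or a block is
# left unterminated.
check_bundle() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (inside) bad = 1; inside = 1; n++; next }
        /^-----END CERTIFICATE-----$/   { if (!inside) bad = 1; inside = 0; next }
        /-----(BEGIN|END) CERTIFICATE-----/ { bad = 1 }  # marker mixed with other text
        END { print n + 0; exit (bad || inside) }
    ' "$1"
}
```

Run check_bundle before reloading NGINX; the count it prints should match the number of certificates you expect in the chain.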

One thought on “Using Godaddy SSL Certificates with NGINX”

  1. Brilliant. Just what I needed. Although catting the files together gave me this halfway through:

    -----END CERTIFICATE----------BEGIN CERTIFICATE-----

    Which just needed a line break halfway through to set right.
