Complete SSL Chain Verification With GoDaddy SSL Certificate And Nginx

Feb 19, 2014, Ryan Burnette

If you are using an Nginx web server and want to install an SSL certificate signed by GoDaddy, their instructions may leave an important step out. The SSL certificate they provide you with lacks the complete chain of authenticity. Some browsers may appear to function properly, but without the complete chain you won't actually have a correctly installed certificate. Here's a tool I like to use for testing SSL certificates.

You'll need to generate a certificate signing request on your server in order to request the certificate from GoDaddy. It's critical that you keep the answers to the questions you are prompted with consistent between the CSR and your SSL certificate information with your registrar. For common name, use the domain name you plan to secure.

sudo openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

You may be required to submit a CSR to GoDaddy in order to receive your key. This should only apply in cases where you are re-keying, or moving from one server to another.

Once you download your certificate from GoDaddy you'll have two files: the certificate and a bundle. For me, the bundle has never functioned properly. Here's how to build the bundle yourself.

Start by downloading gd_bundle.crt and gd_intermediate.crt from GoDaddy's certificate repository.

Next, combine your certificate with these two certificates. This can be done by creating a new file and pasting the certificates in, or from the command line like so.

cat godaddy_cert.crt gd_bundle.crt gd_intermediate.crt > yourdomain.crt

You may want to set ownership and permissions to match your other certificates after creating it.

From there, make sure you have SSL configured properly in Nginx. Here's a snippet I work from; you may need to tweak it to match your configuration.

listen 443 ssl;
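ssl_certificate /etc/nginx/ssl/yourdomain.crt; # This is the bundle we created
ssl_certificate_key /etc/nginx/ssl/yourdomain.key; # This is the private key written by -keyout when the CSR was generated, not the CSR itself
ssl_session_timeout 5m;
ssl_protocols TLSv1.2 TLSv1.3; # SSLv3 and TLSv1 are deprecated; TLSv1.3 needs Nginx 1.13.0+ built against OpenSSL 1.1.1+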
ssl_prefer_server_ciphers on;
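
Before reloading Nginx, the hand-built bundle and the key can be checked against each other. The following shell function is an added example, not part of the original post: it confirms that the private key belongs to the first certificate in the bundle and that the certificate which issued it is included. The name check_bundle and the file names are assumptions, and it requires the openssl command.

```shell
#!/bin/sh
# Added example, not from the original post.
# check_bundle BUNDLE KEY returns 0 when KEY belongs to the first certificate
# in BUNDLE and the certificate that issued it is also in BUNDLE.
check_bundle() {
    bundle=$1; key=$2; rc=0
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle") || n=0
    if [ "$n" -eq 0 ]; then
        echo "no certificates found in $bundle" >&2
        return 1
    fi
    tmp=$(mktemp -d) || return 2

    # Split the bundle into cert.1, cert.2, ... in file order.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { i++; p = 1 }
        p { print > (d "/cert." i) }
        /-----END CERTIFICATE-----/   { p = 0 }' "$bundle"

    # Nginx expects the server certificate first; its public key must equal
    # the one derived from the private key named in ssl_certificate_key.
    cert_pub=$(openssl x509 -in "$tmp/cert.1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match the first certificate" >&2
        rc=1
    fi

    # Look for the issuer of the server certificate among the remaining
    # certificates. This compares name hashes only, not signatures.
    issuer=$(openssl x509 -in "$tmp/cert.1" -noout -issuer_hash)
    found=0; i=2
    while [ "$i" -le "$n" ]; do
        subject=$(openssl x509 -in "$tmp/cert.$i" -noout -subject_hash)
        if [ "$subject" = "$issuer" ]; then found=1; fi
        i=$((i + 1))
    done
    if [ "$found" -eq 0 ]; then
        echo "issuer of the server certificate is missing from the bundle" >&2
        rc=1
    fi

    rm -rf "$tmp"
    return "$rc"
}

# Stand-alone use: sh check_bundle.sh yourdomain.crt yourdomain.key
if [ "$#" -eq 2 ]; then check_bundle "$1" "$2"; fi
```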