Installing SSL (GoDaddy) on NGINX
A complete step-by-step SSL installation guide, aimed at an A+ score for the certificate installation on the server.
In the Mac terminal:
cmd 1: cd ~/.ssh
cmd 2: ls
cmd 3: mkdir -p yourdomain.com
cmd 4: cd yourdomain.com
Step 1:
Create a server key (the -des3 option protects it with a passphrase, which Step 2 removes again):
openssl genrsa -des3 -out yourdomain.com.key 2048
Step 2: Run the command below to strip the passphrase from the key, so that NGINX can load it at startup without prompting.
openssl rsa -in yourdomain.com.key -out yourdomain.com.key
Step 3: Finally, create the CSR by running: openssl req -nodes -new -key yourdomain.com.key -out yourdomain.com.csr
The command then prompts for the subject fields:
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank.
For some fields there will be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:Organisation name
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:yourdomain.com
PS: For wildcard SSL certificates, use the wildcard as the Common Name:
Common Name (eg, fully qualified host name) []: *.yourdomain.com
Email Address []: mail address
Step 4: To view the CSR, open it with vim yourdomain.com.csr
Then copy and paste the whole block, including the BEGIN and END lines,
-----BEGIN NEW CERTIFICATE REQUEST-----
…
-----END NEW CERTIFICATE REQUEST-----
into GoDaddy's online form; without the BEGIN and END lines the form rejects the request with an error.
Download the SSL certificates from https://certs.godaddy.com/cert . For NGINX, choose Apache from the server-type dropdown list.
After downloading, extract the zip file; you will find two files.
Rename the files as follows:
a) <random name>.crt => yourdomain.com.crt
b) gd_bundle-g2-g1.crt => intermediate.crt
Now we need to create the chained certificate: the server certificate first, then the intermediate bundle. Use a single > so that re-running the command does not append a duplicate chain:
cat yourdomain.com.crt intermediate.crt > yourdomain.com.chained.crt
=======================================
Now we need to configure our site file,
/etc/nginx/sites-available/yourdomain.com.conf
A sample reference from the NGINX official documentation is attached.
OCSP stapling:
- Download the intermediate certificate from your certificate authority (here, GoDaddy): https://certs.godaddy.com/repository
- Run the command below in the terminal (the chained file is the one created above, so the name must match):
cat yourdomain.com.chained.crt gd_intermediate.crt > ocsp-chain.crt
Test OCSP stapling with the command below:
echo QUIT | openssl s_client -connect yourdomain.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
For OCSP debugging: https://serverfault.com/questions/630975/ocsp-validation-unable-to-get-local-issuer-certificate
Ref: from a dear Medium friend.
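Since the attached NGINX sample is not reproduced here, the following is an added example (not from the original post or the NGINX documentation) of a yourdomain.com.conf that ties together the chained certificate, the passphrase-free key and the OCSP stapling files built above. The /etc/nginx/ssl/yourdomain.com/ directory, the /var/www/yourdomain.com web root and the public resolvers are assumptions.

```nginx
# Added example: /etc/nginx/sites-available/yourdomain.com.conf
# Assumes the key and certificates from the steps above were copied to
# /etc/nginx/ssl/yourdomain.com/ and the site lives in /var/www/yourdomain.com.

server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;   # plain HTTP only redirects to HTTPS
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name yourdomain.com www.yourdomain.com;

    # Server certificate followed by GoDaddy's intermediate bundle (the chained file)
    ssl_certificate     /etc/nginx/ssl/yourdomain.com/yourdomain.com.chained.crt;
    # Passphrase-free key from Step 2; keep it mode 0600 and owned by root
    ssl_certificate_key /etc/nginx/ssl/yourdomain.com/yourdomain.com.key;

    # TLS 1.2+ only; SSL Labs lowers the grade when TLS 1.0/1.1 are still offered
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;   # TLS 1.2 clients choose from the AEAD-only list below
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling: NGINX fetches the OCSP response itself and staples it to the
    # handshake. ssl_trusted_certificate must contain the issuer chain so the
    # response can be verified; that is the ocsp-chain.crt built in the step above.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/yourdomain.com/ocsp-chain.crt;
    resolver 1.1.1.1 8.8.8.8 valid=300s;   # assumption: these resolvers are reachable
    resolver_timeout 5s;

    # HSTS with a long max-age is what lifts an A to A+ on SSL Labs;
    # use a short max-age while testing, since browsers cache it
    add_header Strict-Transport-Security "max-age=63072000" always;

    root  /var/www/yourdomain.com;
    index index.html;
}
```

Enable the site with a symlink into /etc/nginx/sites-enabled/, run nginx -t, and reload NGINX; the openssl s_client test above should then print an OCSP response block.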
Recommended SSL Checkers:
a. https://ssltools.godaddy.com/views/certChecker
b. http://ssllabs.com/ssltest/analyze.html
Happy Exploration.