3

I had a certificate expire today and needed to get one reissued from GoDaddy. In the past, I've had no trouble using the pem encodings they generate with the ELB SSL interface. However, when I try to include the SHA-2 bundle (the pem encoded list of certificates in the cert chain) in the certificate chain text area, I get a "Invalid Public Key Certificate" error. If I don't include the certificate chain, I'm able to configure the certificate (however it doesn't validate on iOS and Android).

When I did this a year ago I had no trouble. Also, I should note that this bundle file works just fine with two Apache servers that are not behind load balancers.

Chris Thompson
  • 165
  • 1
  • 7
  • 1
    What is "the SHA-2 bundle"? – Michael Hampton Jan 15 '14 at 03:53
  • Does the bundle file which you're trying to add in include your certificate as well? When I've installed SSL certificates on Stunnel, I've had to bundle the private key, certificate and chain certificate into the one .PEM file for it to work, but Amazon requires them to be separately added. – jaseeey Jan 15 '14 at 03:59
  • @JasonIlicic as far as I can tell, none of the certificates in the cert chain bundle file are the same as the signed cert GoDaddy issued. – Chris Thompson Jan 15 '14 at 04:03
  • @MichaelHampton Does my edit help clarify things? – Chris Thompson Jan 15 '14 at 04:04
  • 1
    Are you able to try and invert the order of the certificates in the CA bundle file? So put the bottom one on the top, and vice versa. Just reading around and came across this: http://stackoverflow.com/questions/14263355/certificate-keys-conversion – jaseeey Jan 15 '14 at 04:07
  • @JasonIlicic yeah I found that as well. Still no luck... – Chris Thompson Jan 15 '14 at 04:15

2 Answers

4

Use gd_bundle-g2.crt instead.

Thank you to my friends over at trusted advisor.

Quick Review

  1. Ensure the private key is in RSA (PEM) format without a password.

    # removes any passphrase and writes the key alone as PEM (no text dump)
    openssl rsa -in private.key -out private.pem

  2. Your .crt file from GoDaddy is probably already in PEM format.

    # re-encodes just the certificate as PEM, dropping anything else in the file
    openssl x509 -inform PEM -in blahblah.crt -out public.pem

  3. Download gd_bundle-g2.crt from https://certs.godaddy.com/anonymous/repository.pki

Field mappings (Dear amazon, this form is terrible.)

  • Private Key -> private.pem
  • Public Key Certificate -> public.pem
  • Certificate Chain -> gd_bundle-g2.crt

If your form looks like this, these instructions probably still apply. https://i.stack.imgur.com/yB918.png

danvine
  • 56
  • 1
0

Supporting evidence ... I too am having this problem with a GoDaddy SHA-2 intermediate certificate (gd_bundle-g2-g1.crt).

It fails on the AWS console, from "aws cli" and using "openssl verify":

gd_bundle-g2-g1.crt: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=https://certs.godaddy.com/repository//CN=Go Daddy Root Certificate Authority - G2 error 20 at 0 depth lookup:unable to get local issuer certificate

I have tried inverting the order and other things mentioned here and other places and thus far no luck.
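Both answers come down to checking what is actually in the three files before the ELB form sees them: the field mapping and the `openssl rsa` / `openssl x509` steps in the first answer, and the `openssl verify` run in the second. The script below is an added example, not code from the question or from either answer. It builds a throwaway root -> intermediate -> server PKI so it runs offline, then applies the same checks to those files that you would run on a real key, certificate and gd_bundle file: key unencrypted and matching the certificate, bundle free of the server certificate itself, bundle ordered issuer-first with each entry signing the one before it, and a full `openssl verify` of the path. The names `check_chain`, `split_bundle`, `make_test_pki` and the "Example Test" certificates are this example's own constructions.

```shell
#!/bin/sh
# Added example, not code from the question or either answer. Everything it
# generates (the "Example Test" root/intermediate/server certificates) is a
# constructed fixture so the checks can run without any real GoDaddy files.
set -u

# Write each certificate of a PEM bundle to $2/cert-1.pem, $2/cert-2.pem, ...
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$1"
}

# dn_of -subject|-issuer FILE: the DN with the "subject=" / "issuer=" prefix stripped
dn_of() {
    openssl x509 -in "$2" -noout "$1" | sed 's/^[a-z]*= *//'
}

# check_chain KEY CERT BUNDLE [TRUST_ANCHOR]
# Succeeds only when KEY is unencrypted and matches CERT, BUNDLE does not
# contain CERT itself, BUNDLE lists CERT's issuer first with each entry signed
# by the next, and openssl verify accepts the whole path. Without a
# TRUST_ANCHOR the system trust store is used, as for a real public CA chain.
check_chain() {
    key=$1; cert=$2; bundle=$3; anchor=${4:-}
    work=$(mktemp -d) || return 1

    if grep -q 'ENCRYPTED' "$key"; then
        echo "FAIL: private key is password protected"; rm -rf "$work"; return 1
    fi
    grep -q 'BEGIN RSA PRIVATE KEY' "$key" ||
        echo "note: key is not in traditional 'RSA PRIVATE KEY' PEM form; openssl rsa can convert it"
    # The public key derived from the private key must equal the one in the certificate.
    if [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" != "$(openssl x509 -in "$cert" -noout -pubkey)" ]; then
        echo "FAIL: private key does not match the certificate"; rm -rf "$work"; return 1
    fi

    split_bundle "$bundle" "$work"
    leaf_fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
    expect=$(dn_of -issuer "$cert")          # who must appear next in the bundle
    i=1
    while [ -f "$work/cert-$i.pem" ]; do
        entry="$work/cert-$i.pem"
        if [ "$(openssl x509 -in "$entry" -noout -fingerprint -sha256)" = "$leaf_fp" ]; then
            echo "FAIL: bundle entry $i is the server certificate itself"; rm -rf "$work"; return 1
        fi
        subject=$(dn_of -subject "$entry")
        if [ "$subject" != "$expect" ]; then
            echo "FAIL: bundle entry $i is '$subject' but the preceding certificate was issued by '$expect'"
            rm -rf "$work"; return 1
        fi
        expect=$(dn_of -issuer "$entry")
        i=$((i + 1))
    done

    # Full path validation: the bundle is only untrusted input, never the anchor.
    if [ -n "$anchor" ]; then
        openssl verify -CAfile "$anchor" -untrusted "$bundle" "$cert" >/dev/null 2>&1
    else
        openssl verify -untrusted "$bundle" "$cert" >/dev/null 2>&1
    fi
    rc=$?
    [ "$rc" -eq 0 ] || echo "FAIL: openssl verify rejected the chain"
    rm -rf "$work"
    return "$rc"
}

# Constructed PKI for the demonstration: root -> intermediate -> www.example.test
make_test_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj '/CN=Example Test Root' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Test Intermediate' \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -days 7 -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -days 7 -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/server.pem" 2>/dev/null
    cat "$d/inter.pem" "$d/root.pem" > "$d/bundle.pem"      # correct order: issuer of the leaf first
    cat "$d/root.pem" "$d/inter.pem" > "$d/reversed.pem"    # the "invert the bundle" experiment
}

demo=$(mktemp -d)
make_test_pki "$demo"
check_chain "$demo/server.key" "$demo/server.pem" "$demo/bundle.pem" "$demo/root.pem" && echo "bundle.pem: OK"
check_chain "$demo/server.key" "$demo/server.pem" "$demo/reversed.pem" "$demo/root.pem" || echo "reversed.pem: rejected"
rm -rf "$demo"
```

Against your own files, call it as `check_chain private.pem public.pem gd_bundle-g2.crt`; with no fourth argument, `openssl verify` falls back to the system trust store, which is where a public root such as GoDaddy's would normally be found. The ordering test is what the "invert the bundle" suggestion in the comments probes: starting from the server certificate, every bundle entry must be the issuer of the one before it, and a bundle that also contains the server certificate is flagged separately.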