I was trying to follow GoDaddy's instructions on how to add SSL certification for an nginx server on CentOS. On the last step (10) I was getting a "key mismatch" error.

With some research I found that by signing the .crt with my key, that error went away.

i.e. I ran:

    sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

replacing each instance of server with my domain name.

This eliminated the error and allowed me to proceed.

However, when I try to access my website I now get a not secure connection error.

What did I do wrong and how can I properly enable SSL certification?

Makogan
    *"What did I do wrong"* - in your attempt to fix the problem you've created a self-signed certificate, i.e. a certificate not trusted by the browser. Because of this the browser complains. It is hard to say what exactly you did wrong before that - likely you made a mistake while trying to follow the instructions. You might for example have used the wrong key, put the certificates in the wrong order or used the wrong certificates - impossible to tell based on your information. – Steffen Ullrich Nov 03 '18 at 20:20

2 Answers

In some circumstances, a self-signed cert may be OK, but understand that doing so will render some sort of warning in just about any browser (and should rightly so).

With a self-signed cert, the browser is asked to establish a secure connection with a server which is presenting a "fictitious" certificate which the browser has no way to verify since the entity signing the certificate isn't known by the browser (the browser has an internal "catalog" of legitimate entities it will accept as valid Certificate Authorities). You can sometimes import your fictitious signing entity into the browser to get rid of the warnings, but with Let's Encrypt it's really better to forego the hackery and just get a cert issued by a CA which is known legit by Microsoft, Google and Mozilla.

If you already have a legitimate CSR and cert, issued/signed by a legitimate CA, then maybe check out the Nginx guide for installing a Let's Encrypt cert.

Server Fault

Depends on what you are trying to do.

Are you trying to make a self-signed certificate?

OR

Are you going to buy an SSL certificate from GoDaddy?

In case you are going to get a certificate from GoDaddy:

  1. Generate the CSR file along with the private SSL key:

    openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

  2. Follow the instructions from: https://ca.godaddy.com/help/nginx-on-centos-7-install-a-certificate-27192

In case of a self-signed certificate:

  1. Generate CA ROOT key SSL

    openssl genrsa -out rootca.key 2048

  2. Generate CA ROOT PUBLIC SSL

    openssl req -x509 -new -nodes -key rootca.key -sha256 -days 1024 -out rootca.pem

  3. Generate Domain private SSL:

    openssl genrsa -out mydomain.key 2048

  4. Generate Domain CSR SSL

    openssl req -new -key mydomain.key -out mydomain.csr

  5. Generate public SSL key for the domain using the ROOT CA SSLs (that is what is usually done by the SSL provider)

    openssl x509 -req -in mydomain.csr -CA rootca.pem -CAkey rootca.key -CAcreateserial -out mydomain.pem -days 1024 -sha256

where,

mydomain.key - your private SSL, that you will use in your nginx config: ssl_certificate_key

mydomain.pem - your public SSL, that you will use in your nginx config: ssl_certificate

rootca.pem - CA SSL, that you will need to install in your browser (e.g. Firefox)

Dmitriy Kupch
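A quick check for the two conditions discussed in this thread (a certificate that does not belong to the private key, and a certificate whose issuer is itself), as an added example that is not part of any of the posts above. The function names are hypothetical, and it assumes PEM files and an unencrypted private key such as the ones produced with `-nodes`.

```shell
#!/bin/sh
# Added example: check a certificate/key pair before pointing nginx at it.
# Usage: sh check_pair.sh domain.crt domain.key

# Hash a PEM public key read from stdin; prints only the hex digest.
hash_pem() { openssl dgst -sha256 -r | cut -d' ' -f1; }

# Digest of the public key embedded in a certificate.
cert_pubkey_hash() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1          # refuse to hash empty output
    printf '%s\n' "$pub" | hash_pem
}

# Digest of the public key derived from a private key.
key_pubkey_hash() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | hash_pem
}

# Exit 0 only when the certificate carries this key's public half.
# Exit 2 when either file cannot be parsed.
cert_matches_key() {
    c=$(cert_pubkey_hash "$1") && k=$(key_pubkey_hash "$2") || return 2
    [ "$c" = "$k" ]
}

# Exit 0 when issuer and subject names are identical, which is what
# "openssl x509 -req ... -signkey" produces.
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 2
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
    [ "$s" = "$i" ]
}

# Print a verdict; returns 0 = usable, 1 = key mismatch, 3 = self-signed.
diagnose() {
    if ! cert_matches_key "$1" "$2"; then
        echo "MISMATCH: $1 was not issued for $2"; return 1
    fi
    if cert_is_self_signed "$1"; then
        echo "SELF-SIGNED: key matches, but browsers will not trust $1"; return 3
    fi
    echo "OK: key matches and $1 names a separate issuer"
}

if [ "$#" -eq 2 ]; then diagnose "$1" "$2"; fi
```

A mismatch result means the CSR that was submitted to the CA was generated from a different key file than the one referenced by `ssl_certificate_key`.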