GoDaddy SSL Certificate with Nginx

Installing an SSL certificate from Go Daddy is a bit different than with other providers. With Go Daddy you must install an intermediate (chain) certificate in addition to your own certificate. Nginx does not have a separate option for chain certificates the way Apache does, so to accomplish this we look to the Nginx documentation:

"If intermediate certificates should be specified in addition to a primary certificate, they should be specified in the same file in the following order: the primary certificate comes first, then the intermediate certificates." (Nginx documentation, module ngx_http_ssl_module)

What that means in practice: download the certificate issued for your site from Go Daddy (the file referred to as godaddy-ca.crt below). Next, download the gd_bundle.crt from https://certs.godaddy.com/anonymous/repository.seam.

After you have downloaded the gd_bundle.crt file, copy it to the same directory on your Nginx server as your certificate and run something similar to:

cat godaddy-ca.crt > godaddy-chain.crt && cat gd_bundle.crt >> godaddy-chain.crt

Now just add this new chain file to your nginx.conf as usual:

ssl_certificate godaddy-chain.crt;

Creating Self-signed SSL Certificates for Dovecot & Postfix

Self-signed SSL certificates are the easiest way to get your SSL server working. However, unless you take some action to prevent it, this comes at the cost of security:

  • The first time the client connects to the server, it sees the certificate and asks the user whether to trust it. The user of course doesn’t really bother verifying the certificate’s fingerprint, so a man-in-the-middle attack can easily bypass all the SSL security, steal the user’s password and so on.
  • If the client was lucky enough not to get attacked the first time it connected, the following connections will be secure as long as the client had permanently saved the certificate. Some clients do this, while others have to be manually configured to accept the certificate.

The only way to be fully secure is to import the SSL certificate into the client's (or operating system's) list of trusted CA certificates prior to the first connection. See SSL/CertificateClientImporting for how to do this with different clients.
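As an added example (not code from either post, nor from nginx or Dovecot), the Python below covers both the chain file built with cat in the Nginx post above and the fingerprint check this section says users skip: build_chain produces the leaf-first file that nginx documents, chain_problems flags the two common mistakes (bundle before leaf, and END/BEGIN markers fused when the leaf file lacks a trailing newline), and fingerprint prints a certificate's SHA-256 fingerprint so it can be compared with the server out of band before importing it as trusted. The function names are this example's own, and the sample "certificates" are constructed stand-ins with valid DER framing only, not real X.509 data.

```python
"""Added example (not part of the original post): a small PEM helper that
(1) builds the leaf-first chain file nginx expects and checks its order, and
(2) prints a certificate fingerprint for out-of-band verification of a
self-signed certificate before a client is told to trust it."""
import base64
import hashlib
import re

# One PEM certificate block; re.S lets the base64 body span lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem(text):
    """Return the DER bytes of every certificate block in `text`, in file order."""
    ders = []
    for body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        # Every X.509 certificate is a DER SEQUENCE, whose first byte is 0x30.
        if not der or der[0] != 0x30:
            raise ValueError("PEM block does not contain DER certificate data")
        ders.append(der)
    return ders


def to_pem(der):
    """Encode DER bytes as a PEM block with 64-column lines and a trailing newline."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def build_chain(leaf_pem, bundle_pem):
    """Same result as `cat leaf > chain && cat bundle >> chain`, except each
    block is re-emitted, so a leaf file without a trailing newline cannot fuse
    its END marker onto the bundle's first BEGIN marker."""
    ders = split_pem(leaf_pem) + split_pem(bundle_pem)
    return "".join(to_pem(der) for der in ders)


def chain_problems(chain_pem, leaf_pem):
    """Return a list of problems with a chain file; an empty list means the
    file is in the order nginx documents: the server certificate first, then
    the intermediates."""
    problems = []
    for n, line in enumerate(chain_pem.splitlines(), 1):
        if "END CERTIFICATE" in line and "BEGIN CERTIFICATE" in line:
            problems.append(f"line {n}: END and BEGIN markers fused (missing newline)")
    chain = split_pem(chain_pem)
    leaf = split_pem(leaf_pem)
    if len(leaf) != 1:
        problems.append("leaf file must contain exactly one certificate")
    elif not chain:
        problems.append("chain file contains no certificates")
    elif chain[0] != leaf[0]:
        problems.append("first certificate in chain is not the server certificate")
    if len(chain) < 2:
        problems.append("no intermediate certificates follow the server certificate")
    return problems


def fingerprint(pem, algo="sha256"):
    """Colon-separated hex digest of the first certificate's DER encoding, in
    the same form `openssl x509 -fingerprint` prints, for comparison over a
    channel an attacker does not control (phone, console, an existing TLS session)."""
    digest = hashlib.new(algo, split_pem(pem)[0]).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-ins for real certificates: a DER SEQUENCE tag followed by
# arbitrary bytes is enough to exercise the file handling above.
LEAF_PEM = to_pem(b"\x30\x0aleaf-stub!")
BUNDLE_PEM = to_pem(b"\x30\x0binter1-stub") + to_pem(b"\x30\x0binter2-stub")

if __name__ == "__main__":
    good = build_chain(LEAF_PEM, BUNDLE_PEM)
    print("correct order:", chain_problems(good, LEAF_PEM) or "OK")
    print("bundle first:", chain_problems(BUNDLE_PEM + LEAF_PEM, LEAF_PEM))
    print("no newline:", chain_problems(LEAF_PEM.rstrip("\n") + BUNDLE_PEM, LEAF_PEM))
    print("leaf fingerprint:", fingerprint(LEAF_PEM))
```

Run fingerprint on the server's actual certificate file (the chain file for nginx, the certificate mkcert.sh generates for Dovecot) and compare it with what the client displays on first connection; a mismatch means a different certificate is being presented. For nginx, remember that the chain file carries only certificates: the private key still belongs in ssl_certificate_key, never in the chain file.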

Building Dovecot's Self-Signed Certificates

Dovecot includes a script to build self-signed SSL certificates using OpenSSL. First you need to find the dovecot-openssl.cnf file.

  • Configuring the Certificate Config File

On Fedora, the easiest way to find it is the locate command:

locate dovecot-openssl.cnf

Mine was located at /etc/pki/dovecot/dovecot-openssl.cnf. Now that you have found the file, you need to add your server information to it, like this:

[ req ]
# 1024-bit RSA keys are no longer considered adequate; 2048 bits is the usual minimum today
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
C=US

# State or Province Name (full name)
ST=MN

# Locality Name (eg. city)
L=SaintPaul

# Organization (eg. company)
O=example.com

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
CN=*.example.com

# E-mail contact
emailAddress=postmaster@example.com

[ cert_type ]
nsCertType = server

  • Build the Certificates

/usr/libexec/dovecot/mkcert.sh

  • Modifying Dovecot

You will need to add the following to your /etc/dovecot.conf file:

ssl_listen = 993
ssl_disable = no
ssl_cert_file = /etc/postfix/smtpd.pem
ssl_key_file = /etc/postfix/smtpd.pem
auth_cache_size = 128

Then restart Dovecot:

/sbin/service dovecot restart