SSL – Certificate Chain with AWS ELB & GoDaddy Certs

amazon-web-services godaddy ssl

I'm trying to set up SSL on my AWS ELB, but I am thus far unable to figure out what goes into the "Certificate Chain" field. I receive the following error:

Unable to validate certificate chain. The certificate chain must start
with the immediate signing certificate, followed by any intermediaries
in order. The index within the chain of the invalid certificate is: -1

I have my private key & certificate in PEM format and uploaded. If I use these without the "optional" chain, it works untrusted. I have been poking around, trying to find an answer on what to put into the field, and this answer suggests downloading the gd_bundle-g2.crt – I have done this and converted it into PEM by running openssl x509 -inform PEM -in gd_bundle-g2.crt but the error remains. When I downloaded my certificate from GoDaddy, I was given a ZIP with my SSL certificate along with gdig2.crt and gd_bundle-g2-g1.crt. I have tried using these files in various combinations, and alone, but again, nothing.

What certificates go into the Certificate Chain, in what order, and in what format?

Best Answer

So the problem was several mistakes along the way for me. First, I took the -----BEGIN CERTIFICATE----- section from the PEM generated from my keytool keystore. Second, I was trying to convert the gd_bundle-g2-g1.crt file - it already contained exactly what I needed to use.

To start from the beginning - I used Digicert's Java Keytool to generate my commands to get my keystore and CSR using keytool. From there, I got a wildcard SSL certificate through GoDaddy and downloaded my certificate, which was in a ZIP file along with gdig.crt and gd_bundle-g2-g1.crt. After this, I followed the steps to get the private key from my keystore following this StackOverflow answer. However, the foo.pem file from this command required one more command, openssl rsa -in foo.pem -out foo.rsa, to get the final form accepted by the AWS panel.

Now to fill in the SSL form on AWS:

  • Private Key: The contents of the foo.rsa file from the previous step.
  • Public Key Certificate: The contents of the <your_cert>.crt file provided by GoDaddy
  • Certificate Chain: The contents of the gd_bundle-g2-g1.crt file provided by GoDaddy

This has given me a successful SSL certificate setup for my AWS ELB, with the proper certificate path, giving me a trusted certificate.
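
The ordering rule in the ELB error ("start with the immediate signing certificate, followed by any intermediaries in order") can be checked locally before uploading. The following is an added example, not part of the original answer or any AWS or GoDaddy tool: the function names are hypothetical, and it only compares issuer and subject names in the PEM files, it does not verify signatures or expiry.

```python
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)      # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)    # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                   # skip the optional [0] version field
        pos = end
    fields = []
    for _ in range(5):                # serial, signature alg, issuer, validity, subject
        _, _, end = read_tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def load_pem_certs(text):
    """Decode every PEM CERTIFICATE block in text to DER, in file order."""
    return [base64.b64decode(body) for body in PEM_RE.findall(text)]

def check_chain(cert_pem, chain_pem):
    """Check that chain_pem starts with the signer of cert_pem and continues upward."""
    certs, chain = load_pem_certs(cert_pem), load_pem_certs(chain_pem)
    if len(certs) != 1 or not chain:
        return False, "need exactly one certificate and at least one chain certificate"
    expected = issuer_subject(certs[0])[0]  # issuer of the server certificate
    for index, der in enumerate(chain):
        issuer, subject = issuer_subject(der)
        if subject != expected:
            return False, f"chain[{index}] did not issue the certificate before it"
        expected = issuer
    return True, f"{len(chain)} chain certificate(s) in signing order"

if __name__ == "__main__":  # usage: check_chain.py <your_cert>.crt gd_bundle-g2-g1.crt
    with open(sys.argv[1]) as cert_file, open(sys.argv[2]) as chain_file:
        print(check_chain(cert_file.read(), chain_file.read())[1])
```

A failure at chain[0] usually means the chain field holds the server certificate itself or the bundle in reverse order.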