GoDaddy SSL/TLS certs in the nginx reverse proxy for domain forwarding is configured incorrectly. See similar issue.
I've seen a number of posts skirting this topic, but none of them nailed it. I am a fairly competent and experienced in network & cloud services.
First, I will describe my issues, as an experience, in non technical terms - so that maybe this will help others. Then, I will dip into some technical findings that hopefully will help other GoDaddy users and GoDaddy support staff better identify the issue.
The background is of the issue is: 1) I have a GoDaddy domain: donationdesigns(dot)com, 2) I simply want this to be redirected to an etsy site. After this is configured, while using a web browser that enforces SSL (like Chrome) - An error is displayed that "Your connection is not private."
Here's the interesting part - works fine everywhere I tested, except Chrome on Windows 10.
GoDaddy has an SSL checker: https://ssltools.godaddy.com/views/certChecker. Even their own tool reports that SSL is configured incorrectly. Let the GoDaddy support staff know that theirs an SSL issue on the forwarding service & give them the link above.
At the time of this writing, GoDaddy uses IIS webserver & Etsy uses Apache
❯ date Wed Dec 16 15:26:44 EST 2020 ❯ curl -sIL -D - www.godaddy.com | grep server | uniq server: Microsoft-IIS/10.0 ❯ curl -sIL -D - www.etsy.com | grep server | uniq server: Apache ❯
When you request domain forwarding from GoDaddy, regardless of invocation (`Templates`, `Forwarding`,etc), they (seemingly) spin up a nginx reverse-proxy container on the `secureserver.net` domain (owned by GoDaddy.):
❯ date Wed Dec 16 15:31:36 EST 2020 ❯ curl -sIL -D - shortener.secureserver.net | grep server | uniq Location: https://shortener.secureserver.net/ server: nginx/1.16.1 ❯
The important thing to note here is - shortener.secureserver.net, is managed by GoDaddy, and runs nginx.
If you go to GoDaddy's ssltool site: https://ssltools.godaddy.com/views/certChecker, and put in your domain, you will see a bunch of metadata & headers. One of them being that the server will be nginx (ie - the shortner service.) Here is what mine looked like:
If you check the TLS certificate on the shortner service, you'll see its correct:
❯ date Wed Dec 16 15:42:55 EST 2020 ❯ echo | openssl s_client -connect shortener.secureserver.net:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS: DNS:shortener.secureserver.net, DNS:www.shortener.secureserver.net ❯
So whats the issue? The client (your web browser) is trying to validate SSL, and is looking for your domain (donationdesigns(dot)com in my case), but the provided SSL certs (from shortener.secureserver.net) do not have it, or append it to the cert. You can verify this going to sslshopper's test site: https://www.sslshopper.com/ssl-checker.html
In my case - worked fine on my MacOS & linux terminals, using a number of browsers, but not curl... It wasnt until a colleague on Windows & Chrome tested that we saw this issue.
I was on the phone w/ GoDaddy Support fsome time. I do not think the technician understood the data points I had provided & would not transfer to someone with a broader networking background. After 1 hour, the phone got disconnected.
Instead of re-calling, trying to explain all this again - figured I'd create this community post to help others and (selfishly) hope someone from GoDaddy sees it and resolves it.
Solved! Go to Solution.