First, I needed to convert the SSL key to the old format, using this command:
openssl rsa -in cert.key -out cert.rsa.key
(which is referenced at https://docs.platform.sh/user_guide/using/going-live.html#generate-csr)
Even though I added the cert with the cert and key, using:
platform domain:add --cert=/.../cert.crt --key=/.../cert.rsa.key -- DOMAIN.com
checking the site with
https://www.sslshopper.com/ssl-checker.html#hostname=https://DOMAIN.com/
showed me that the site was not fully SSL configured, saying some browsers wouldn't accept the cert without intermediates.
That brought me to
https://www.godaddy.com/help/installing-an-ssl-certificate-nginx-6722
which linked to
https://certs.godaddy.com/repository/
where I guessed I needed: gdroot-g2.crt, but got this from platform.sh:
400 [reason phrase] Bad Request [message] The server could not comply
with the request since it is either malformed or otherwise incorrect.
[detail] {"ssl.chain.0":"-----BEGIN CERTIFICATE----- is not a valid PEM
encoded CERTIFICATE"} [title] Bad Request
So then I figured I needed this PEM: gdig2.crt (pem)
So I downloaded that and ran:
platform domain:add --cert=/.../cert.crt --key=/.../cert.rsa.key --chain=/.../gdig2.crt -- DOMAIN.com
... that worked
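
The checks below are an added example, not part of the original notes or of the platform.sh tooling: they test the three files before running domain:add, so the intermediate is picked by comparing the leaf's issuer with the candidate's subject instead of by guessing between gdroot-g2.crt and gdig2.crt. The function names and the script name preflight.sh are hypothetical; only standard openssl subcommands are used.

```sh
#!/bin/sh
# Added example: pre-flight checks for the files passed to
# `platform domain:add --cert ... --key ... --chain ...`.

# is_pem_cert FILE: FILE has a PEM certificate header and parses as X.509.
is_pem_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        openssl x509 -in "$1" -noout 2>/dev/null
}

# key_matches_cert KEY CERT: the private key's public half equals the
# certificate's public key. `openssl pkey` reads both the traditional
# (BEGIN RSA PRIVATE KEY) and PKCS#8 (BEGIN PRIVATE KEY) encodings.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# issuer_matches CERT CHAIN: the chain certificate's subject name is the
# name in CERT's issuer field. A name comparison, not a signature check.
issuer_matches() {
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    s=$(openssl x509 -in "$2" -noout -subject_hash 2>/dev/null) || return 1
    [ -n "$i" ] && [ "$i" = "$s" ]
}

# preflight CERT KEY CHAIN: run every check, print each problem found,
# and return non-zero if any check failed.
preflight() {
    rc=0
    is_pem_cert "$1" || { echo "not a PEM certificate: $1"; rc=1; }
    is_pem_cert "$3" || { echo "not a PEM certificate: $3"; rc=1; }
    key_matches_cert "$2" "$1" || { echo "key does not match cert: $2"; rc=1; }
    issuer_matches "$1" "$3" || { echo "chain file did not issue cert: $3"; rc=1; }
    return "$rc"
}

# Stand-alone use: sh preflight.sh cert.crt cert.rsa.key gdig2.crt
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

On OpenSSL 3.x, openssl rsa writes PKCS#8 (BEGIN PRIVATE KEY) unless -traditional is given, so the conversion command above only yields the old BEGIN RSA PRIVATE KEY format on older releases or with that flag.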