Forum: NGINX Verisign Intermediate CA issues

James Ochs (Guest)
on 2009-01-23 23:13
(Received via mailing list)
Hi all,

We have a verisign ssl cert and I've configured nginx with the .crt
file containing our cert and the verisign intermediate cert (in that
order in the file)

In MacOS Safari, both on the desktop and the iPhone, I am getting
certificate errors (can't verify the identity).  Firefox on the same
platform says the certificate is ok, and IE in most cases says it is
ok.  I have had a couple of reports of IE7 complaining about the
validity of the certificate, but that has been sporadic.  I've also
checked it with curl (on Linux and MacOS) and it complains as follows:

curl https://www.greennote.com
curl: (60) Peer certificate cannot be authenticated with known CA
certificates

Does anyone have any ideas of why this would happen?

My nginx.conf has this for ssl:

    ssl                  on;
    ssl_certificate      /etc/nginx/www.crt;
    ssl_certificate_key  /etc/nginx/prod.key;

    ssl_session_timeout  10m;
    ssl_session_cache    shared:SSL:10m;

    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;

This problem was not happening on our hardware load balancers with the
same certificate, so I'm at a loss as to what to try next.

thanks,
james
Gabriel R. (Guest)
on 2009-01-23 23:46
(Received via mailing list)
Here's what I have:

    ssl                  on;
    ssl_certificate      /home/video/certs/video.freeproxies.org.crt;
    ssl_certificate_key  /home/video/certs/video.freeproxies.org.key;

    ssl_session_timeout  5m;

    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;

I haven't noticed any particular issues, but haven't tested in safari.
Would be interested to know if you get the same issue with mine (seems
my config is slightly different).

https://video.freeproxies.org/flvplayer.php is a good test url.
James Ochs (Guest)
on 2009-01-24 00:46
(Received via mailing list)
yep, I get the same error in safari on mac os and on the iphone with
the link you gave below.  firefox is happy.

If I add the intermediate certs to my keychain it stops complaining,
but that's not really a good solution for end users.

Thanks,
james
Igor S. (Guest)
on 2009-01-24 17:19
(Received via mailing list)
On Fri, Jan 23, 2009 at 01:36:33PM -0800, Gabriel R. wrote:

>                     ssl_protocols  SSLv2 SSLv3 TLSv1;
>                     ssl_ciphers
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
>                     ssl_prefer_server_ciphers   on;
>
> I haven't noticed any particular issues, but haven't tested in safari.
> Would be interested to know if you get the same issue with mine (seems
> my config is slightly different).
>
> https://video.freeproxies.org/flvplayer.php is a good test url.

The site sends the video.freeproxies.org certificate only, without the GoDaddy
intermediate certificates. Firefox 3.1 on MacOSX run with a fresh profile
does not accept the site. Firefox with a daily used profile usually accepts
the site, as the GoDaddy intermediate certificate may already be in the
Firefox profile.

You need to go on
https://certs.godaddy.com/Repository.go

and download the GoDaddy intermediate certificate chain:
https://certs.godaddy.com/repository/gd_bundle.crt

Then you need to

cat video.freeproxies.org.crt gd_bundle.crt > video.freeproxies.org.bundle.crt

and use the new bundle

       ssl_certificate  /home/video/certs/video.freeproxies.org.bundle.crt;
Igor S. (Guest)
on 2009-01-24 17:25
(Received via mailing list)
On Fri, Jan 23, 2009 at 01:02:45PM -0800, James Ochs wrote:

> Hi all,
>
> We have a verisign ssl cert and I've configured nginx with the .crt
> file containing our cert and the verisign intermediate cert (in that
> order in the file)

It seems that you got the wrong Verisign intermediate cert:

 0 s:/C=US/ST=California/L=Redwood City/O=GreenNote, Inc/OU=IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=www.greennote.com
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

www.greennote.com is issued by

   /O=VeriSign Trust Network/OU=VeriSign, Inc.
   /OU=VeriSign International Server CA - Class 3
   /OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

but the second certificate is

   /C=US
   /O=VeriSign, Inc.
   /OU=VeriSign Trust Network
   /OU=Terms of use at https://www.verisign.com/rpa (c)05
   /CN=VeriSign Class 3 Secure Server CA
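Igor's two diagnoses in this thread (an intermediate missing from the bundle, and an intermediate that is not the leaf's actual issuer) come down to one check: every certificate in the file handed to ssl_certificate must be issued by the certificate that follows it. The script below is an added example, not code from this thread or from nginx; it uses only the Python standard library, walks the DER of each PEM certificate and compares the raw issuer Name with the next certificate's subject Name, so it would report the GreenNote bundle above (leaf issued by "VeriSign International Server CA - Class 3", second cert "VeriSign Class 3 Secure Server CA"). The file path in the usage comment is assumed.

```python
import base64
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def der_children(buf, pos, end):
    """Yield (tag, value_start, value_end) for each element between pos and end."""
    while pos < end:
        yield (tlv := der_tlv(buf, pos))
        pos = tlv[2]

def names_of(cert_der):
    """Return (issuer, subject) as raw DER Name contents (RFC 5280 field order)."""
    _, tbs_pos, _ = der_tlv(cert_der, 0)                # Certificate SEQUENCE
    _, pos, end = der_tlv(cert_der, tbs_pos)            # tbsCertificate SEQUENCE
    fields = list(der_children(cert_der, pos, end))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields.pop(0)
    iss, sub = fields[2], fields[4]     # serial, sigAlg, issuer, validity, subject
    return cert_der[iss[1]:iss[2]], cert_der[sub[1]:sub[2]]

def common_name(name_der):            # best-effort CN: the value after the commonName OID
    i = name_der.find(b"\x06\x03\x55\x04\x03")
    return "<no CN>" if i < 0 else name_der[slice(*der_tlv(name_der, i + 5)[1:])].decode("utf-8", "replace")

def check_chain(pem_bytes):
    """None if every certificate is issued by the one after it, else a message naming
    the first mismatch. Names are compared byte for byte (binary comparison, as RFC 5280 permits)."""
    certs = [names_of(base64.b64decode(b"".join(m.group(1).split())))
             for m in PEM_RE.finditer(pem_bytes)]
    for i in range(len(certs) - 1):
        issuer, next_subject = certs[i][0], certs[i + 1][1]
        if issuer != next_subject:
            return "cert %d (%s) is issued by %r, but cert %d is %r" % (
                i, common_name(certs[i][1]), common_name(issuer),
                i + 1, common_name(next_subject))
    return None

if __name__ == "__main__":            # usage: python check_chain.py /etc/nginx/www.crt (assumed path)
    print(check_chain(open(sys.argv[1], "rb").read()) or "chain OK")
```

Run it against the bundle before reloading nginx; a clean result only means the file chains to its last certificate, so that last certificate must still be one the client already trusts.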
Gabriel R. (Guest)
on 2009-01-24 20:17
(Received via mailing list)
Thanks for the heads up :)
James Ochs (Guest)
on 2009-01-24 20:43
(Received via mailing list)
crap.  yeah that was it ;)

Thanks!

James