I'm running nginx/1.3.8 on linux/64. I'm installing a commercial cert in nginx (Comodo Essential SSL).

When I build the SSL chain in order per instructions from Comodo (Root -> Intermediate(s), https://comodosslstore.com/blog/how-do-i-make-my-o...) I do

    cat AddTrustExternalCARoot.crt > my.domain.com.CHAIN.crt
    cat UTNAddTrustSGCCA.crt >> my.domain.com.CHAIN.crt
    cat ComodoUTNSGCCA.crt >> my.domain.com.CHAIN.crt
    cat EssentialSSLCA_2.crt >> my.domain.com.CHAIN.crt
    cat STAR_domain.com.crt >> my.domain.com.CHAIN.crt

If I use this CHAIN'd cert in my nginx conf,

    ssl on;
    ssl_verify_client off;
    ssl_certificate "/path/to/my.domain.com.CHAIN.crt";
    ssl_certificate_key "/path/to/my.domain.com.key";

and start nginx, it fails,

    ==> error.log <==
    2012/10/31 16:36:44 [emerg] 8666#0: SSL_CTX_use_PrivateKey_file("/path/to/my.domain.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

If I simply switch the cert CHAIN build order, so the personal site crt is *first*,

    + cat STAR_domain.com.crt > my.domain.com.CHAIN.crt
    - cat AddTrustExternalCARoot.crt > my.domain.com.CHAIN.crt
    + cat AddTrustExternalCARoot.crt >> my.domain.com.CHAIN.crt
      cat UTNAddTrustSGCCA.crt >> my.domain.com.CHAIN.crt
      cat ComodoUTNSGCCA.crt >> my.domain.com.CHAIN.crt
      cat EssentialSSLCA_2.crt >> my.domain.com.CHAIN.crt
    - cat STAR_domain.com.crt >> my.domain.com.CHAIN.crt

then start nginx, it starts correctly, with no error. The site's accessible from most locations. But a check with https://www.ssllabs.com/ssltest/index.html returns/reports "Chain issues Incorrect order".

I'd like to get nginx to accept/use the correct/instructed CHAIN order so that it starts up correctly AND is reported 'correct order' by testing sites.

Is this a config issue on my end -- either nginx or the cert build? Or a bug?
on 2012-11-01 00:47
on 2012-11-01 06:18
On Nov 1, 2012, at 3:47 , chiterri@operamail.com wrote:

> ssl_verify_client off;
>
> I'd like to get nginx to accept/use the correct/instructed CHAIN order
> so that it starts-up correctly AND is reported 'correct order' by
> testing sites.
>
> Is this a config issue on my end -- either nginx or the cert build?
> Or a bug?

http://nginx.org/en/docs/http/configuring_https_se...

    cat STAR_domain.com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > my.domain.com.CHAIN.crt

--
Igor Sysoev
http://nginx.com/support.html
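The two symptoms in the thread come from two different checks, and the following script (an added example, not code from either poster or from nginx) reproduces both against a throw-away PKI. nginx passes ssl_certificate to OpenSSL's SSL_CTX_use_certificate_chain_file(), which takes the first PEM block in the file as the server certificate and checks the private key against that block alone; the remaining blocks are sent to clients as the chain, and scanners such as SSL Labs expect each of them to be the issuer of the one before it. The script builds a root, an intermediate and a leaf with the openssl CLI (names are placeholders), assembles the bundle in the three orders discussed (root first, the poster's workaround with the root immediately after the site certificate, and Igor's leaf-first order) and gives a one-word verdict for each. It assumes a POSIX sh and an openssl binary (1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Added example: diagnose an nginx ssl_certificate bundle the way nginx
# (the private-key check) and SSL Labs (the issuer-chain check) do.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed throw-away PKI: root -> intermediate -> leaf, RSA 2048,
# 30-day validity. The subject names are placeholders.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Test Root" -keyout root.key -out root.crt 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=Example Test Intermediate" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out int.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 30 -out leaf.crt 2>/dev/null

# The three bundle orders from the thread.
cat root.crt int.crt leaf.crt > root_first.chain.crt   # Comodo's list, read top-down
cat leaf.crt root.crt int.crt > workaround.chain.crt   # site cert first, rest unchanged
cat leaf.crt int.crt root.crt > leaf_first.chain.crt   # Igor's answer

# What nginx's startup check does: OpenSSL takes the FIRST certificate in
# the file as the server certificate and X509_check_private_key()s it.
first_cert_matches_key() {  # $1 = bundle, $2 = private key
    a="$(openssl x509 -in "$1" -noout -pubkey)"
    b="$(openssl pkey -in "$2" -pubout)"
    [ "$a" = "$b" ]
}

# What the "Incorrect order" finding means: certificate i must be issued
# by certificate i+1, all the way up the bundle.
chain_links_ok() {  # $1 = bundle
    d="$(mktemp -d)"
    awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$1"
    n=$(grep -c 'BEGIN CERTIFICATE' "$1")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer="$(openssl x509 -in "$d/$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')"
        subject="$(openssl x509 -in "$d/$((i+1)).pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')"
        if [ "$issuer" != "$subject" ]; then rm -rf "$d"; return 1; fi
        i=$((i+1))
    done
    rm -rf "$d"
}

# One-word verdict per bundle: key-mismatch is the [emerg] at startup,
# order-broken is the scanner finding, ok is what both expect.
diagnose() {  # $1 = bundle, $2 = private key
    if ! first_cert_matches_key "$1" "$2"; then echo key-mismatch
    elif ! chain_links_ok "$1"; then echo order-broken
    else echo ok
    fi
}

for f in root_first workaround leaf_first; do
    echo "$f: $(diagnose "$f.chain.crt" leaf.key)"
done
```

The three verdicts line up with the thread: root first fails the key check before nginx ever listens; the workaround passes that check, so nginx starts, but the second block is the root rather than the leaf's issuer, which is the misorder SSL Labs reports (the site still loads in most browsers because they fetch or cache the missing intermediate themselves); leaf first passes both. The order of the bundle is purely a presentation problem, so `openssl verify -CAfile root.crt -untrusted int.crt leaf.crt` succeeds for any of the three, which is why the workaround looked fine from the server side.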
on 2012-11-01 08:30
Hi,

I use portecle ( http://portecle.sourceforge.net/ ) to examine ssl certificates.

Rgds, Axel

On 01.11.2012 00:47, chiterri@operamail.com wrote: