SSL certificate chain

Hi,

I am trying to configure nginx 1.4.1 (using OpenSSL 1.0.1e) with a PEM
encoded certificate file that contains the whole chain, 3 including Root
CA. But I cannot get it to work. I have followed documentation at
Configuring HTTPS servers and
http://www.startssl.com/?app=42, but no matter what I do it seems I
cannot get nginx to deliver more than one certificate. I have used both
http://portecle.sourceforge.net and SSL Server Test (Powered by Qualys SSL Labs) to
verify. Other services (e.g. dovecot IMAP server) on the same host using
the same version of OpenSSL and the same intermediate certificate and Root CA
work fine. How can I troubleshoot what is going wrong with nginx?

Thanks in advance.

Make sure the server cert is first in the file, followed by the CA
certs.

Steve

Hi,

They are. I get no errors from nginx whatsoever, just that no
certificate after the first is ever sent. If I change the order I get an error
about the key not matching, which is to be expected.


daniel

Hi.
You can try running diagnostics for problem discovery and
recommendations.

Hello,

what’s your error?

you just need to copy both certificates in one file with ‘cat’ or sth.
similar. I use portecle to examine the chained file. Make sure that it’s
the right ca cert.

Regards, Axel

On Sunday, 1 September 2013, 19:11:04, Daniel Lundqvist wrote:


On 2013-09-02 11:59, Daniel Lundqvist wrote:

I have, it just says only 1 certificate is provided. Here are the test
results:
SSL Server Test: www.malarhojden.nu (Powered by Qualys SSL Labs)

I note that you’re using startcom for the certificate. I recall that the
intermediate certificate they say to use isn’t actually the one provided,
and I had to complete the certificate chain myself.

To build up my pem I started with the crt and key; then, running “openssl
x509 -in cert.pem -noout -text”, I was able to download the correct
intermediate using the “CA Issuers - URI” provided in the certificate.
I appended this to the pem and retested, repeating the process for each
certificate until it became valid.

Authority Information Access:
    OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
    CA Issuers - URI:http://aia.startssl.com/certs/sub.class1.server.ca.crt

It might be worth checking if your intermediate matches the above
sub.class1.server.ca.crt one.

I have, it just says only 1 certificate is provided. Here are the test
results:
https://www.ssllabs.com/ssltest/analyze.html?d=www.malarhojden.nu


daniel
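Added example, not from this thread: a POSIX shell check for the two problems raised above, the certificate order Steve points out and the missing intermediate that the AIA walk-through fixes. It assumes the openssl CLI is installed; `check_chain` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a combined PEM file the way
# nginx's ssl_certificate expects it: server cert first, then each issuer in
# order, and the first cert matching the private key. Usage:
#   check_chain fullchain.pem server.key
check_chain() {
    cc_pem=$1; cc_key=$2; cc_status=0
    cc_tmp=$(mktemp -d) || return 2
    # Split the bundle into cert1.pem, cert2.pem, ... in file order.
    awk -v dir="$cc_tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem"; inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }' "$cc_pem"
    cc_n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cc_pem")
    if [ "$cc_n" -lt 2 ]; then
        echo "FAIL: $cc_pem holds $cc_n certificate(s); intermediates are missing"
        cc_status=1
    fi
    # The first cert must be the server cert: its public key must match the key file.
    if [ -n "$cc_key" ] && [ "$cc_n" -ge 1 ]; then
        cc_pub1=$(openssl x509 -in "$cc_tmp/cert1.pem" -noout -pubkey 2>/dev/null)
        cc_pub2=$(openssl pkey -in "$cc_key" -pubout 2>/dev/null)
        if [ "$cc_pub1" != "$cc_pub2" ]; then
            echo "FAIL: first certificate does not match private key $cc_key"
            cc_status=1
        fi
    fi
    # Each certificate's issuer must be the subject of the next one in the file.
    cc_i=1
    while [ "$cc_i" -lt "$cc_n" ]; do
        cc_j=$((cc_i + 1))
        cc_iss=$(openssl x509 -in "$cc_tmp/cert$cc_i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
        cc_sub=$(openssl x509 -in "$cc_tmp/cert$cc_j.pem" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
        if [ "$cc_iss" = "$cc_sub" ]; then
            echo "ok: cert $cc_i is issued by cert $cc_j ($cc_sub)"
        else
            echo "FAIL: cert $cc_i issuer [$cc_iss] != cert $cc_j subject [$cc_sub]"
            cc_status=1
        fi
        cc_i=$cc_j
    done
    rm -rf "$cc_tmp"
    return $cc_status
}
```

Once the file passes, `openssl s_client -connect host:443 -servername host -showcerts` shows the chain a given server name actually receives from nginx, which is where a catch-all default_server answering with a different certificate file becomes visible.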

So, mystery solved, I believe.

A few things were wrong for me:

  1. I had a catch-all virtual host using the same certificate file as the
    main site (configured both with an “invalid” server name and
    default_server for both HTTP and HTTPS)

  2. It seems the virtual server is also selected based on CN/SubjectAltName
    from the certificate, which I did not know (is this correct? Seems so from my
    testing)

So I changed the certificate on the catch-all virtual server to self-signed
and now everything seems to be ok.

Sorry for taking up your time with my misconfigured server. At least I
learned something :)


daniel