I am trying to configure nginx 1.4.1 (using OpenSSL 1.0.1e) with a PEM encoded certificate file that contains the whole chain, 3 including Root CA. But I can not get it to work. I have followed the documentation at Configuring HTTPS servers and http://www.startssl.com/?app=42, but no matter what I do it seems I can not get nginx to deliver more than one certificate. I have used both http://portecle.sourceforge.net and SSL Server Test (Powered by Qualys SSL Labs) to verify. Other services (e.g. dovecot IMAP server) on the same host using the same version of OpenSSL and the same intermediate certificate and Root CA work fine. How can I troubleshoot what is going wrong with nginx?
They are. I get no errors from nginx whatsoever, just that no certificate after the first is ever sent. If I change the order I get an error about the key not matching, which is to be expected.
You just need to copy both certificates into one file with ‘cat’ or sth. similar. I use portecle to examine the chained file. Make sure that it’s the right CA cert.
Regards, Axel
On Sunday, 1 September 2013, 19:11:04, Daniel Lundqvist wrote:
Hi,
I am trying to configure nginx 1.4.1 (using OpenSSL 1.0.1e) with a PEM encoded certificate file that contains the whole chain, 3 including Root CA. But I can not get it to work. I have followed documentation at Configuring HTTPS servers and Notice to all StartCom subscribers, but no matter what I do it seems I can not get nginx to deliver more than one certificate. I have used both http://portecle.sourceforge.net and SSL Server Test (Powered by Qualys SSL Labs) to verify. Other services (e.g. dovecot IMAP server) on the same host using same version of OpenSSL and same intermediate certificate and Root CA works
I note that you’re using StartCom for the certificate; I recall that the intermediate certificate they say to use isn’t actually the one provided, and I had to complete the certificate chain myself.
To build up my pem I started with the crt and key; then, running “openssl x509 -in cert.pem -noout -text”, I was able to download the correct intermediate using the “CA Issuers - URI” provided in the certificate. I appended this to the pem and retested, repeating the process for each certificate until it became valid.
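The manual loop described above (dump the certificate, follow its “CA Issuers - URI”, append the issuer, repeat until a self-signed root is reached), as an added POSIX shell example that is not from the thread or from nginx. It assumes openssl and curl are on PATH, that the leaf certificate is PEM, and that each issuer certificate is published at the AIA URI in PEM or DER form; downloaded issuers are written to the current directory as issuerN.pem.

```shell
#!/bin/sh
# Added example: build a full chain file for nginx by walking AIA pointers.
# Assumes: openssl and curl on PATH; leaf certificate in PEM (assumption).

# Print the first "CA Issuers - URI" found in `openssl x509 -noout -text` output (stdin).
aia_issuer_uri() {
    sed -n 's/^[[:space:]]*CA Issuers - URI:\(.*\)$/\1/p' | head -n 1
}

# Return 0 when the text dump on stdin describes a self-signed certificate
# (Issuer line identical to Subject line), 1 otherwise.
is_self_signed() {
    awk '/^[[:space:]]*Issuer:/  { i = $0; sub(/^[[:space:]]*Issuer:/,  "", i) }
         /^[[:space:]]*Subject:/ { s = $0; sub(/^[[:space:]]*Subject:/, "", s) }
         END { exit (i != "" && i == s) ? 0 : 1 }'
}

# Convert a downloaded certificate ($1, PEM or DER) to PEM in $2.
to_pem() {
    openssl x509 -inform PEM -in "$1" -out "$2" 2>/dev/null && return 0
    openssl x509 -inform DER -in "$1" -out "$2"
}

# build_chain LEAF.pem [OUT.pem]: leaf first, then every issuer reached via
# its AIA URI, stopping once a self-signed (root) certificate has been added.
build_chain() {
    leaf=$1; out=${2:-chain.pem}; cur=$leaf; n=0
    cp "$leaf" "$out" || return 1
    while :; do
        txt=$(openssl x509 -in "$cur" -noout -text) || return 1
        if printf '%s\n' "$txt" | is_self_signed; then break; fi
        uri=$(printf '%s\n' "$txt" | aia_issuer_uri)
        [ -n "$uri" ] || { echo "no CA Issuers URI in $cur; chain incomplete" >&2; return 1; }
        n=$((n + 1)); raw="issuer$n.raw"; pem="issuer$n.pem"
        curl -fsSL -o "$raw" "$uri" || return 1
        to_pem "$raw" "$pem" || return 1
        cat "$pem" >> "$out"; cur=$pem
    done
    # Final check: the leaf must verify against the chain just assembled.
    openssl verify -CAfile "$out" "$leaf" >/dev/null
}
# Usage: build_chain cert.pem chain.pem   (then point ssl_certificate at chain.pem)
```

Running portecle or the SSL Labs test on the resulting chain.pem afterwards confirms that nginx now sends every certificate in the file.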
I had a catch-all virtual host using the same certificate file as the main site (configured both with an “invalid” server name and default_server for both HTTP and HTTPS).
It seems the virtual server is also selected based on the CN/SubjectAltName from the certificate, which I did not know (is this correct? It seems so from my testing).
So I changed the certificate on the catch-all virtual server to self-signed and now everything seems to be OK.
Sorry for taking up your time with my misconfigured server. At least I learned something.
–
daniel