SSL certificate chain

Hi,

I am trying to configure nginx 1.4.1 (using OpenSSL 1.0.1e) with a PEM
encoded certificate file that contains the whole chain, 3 including the Root
CA. But I cannot get it to work. I have followed the documentation at
http://nginx.org/en/docs/http/configuring_https_servers.html#chains and
http://www.startssl.com/?app=42, but no matter what I do it seems I
cannot get nginx to deliver more than one certificate. I have used both
http://portecle.sourceforge.net and https://www.ssllabs.com/ssltest/ to
verify. Other services (e.g. the dovecot IMAP server) on the same host using
the same version of OpenSSL and the same intermediate certificate and Root CA
work fine. How can I troubleshoot what is going wrong with nginx?

Thanks in advance.

Make sure the server cert is first in the file, followed by the CA
certs.

Steve

Hi,

They are. I get no errors from nginx whatsoever, just that no
certificate after the first is ever sent. If I change the order I get an
error about the key not matching, which is to be expected.


daniel

Hi.
You can try running diagnostics for problem discovery and
recommendations:

https://www.ssllabs.com/ssltest/

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,242410,242417#msg-242417

Hello,

What’s your error?

You just need to copy both certificates into one file with ‘cat’ or
something similar. I use portecle to examine the chained file. Make sure
that it’s the right CA cert.

Regards, Axel

On Sunday, 1 September 2013, 19:11:04, Daniel Lundqvist wrote:

Hi,

I am trying to configure nginx 1.4.1 (using OpenSSL 1.0.1e) with a PEM
encoded certificate file that contains the whole chain, 3 including the
Root CA. But I cannot get it to work. I have followed the documentation at
http://nginx.org/en/docs/http/configuring_https_servers.html#chains and
http://www.startssl.com/?app=42, but no matter what I do it seems I
cannot get nginx to deliver more than one certificate. I have used both
http://portecle.sourceforge.net and https://www.ssllabs.com/ssltest/ to
verify. Other services (e.g. the dovecot IMAP server) on the same host
using the same version of OpenSSL and the same intermediate certificate
and Root CA works

On 2013-09-02 11:59, Daniel Lundqvist wrote:

I have, it just says only 1 certificate is provided. Here are the test
results:
https://www.ssllabs.com/ssltest/analyze.html?d=www.malarhojden.nu

I note that you’re using StartCom for the certificate. I recall that the
intermediate certificate they say to use isn’t actually the one provided,
and I had to complete the certificate chain myself.

https://www.ssllabs.com/ssltest/analyze.html?d=www.stevewilson.co.uk

To build up my pem I started with the crt and key; then, running “openssl
x509 -in cert.pem -noout -text”, I was able to download the correct
intermediate using the “CA Issuers - URI” provided in the certificate. I
appended this to the pem and retested, repeating the process for each
certificate until it became valid.

Authority Information Access:
    OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
    CA Issuers - URI:http://aia.startssl.com/certs/sub.class1.server.ca.crt

It might be worth checking if your intermediate matches the above
sub.class1.server.ca.crt one.
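A file-side check for the ordering rule given earlier in the thread (server cert first, then the CA certs) and for the chain Steve builds by appending each issuer in turn, as an added example that is not from the thread or from nginx: a minimal DER reader pulls each certificate's issuer and subject out of the PEM bundle and reports a missing intermediate, a self-signed cert placed first, or a cert that is not followed by its issuer. `sample_cert_pem` and the names used with it are constructed stand-ins for the demonstration, not real certificates.

```python
import base64, re

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, end_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq):
    """Split the contents of a SEQUENCE or SET into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def cert_names(der):
    """Return (issuer, subject) as the raw DER Name contents of one certificate."""
    fields = _children(_children(_tlv(der, 0)[1])[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    return fields[2][1], fields[4][1]  # serial, sigAlg, issuer, validity, subject, ...

def check_chain(pem_text):
    """List ordering problems in a bundle as nginx expects it: server cert first, then each issuer."""
    blobs = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    names = [cert_names(base64.b64decode("".join(b.split()))) for b in blobs]
    if len(names) < 2:
        return ["fewer than two certificates: the intermediate CA is missing"]
    problems = []
    if names[0][0] == names[0][1]:
        problems.append("first certificate is self-signed: the server certificate must come first")
    for i in range(len(names) - 1):  # byte-for-byte Name match; real chains may need RFC 5280 rules
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}")
    return problems

_der = lambda tag, value: bytes([tag, len(value)]) + value  # minimal DER encoder; short-form lengths suffice here

def sample_cert_pem(subject, issuer):
    """Constructed stand-in with the real TBSCertificate field order and dummy contents; not a usable cert."""
    def name(cn):  # Name ::= SEQUENCE OF SET OF { commonName OID 2.5.4.3, UTF8String }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + name(issuer) + _der(0x30, b"") + name(subject))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))  # tbs + sigAlg + signature
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
```

Run `check_chain(open("chain.pem").read())` on the bundle nginx is given; an empty list means the order is consistent, and each string names the certificate that is out of place.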

I have, it just says only 1 certificate is provided. Here are the test
results:
https://www.ssllabs.com/ssltest/analyze.html?d=www.malarhojden.nu


daniel

So, mystery solved, I believe.

A few things were wrong for me:

  1. I had a catch-all virtual host using the same certificate file as the
    main site (configured both with an “invalid” server name and
    default_server for both HTTP and HTTPS)

  2. It seems the virtual server is also selected based on the CN/SubjectAltName
    from the certificate, which I did not know (is this correct? Seems so from my
    testing)

So I changed the certificate on the catch-all virtual server to a self-signed one
and now everything seems to be ok.

Sorry for taking up your time with my misconfigured server. At least I
learned something :)


daniel