I am trying to configure nginx 1.4.1 (using OpenSSL 1.0.1e) with a PEM encoded certificate file that contains the whole chain, 3 including the Root CA. But I cannot get it to work. I have followed the documentation at http://nginx.org/en/docs/http/configuring_https_servers.html#chains and http://www.startssl.com/?app=42, but no matter what I do it seems I cannot get nginx to deliver more than one certificate. I have used both http://portecle.sourceforge.net and https://www.ssllabs.com/ssltest/ to verify. Other services (e.g. the dovecot IMAP server) on the same host using the same version of OpenSSL and the same intermediate certificate and Root CA work fine. How can I troubleshoot what is going wrong with nginx?
They are. I get no errors from nginx whatsoever, just that no certificate after the first is ever sent. If I change the order I get an error about the key not matching, which is to be expected.
You just need to copy both certificates into one file with ‘cat’ or sth. similar. I use portecle to examine the chained file. Make sure that it’s the right CA cert.
Regards, Axel
On Sunday, 1 September 2013, 19:11:04, Daniel Lundqvist wrote:
Hi,
I am trying to configure nginx 1.4.1 (using OpenSSL 1.0.1e) with a PEM encoded certificate file that contains the whole chain, 3 including the Root CA. But I cannot get it to work. I have followed the documentation at http://nginx.org/en/docs/http/configuring_https_servers.html#chains and http://www.startssl.com/?app=42, but no matter what I do it seems I cannot get nginx to deliver more than one certificate. I have used both http://portecle.sourceforge.net and https://www.ssllabs.com/ssltest/ to verify. Other services (e.g. the dovecot IMAP server) on the same host using the same version of OpenSSL and the same intermediate certificate and Root CA works
I note that you’re using StartCom for the certificate. I recall that the intermediate certificate they say to use isn’t actually the one provided, and I had to complete the certificate chain myself.
To build up my pem I started with the crt and key; then, running “openssl x509 -in cert.pem -noout -text”, I was able to download the correct intermediate using the “CA Issuers - URI” provided in the certificate. I appended this to the pem and retested, repeating the process for each certificate until it became valid.
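The procedure above (walk the chain by hand, append each issuer to the bundle, retest) is easy to get subtly wrong, and an out-of-order bundle is exactly what produces the "key does not match" error mentioned earlier in the thread. The script below is an added example, not code from the thread or from nginx: it checks that a PEM bundle is ordered leaf, intermediate(s), root as nginx expects (each certificate's issuer must be the subject of the next one), pulls the "CA Issuers - URI" out of a certificate the way the post describes, and verifies the leaf against the root with `openssl verify`. It assumes the `openssl` CLI is on PATH; the CA names, the `www.example.com` leaf and the `pki.example.invalid` URI are constructed test data generated on the fly, not real certificates.

```shell
#!/bin/sh
# Added example: chain-order check for an nginx ssl_certificate bundle.
# Assumes the openssl CLI is on PATH. All certificates below are throwaway
# test data generated by make_test_pki, not real ones.

# Split a PEM bundle into $2/1.pem, $2/2.pem, ... in file order.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
        n > 0                         { print > out }
        /-----END CERTIFICATE-----/   { close(out) }
    ' "$1"
}

# Print the CA Issuers URI from the Authority Information Access extension
# (prints nothing if the certificate carries none).
ca_issuers_uri() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*CA Issuers - URI://p'
}

# Return 0 when each certificate in the bundle is issued by the next one
# (leaf, intermediate(s), root); 1 when the order is broken. Subject and
# issuer of every certificate are printed so the break point is visible.
check_chain_order() {
    tmp=$(mktemp -d) || return 2
    split_bundle "$1" "$tmp"
    status=0
    prev_issuer=
    i=1
    while [ -f "$tmp/$i.pem" ]; do
        subject=$(openssl x509 -in "$tmp/$i.pem" -noout -subject | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer | sed 's/^issuer= *//')
        printf 'cert %d: subject=%s\n        issuer=%s\n' "$i" "$subject" "$issuer"
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "cert $i is not the issuer of cert $((i - 1))" >&2
            status=1
        fi
        prev_issuer=$issuer
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$status"
}

# Build a throwaway root -> intermediate -> leaf hierarchy in directory $1.
# Writes bundle-good.pem (leaf, intermediate, root) and bundle-bad.pem
# (intermediate first: the order that makes nginx report a key mismatch).
make_test_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:true\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    # Constructed AIA pointer, so the leaf has a "CA Issuers - URI" to read back.
    printf 'authorityInfoAccess=caIssuers;URI:http://pki.example.invalid/int.cer\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Root' \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Intermediate' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.com' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/bundle-good.pem"
    cat "$d/int.pem" "$d/leaf.pem" > "$d/bundle-bad.pem"
}

# Verify the leaf against the root with the intermediate as untrusted helper,
# which is what a client does with the chain nginx sends it.
verify_leaf() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null
}

# Usage: save as chaincheck.sh and run "sh chaincheck.sh"; for a real bundle
# call check_chain_order /path/to/bundle.pem instead of the generated one.
if [ "${0##*/}" = "chaincheck.sh" ]; then
    work=$(mktemp -d)
    make_test_pki "$work"
    echo "CA Issuers URI in leaf: $(ca_issuers_uri "$work/leaf.pem")"
    check_chain_order "$work/bundle-good.pem" && echo "bundle-good.pem: order OK"
    check_chain_order "$work/bundle-bad.pem" || echo "bundle-bad.pem: order broken"
    verify_leaf "$work" && echo "leaf verifies against root"
    rm -rf "$work"
fi
```

The subject/issuer comparison is done on `openssl x509 -subject`/`-issuer` output, which is formatted consistently by one OpenSSL binary, so the check is independent of the version's exact name syntax. Against a StartSSL-style bundle, the first mismatch it reports is the certificate whose issuer you still need to fetch from the CA Issuers URI.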
I had a catch-all virtual host using the same certificate file as the main site (configured both with an “invalid” server name and default_server for both HTTP and HTTPS).
It seems the virtual server is also selected based on the CN/SubjectAltName from the certificate, which I did not know (is this correct? Seems so from my testing).
So I changed the certificate on the catch-all virtual server to a self-signed one and now everything seems to be OK.
Sorry for taking up your time with my misconfigured server. At least I learned something.
–
daniel