Ssl for nginx, old browsers

I have an nginx server as a frontend to apache. Nginx runs ssl with a
certificate that was bought and is valid. New versions of browsers (like
Opera 10) have no problems, but old ones (like 9.5 and some client-banking
systems) show a message regarding the certificate. What can I do to prevent
this?

Posted at Nginx Forum:

On Tue, Oct 06, 2009 at 03:14:28AM -0400, eternity wrote:

I have an nginx server as a frontend to apache. Nginx runs ssl with a certificate that was bought and is valid. New versions of browsers (like Opera 10) have no problems, but old ones (like 9.5 and some client-banking systems) show a message regarding the certificate. What can I do to prevent this?

What authority has signed the certificate? You might not have added the
authority's certificate chain to the certificate, and this may cause the
issue with old browsers.

It’s from support.comodo.com

I have .crt file with two certificates

Posted at Nginx Forum:

On Tue, Oct 06, 2009 at 04:23:38AM -0400, eternity wrote:

It’s from support.comodo.com

I have .crt file with two certificates

Have you downloaded Comodo's intermediate certificates at

and concatenated them using

cat you.crt comodo.crt > new.crt

?

On Tue, Oct 06, 2009 at 04:58:09AM -0400, eternity wrote:

I'm sorry, but can you explain please what I should do after downloading the intermediate certificate? Because I have a task to make old browsers work without errors, but I don't know about chained certificates. I have only the ROOT CA certificate, and the chained one was downloaded and installed before me.

What do you mean by ROOT CA certificate?

I mean cert file AddTrustExternalCARoot.crt from comodo

Posted at Nginx Forum:


And your_cert.crt, is it a self-signed certificate?

Posted at Nginx Forum:

On Tue, Oct 06, 2009 at 05:06:11AM -0400, eternity wrote:

I mean cert file AddTrustExternalCARoot.crt from comodo

Then you need to do

cat AddTrustExternalCARoot.crt you_cert.crt > new_cert.crt;

and use this new_cert.crt in

ssl_certificate new_cert.crt;

Sorry, I was a bit confused.
I already have an intermediate certificate, which was (I suppose) issued by
Comodo.
I do

openssl s_client -connect www.host.com:443

And it returns errors

Verify return code: 21 (unable to verify the first certificate)

Posted at Nginx Forum:

On Tue, Oct 06, 2009 at 07:54:20AM -0400, eternity wrote:

Sorry, I was a bit confused.
I already have an intermediate certificate, which was (I suppose) issued by Comodo.
I do

openssl s_client -connect www.host.com:443

And it returns errors

Verify return code: 21 (unable to verify the first certificate)

This is normal, because you need to supply the root CAs to the openssl client.

On Tue, Oct 06, 2009 at 05:20:43AM -0400, eternity wrote:

And your_cert.crt, is it a self-signed certificate?

No, this is not a self-signed certificate.
This is the certificate that Comodo has signed for you.

Hmm, the latest Firefox also asks about a security risk;
Google Chrome and Opera don't.
How do I make all browsers silent?

Posted at Nginx Forum:

So, I made a bit of progress.
I took Chrome, which doesn't ask about the risk, and exported the chain.
So now the old version asks only once to add the root CA and then it becomes
silent.
Now the question: how to add one more element to the chain so old browsers
won't even ask to add the CA.
site: https://svpage.ru

Posted at Nginx Forum:

On Tue, Oct 06, 2009 at 08:40:49AM -0400, eternity wrote:

Hmm, the latest Firefox also asks about a security risk;
Google Chrome and Opera don't.
How do I make all browsers silent?

Could you tell the site address?

On Tue, Oct 06, 2009 at 09:18:53AM -0400, eternity wrote:

So, I made a bit of progress.
I took Chrome, which doesn't ask about the risk, and exported the chain.
So now the old version asks only once to add the root CA and then it becomes silent.
Now the question: how to add one more element to the chain so old browsers won't even ask to add the CA.
site: https://svpage.ru

openssl s_client -connect svpage.ru:443

Certificate chain
 0 s:/C=RU/postalCode=198411/ST=Some-State/L=Saint-Petersburg/streetAddress=Sankt-Peterburg, g. Lomonosov Svyazi, d. 1/O=CJS SV-Groupe/OU=CJS SV-Groupe/OU=Provided by Hosting-Center RBC/OU=RBC HC Gold SSL/CN=www.svpage.ru
   i:/C=RU/O=RBC Hosting Center/CN=RBC HC High Assurance Services CA
 1 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware

First, the certificate is for www.svpage.ru.
Second, the certificate is signed by RBC; however, RBC's certificate is
not signed: you have a broken chain:

www.svpage.ru --- RBC -||- USERTRUST

On Tue, Oct 06, 2009 at 10:19:50AM -0400, eternity wrote:

But this chain was automatically detected by Chrome. Why does Chrome think that it is not broken?

A browser might get the signed RBC certificate from another site.
In this case the browser stores the certificate and trusts it in other
sessions. I'm not able to see certificates in Chrome, but in Firefox
such a certificate is marked as "Software Security Device" as opposed to
"Builtin Object Token".


On Wed, Oct 07, 2009 at 02:18:13AM -0400, eternity wrote:

So, what is your advice? How do I make a good chain so no one would ask? I mean using this RBC cert?
Anyway, big thanks for helping)

According to the SSL-СЕРТИФИКАТЫ (SSL certificates) page you should have

UTNAddTrustServerCA.crt
RBCHCHighAssuranceServices.crt
and something like www.svpage.ru.crt

Then you need to run

cat www.svpage.ru.crt RBCHCHighAssuranceServices.crt UTNAddTrustServerCA.crt > chain.crt

and use this chain.crt in the ssl_certificate directive.
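Added example, not code from the thread: a small Python check for the ordering rule behind that cat command, that the bundle handed to ssl_certificate starts with the leaf and has each certificate followed by its issuer, so a gap like www.svpage.ru --- RBC -||- USERTRUST is reported on the server instead of being discovered by a browser. It walks only the outer DER structure (no signature verification) and builds unsigned dummy certificates inline, with the CN values taken from the s_client output above, so it runs offline.

```python
import base64, re

# Added example, not from the thread: reads each certificate's Issuer and
# Subject with a minimal DER walk, then checks that a PEM bundle meant for
# nginx's ssl_certificate is leaf first, each followed by its issuer.
# Signatures are NOT verified; this only catches ordering or missing links.
def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                        # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def names(der):
    """Return (issuer, subject) as raw DER Name values of one certificate."""
    _, p, _ = _tlv(der, 0)               # Certificate
    _, p, _ = _tlv(der, p)               # TBSCertificate
    tag, _, e = _tlv(der, p)             # [0] version, if present
    if tag == 0xA0:
        _, _, e = _tlv(der, e)           # serialNumber
    _, _, e = _tlv(der, e)               # signature algorithm
    _, i0, i1 = _tlv(der, e)             # issuer Name
    _, _, e = _tlv(der, i1)              # validity
    _, s0, s1 = _tlv(der, e)             # subject Name
    return der[i0:i1], der[s0:s1]

def chain_problems(pem_text):
    """Indices i where certificate i is not issued by certificate i+1."""
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    certs = [base64.b64decode("".join(b.split()))
             for b in re.findall(pat, pem_text, re.S)]
    return [i for i in range(len(certs) - 1)
            if names(certs[i])[0] != names(certs[i + 1])[1]]

# Constructed, unsigned dummy certificates so the check runs offline.
def _enc(tag, body):                     # short-form DER lengths suffice here
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _name(cn):                           # Name: SEQUENCE { SET { CN=cn } }
    atv = _enc(0x30, bytes.fromhex("0603550403") + _enc(0x0C, cn.encode()))
    return _enc(0x30, _enc(0x31, atv))

def fake_cert_pem(subject_cn, issuer_cn):
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")
               + _enc(0x30, b"") + _name(issuer_cn) + _enc(0x30, b"")
               + _name(subject_cn))
    der = _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")
```

Run chain_problems on the real chain.crt (open it and pass the text); an empty list means every link is present and in order, and each reported index is the position after which the issuer is missing or out of place.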
