Ssl for nginx, old browsers

I have an nginx server as a frontend to apache. Nginx runs ssl with
certificate that was bought and is valid. New versions of browsers(like
opera 10) have no problems, but old(like 9.5 and some client-banking
systems) show a message regarding certificate. What can I do to prevent
this?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,11441,11441#msg-11441

On Tue, Oct 06, 2009 at 03:14:28AM -0400, eternity wrote:

I have an nginx server as a frontend to apache. Nginx runs ssl with certificate that was bought and is valid. New versions of browsers(like opera 10) have no problems, but old(like 9.5 and some client-banking systems) show a message regarding certificate. What can I do to prevent this?

What authority has signed the certificate ? You might not add the
authority’s
certificate chain in the certificate and this may cause the issue with
old
browsers.

It’s from support.comodo.com

I have .crt file with two certificates

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,11441,11450#msg-11450

On Tue, Oct 06, 2009 at 04:23:38AM -0400, eternity wrote:

It’s from support.comodo.com

I have .crt file with two certificates

Have you downloaded Comodo’s intermediate certificates at

https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=1&pcid=0&nav=0

and have concatinated them using

cat you.crt comodo.crt > new.crt

?

On Tue, Oct 06, 2009 at 04:58:09AM -0400, eternity wrote:

I’m sorry, but can you explain plz what should I do after downloading intermediate certificate?Because I Have a task to make old browsers work without errors, but I don’t know about chained certeficate, I have only ROOT ca certificate, and chained was downloaded and installed before me

What do you mean by ROOT ca certificate ?

I mean cert file AddTrustExternalCARoot.crt from comodo

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,11441,11456#msg-11456

I’m sorry, but can you explain plz what should I do after downloading
intermediate certificate?Because I Have a task to make old browsers work
without errors, but I don’t know about chained certeficate, I have only
ROOT ca certificate, and chained was downloaded and installed before me

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,11441,11452#msg-11452

and your_cert.crt - Is a self-signed certificate?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,11441,11458#msg-11458

On Tue, Oct 06, 2009 at 05:06:11AM -0400, eternity wrote:

I mean cert file AddTrustExternalCARoot.crt from comodo

Then you need to do

cat AddTrustExternalCARoot.crt you_cert.crt > new_cert.crt;

and use this new_cert.crt in

ssl_certificate new_cert.crt;

Sorry, I was confused a bit
a have already intermidiate certificate, which was(I suppose) issued by
comodo.
I do

openssl s_client -connect www.host.com:443

And it returns errors

Verify return code: 21 (unable to verify the first certificate)

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,11441,11473#msg-11473

On Tue, Oct 06, 2009 at 07:54:20AM -0400, eternity wrote:

Sorry, I was confused a bit
a have already intermidiate certificate, which was(I suppose) issued by comodo.
I do

openssl s_client -connect www.host.com:443

And it returns errors

Verify return code: 21 (unable to verify the first certificate)

This is normal, because you need to supply root CAs for openssl client.

On Tue, Oct 06, 2009 at 05:20:43AM -0400, eternity wrote:

and your_cert.crt - Is a self-signed certificate?

No, this is not self-signed certificate.
This is certificate that Comodo had signed for you.

Hmm, the latest firefox also ask for security risk
google chrome and opera doesn’t
how to make for all browsers be silent?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,11441,11485#msg-11485

So, i made a bit progress
I took chrome which doesn’t ask for risk, and exported chain
So, now, old version asks only once to add root CA and then it becomes
silent
Now the question - how to add one more element in chain so old browsers
won’t even ask for adding CA
site: https://svpage.ru

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,11441,11497#msg-11497

On Tue, Oct 06, 2009 at 08:40:49AM -0400, eternity wrote:

Hmm, the latest firefox also ask for security risk
google chrome and opera doesn’t
how to make for all browsers be silent?

Could you tell the site address ?

On Tue, Oct 06, 2009 at 09:18:53AM -0400, eternity wrote:

So, i made a bit progress
I took chrome which doesn’t ask for risk, and exported chain
So, now, old version asks only once to add root CA and then it becomes silent
Now the question - how to add one more element in chain so old browsers won’t even ask for adding CA
site: https://svpage.ru

openssl s_client -connect svpage.ru:443

Certificate chain
0
s:/C=RU/postalCode=198411/ST=Some-State/L=Saint-Petersburg/streetAddress=Sankt-Peterburg,
g. Lomonosov Svyazi, d. 1/O=CJS SV-Groupe/OU=CJS SV-Groupe/OU=Provided
by Hosting-Center RBC/OU=RBC HC Gold SSL/CN=www.svpage.ru
i:/C=RU/O=RBC Hosting Center/CN=RBC HC High Assurance Services CA
1 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware

First, the ceritficate is for www.svpage.ru.
Second, the ceritficate is signed by RBC, however, RBC’s ceritficate is
not signed: you have a broken chain:

www.svpage.ru --- RBC -||- USERTRUST

On Tue, Oct 06, 2009 at 10:19:50AM -0400, eternity wrote:

But, this chain was automatically detected by chrome. Why chrome thinks that it is not broken?

A browser might get the signed RBC certificate from another site.
In this case the browser stores the certificate and trusts it in another
sessions. I’m not able to see certificates in Chrome, but in Firefox
such certificate is marked as “Software Security Device” as opposite to
“Builtin Object Token”.

But, this chain was automatically detected by chrome. Why chrome thinks
that it is not broken?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,11441,11520#msg-11520

On Wed, Oct 07, 2009 at 02:18:13AM -0400, eternity wrote:

So, what is your advice, how to I make a good chain so no one would ask?I mean using this RBC cert?
anyway, big thanks for helping)

According to http://ssl.ru/ru/support/ you should have

UTNAddTrustServerCA.crt
RBCHCHighAssuranceServices.crt
and something lke www.svpage.ru.crt

Then you need to run

cat www.svpage.ru.crt RBCHCHighAssuranceServices.crt
UTNAddTrustServerCA.crt > chain.crt

and use this chain.crt in ssl_certificate directive.

So, what is your advice, how to I make a good chain so no one would
ask?I mean using this RBC cert?
anyway, big thanks for helping)

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,11441,11741#msg-11741

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs