Hi all,
We have a VeriSign SSL cert and I've configured nginx with the .crt
file containing our cert and the VeriSign intermediate cert (in that
order in the file).
In Mac OS Safari, both on the desktop and the iPhone, I am getting
certificate errors (can't verify the identity). Firefox on the same
platform says the certificate is OK, and IE in most cases says it is
OK. I have had a couple of reports of IE7 complaining about the
validity of the certificate, but that has been sporadic. I've also
checked it with curl (on Linux and Mac OS) and it complains as follows:
curl https://www.greennote.com
curl: (60) Peer certificate cannot be authenticated with known CA certificates
Does anyone have any ideas of why this would happen?
My nginx.conf has this for ssl:
ssl on;
ssl_certificate /etc/nginx/www.crt;
ssl_certificate_key /etc/nginx/prod.key;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:+EXP;
ssl_prefer_server_ciphers on;
This problem was not happening on our hardware load balancers with the
same certificate, so I’m at a loss as to what to try next.
thanks,
james
Here’s what I have:
ssl on;
ssl_certificate /home/video/certs/video.freeproxies.org.crt;
ssl_certificate_key /home/video/certs/video.freeproxies.org.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
I haven’t noticed any particular issues, but haven’t tested in safari.
Would be interested to know if you get the same issue with mine (seems
my config is slightly different).
https://video.freeproxies.org/flvplayer.php is a good test url.
Yep, I get the same error in Safari on Mac OS and on the iPhone with
the link you gave below. Firefox is happy.
If I add the intermediate certs to my keychain it stops complaining,
but that's not really a good solution for end users.
Thanks,
james
On Fri, Jan 23, 2009 at 01:36:33PM -0800, Gabriel R. wrote:
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
I haven’t noticed any particular issues, but haven’t tested in safari.
Would be interested to know if you get the same issue with mine (seems
my config is slightly different).
https://video.freeproxies.org/flvplayer.php is a good test url.
The site sends the video.freeproxies.org certificate only, without the GoDaddy
intermediate certificates. Firefox 3.1 on Mac OS X run with a fresh profile
does not accept the site. Firefox with a daily-used profile usually accepts
the site, as the GoDaddy intermediate certificate may already be in the
Firefox profile.
You need to go to
https://certs.godaddy.com/Repository.go
and download the GoDaddy intermediate certificate chain:
https://certs.godaddy.com/repository/gd_bundle.crt
Then you need to
cat video.freeproxies.org.crt gd_bundle.crt > video.freeproxies.org.bundle.crt
and use the new bundle:
ssl_certificate /home/video/certs/video.freeproxies.org.bundle.crt;
On Fri, Jan 23, 2009 at 01:02:45PM -0800, James Ochs wrote:
Hi all,
We have a verisign ssl cert and I’ve configured nginx with the .crt
file containing our cert and the verisign intermediate cert (in that
order in the file)
It seems that you got the wrong VeriSign intermediate cert:
 0 s:/C=US/ST=California/L=Redwood City/O=GreenNote, Inc/OU=IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=www.greennote.com
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
www.greennote.com is issued by
/O=VeriSign Trust Network/OU=VeriSign, Inc.
/OU=VeriSign International Server CA - Class 3
/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
but the second certificate is
/C=US
/O=VeriSign, Inc.
/OU=VeriSign Trust Network
/OU=Terms of use at https://www.verisign.com/rpa (c)05
/CN=VeriSign Class 3 Secure Server CA
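The issuer-versus-subject check made in this reply, as an added Python example that is not part of the thread: it parses an "s:"/"i:" chain listing of the kind quoted above and reports whether each certificate sent by the server is issued by the one that follows it. The GreenNote names are abridged from the listing in the thread; the "Example CA" names are placeholders.

```python
import re
from typing import List, Tuple

# Constructed sample, abridged from the listing quoted in this thread: the
# "depth s:subject" / "i:issuer" pairs that `openssl s_client -showcerts`
# prints, one per certificate the server sent. Some OU components dropped.
GREENNOTE_CHAIN = """\
 0 s:/C=US/ST=California/L=Redwood City/O=GreenNote, Inc/OU=IT/CN=www.greennote.com
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/CN=VeriSign Class 3 Secure Server CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
"""

# Constructed sample of the shape a correct leaf+intermediate bundle gives
# (placeholder CA names): each issuer is exactly the next subject.
GOOD_CHAIN = """\
 0 s:/CN=www.example.test
   i:/O=Example CA/CN=Example Intermediate CA
 1 s:/O=Example CA/CN=Example Intermediate CA
   i:/O=Example CA/CN=Example Root CA
"""


def parse_chain(listing: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server sent them."""
    pairs = re.findall(r"^\s*\d+\s+s:(.*)\n\s*i:(.*)$", listing, re.M)
    if not pairs:
        raise ValueError("no 's:'/'i:' pairs found in listing")
    return [(s.strip(), i.strip()) for s, i in pairs]


def check_chain(chain: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Walk the sent chain the way a client builds it: certificate k must be
    issued by the subject of certificate k+1. Returns (status, detail):
      'broken'    - an issuer differs from the following subject (the
                    GreenNote case: the wrong intermediate was bundled)
      'leaf-only' - no intermediate sent at all (the freeproxies case);
                    clients that lack that intermediate reject the site
      'ok'        - contiguous; detail names the anchor the client must trust
    Note: this compares DN strings; real clients compare the DER-encoded
    names, so treat a match here as necessary, not sufficient."""
    for depth in range(len(chain) - 1):
        issuer, next_subject = chain[depth][1], chain[depth + 1][0]
        if issuer != next_subject:
            return "broken", (f"depth {depth} is issued by {issuer!r}, but the "
                              f"next certificate is {next_subject!r}")
    last_subject, last_issuer = chain[-1]
    if len(chain) == 1 and last_subject != last_issuer:
        return "leaf-only", f"no intermediate sent; client must already hold {last_issuer!r}"
    return "ok", f"contiguous; client must trust {last_issuer!r}"
```

Run it against the output of openssl s_client -showcerts for your own host; a "broken" result means the bundled intermediate is the wrong one, "leaf-only" means no intermediate is being sent at all.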