Forum: NGINX Incorrect SSL cert chain build order used/required by nginx 1.3.8 ?

unknown (Guest)
on 2012-11-01 00:47
(Received via mailing list)
I'm running nginx/1.3.8 on linux/64.

I'm installing a commercial cert in nginx (Comodo Essential SSL).

When I build the SSL chain in order per instructions from Comodo (Root
-> Intermediate(s))

  https://comodosslstore.com/blog/how-do-i-make-my-o...

I do

  cat AddTrustExternalCARoot.crt >  my.domain.com.CHAIN.crt
  cat UTNAddTrustSGCCA.crt       >> my.domain.com.CHAIN.crt
  cat ComodoUTNSGCCA.crt         >> my.domain.com.CHAIN.crt
  cat EssentialSSLCA_2.crt       >> my.domain.com.CHAIN.crt
  cat STAR_domain.com.crt        >> my.domain.com.CHAIN.crt


If I use this CHAIN'd cert in my nginx conf,

  ssl                       on;
  ssl_verify_client         off;
  ssl_certificate           "/path/to/my.domain.com.CHAIN.crt";
  ssl_certificate_key       "/path/to/my.domain.com.key";

and start nginx, it fails,

  ==> error.log <==
  2012/10/31 16:36:44 [emerg] 8666#0:
  SSL_CTX_use_PrivateKey_file("/path/to/my.domain.com.key") failed
  (SSL: error:0B080074:x509 certificate
  routines:X509_check_private_key:key values mismatch)

If I simply switch the cert CHAIN build order, so the personal site crt
is *first*, to

+       cat STAR_domain.com.crt        >  my.domain.com.CHAIN.crt
-       cat AddTrustExternalCARoot.crt >  my.domain.com.CHAIN.crt
+       cat AddTrustExternalCARoot.crt >> my.domain.com.CHAIN.crt
  cat UTNAddTrustSGCCA.crt       >> my.domain.com.CHAIN.crt
  cat ComodoUTNSGCCA.crt         >> my.domain.com.CHAIN.crt
  cat EssentialSSLCA_2.crt       >> my.domain.com.CHAIN.crt
-       cat STAR_domain.com.crt        >> my.domain.com.CHAIN.crt
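Review bot: the `+` line that puts AddTrustExternalCARoot.crt directly after STAR_domain.com.crt fixes the start-up error (nginx only checks the first certificate in the file against ssl_certificate_key) but leaves the remaining certificates in the root-to-leaf order from Comodo's instructions, which is exactly what SSL Labs flags as "Incorrect order". After the server certificate, each following certificate should be the issuer of the one before it, so the file should be STAR_domain.com.crt, EssentialSSLCA_2.crt, ComodoUTNSGCCA.crt, UTNAddTrustSGCCA.crt and finally AddTrustExternalCARoot.crt, i.e. the reverse of the instructed order.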

then start nginx, it starts correctly, with no error.  The site's
accessible from most locations.

But a check with

  https://www.ssllabs.com/ssltest/index.html

returns/reports

  "Chain issues   Incorrect order"

I'd like to get nginx to accept/use the correct/instructed CHAIN order
so that it starts up correctly AND is reported 'correct order' by
testing sites.

Is this a config issue on my end -- either nginx or the cert build?
Or a bug?
Igor Sysoev (Guest)
on 2012-11-01 06:18
(Received via mailing list)
On Nov 1, 2012, at 3:47 , chiterri@operamail.com wrote:

>
>   ssl_verify_client         off;
>
>
>
> I'd like to get nginx to accept/use the correct/instructed CHAIN order
> so that it starts up correctly AND is reported 'correct order' by
> testing sites.
>
> Is this a config issue on my end -- either nginx or the cert build?
> Or a bug?

http://nginx.org/en/docs/http/configuring_https_se...

cat STAR_domain.com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt
UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt >
my.domain.com.CHAIN.crt


--
Igor Sysoev
http://nginx.com/support.html
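Igor's one-liner is the whole answer for this case; the script below is an added example (not from this thread or from nginx) that generalises it: it builds the bundle in the order nginx expects and then performs the two checks that correspond to the two failures reported above, nginx's X509_check_private_key mismatch and SSL Labs' "Incorrect order". It assumes `openssl` and `awk` are on the PATH; the function names and the file names in the usage line (leaf.crt, int.crt, root.crt) are my own, not names from the thread.

```shell
#!/bin/sh
# Build an nginx ssl_certificate bundle in the order nginx expects
# (server certificate first, then its issuer, and so on up to the root)
# and verify it the way nginx and SSL Labs would.
# Added example; assumes openssl and awk are installed.
set -eu

# build_chain OUT LEAF INTERMEDIATE... ROOT
# Plain concatenation in the order given (this is Igor's cat command).
build_chain() {
    out=$1; shift
    cat "$@" > "$out"
}

# split_bundle BUNDLE DIR
# Writes one file per PEM certificate (DIR/cert-001, cert-002, ...) and
# prints their paths in bundle order.
split_bundle() {
    bundle=$1; dir=$2
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d", dir, n) }
        n > 0                        { print > f }
        /-----END CERTIFICATE-----/  { close(f) }
    ' "$bundle"
    ls "$dir"/cert-* | sort
}

# key_matches_first_cert BUNDLE KEY
# Mirrors what nginx does at start-up (SSL_CTX_use_PrivateKey_file /
# X509_check_private_key): the FIRST certificate in ssl_certificate must
# carry the public key that belongs to ssl_certificate_key.
# "openssl x509 -in BUNDLE" reads only the first certificate in the file.
key_matches_first_cert() {
    bundle=$1; key=$2
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# chain_in_order BUNDLE
# The "chain order" check SSL Labs performs: certificate N+1 must be the
# issuer of certificate N. Fails on the first mismatch.
chain_in_order() {
    bundle=$1
    dir=$(mktemp -d)
    prev_issuer=""
    for c in $(split_bundle "$bundle" "$dir"); do
        subject=$(openssl x509 -in "$c" -noout -subject)
        issuer=$(openssl x509 -in "$c" -noout -issuer)
        # strip the "subject=" / "issuer=" prefixes so the names compare directly
        if [ -n "$prev_issuer" ] && [ "${subject#subject=}" != "${prev_issuer#issuer=}" ]; then
            rm -rf "$dir"
            return 1
        fi
        prev_issuer=$issuer
    done
    rm -rf "$dir"
    return 0
}

# Usage: sh chain-check.sh OUT.pem KEY LEAF INTERMEDIATE... ROOT
# e.g.   sh chain-check.sh my.domain.com.CHAIN.crt my.domain.com.key leaf.crt int.crt root.crt
if [ "$#" -ge 3 ]; then
    out=$1; key=$2; shift 2
    build_chain "$out" "$@"
    key_matches_first_cert "$out" "$key" && chain_in_order "$out" \
        && echo "OK: $out is in nginx order and matches $key" \
        || { echo "FAIL: $out (first cert must match the key, then each issuer in turn)" >&2; exit 1; }
fi
```

Run against the three bundles from the thread, the instructed root-first order fails the first check (nginx's start-up error), the poster's leaf-then-root-then-intermediates order passes the first check but fails the second (SSL Labs' "Incorrect order"), and Igor's leaf-to-root order passes both.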
Axel (Guest)
on 2012-11-01 08:30
(Received via mailing list)
Hi,

I use portecle ( http://portecle.sourceforge.net/ ) to examine ssl
certificates.

Rgds, Axel


On 01.11.2012 00:47, chiterri@operamail.com wrote: