Incorrect SSL cert chain build order used/required by nginx 1.3.8?

I’m running nginx/1.3.8 on linux/64.

I’m installing a commercial cert in nginx (Comodo Essential SSL).

When I build the SSL chain in order per instructions from Comodo (Root
→ Intermediate(s)

How do I make my own bundle file from CRT files?

I do

cat AddTrustExternalCARoot.crt > my.domain.com.CHAIN.crt
cat UTNAddTrustSGCCA.crt >> my.domain.com.CHAIN.crt
cat ComodoUTNSGCCA.crt >> my.domain.com.CHAIN.crt
cat EssentialSSLCA_2.crt >> my.domain.com.CHAIN.crt
cat STAR_domain.com.crt >> my.domain.com.CHAIN.crt

If I use this CHAIN'd cert in my nginx conf,

ssl on;
ssl_verify_client off;
ssl_certificate "/path/to/my.domain.com.CHAIN.crt";
ssl_certificate_key "/path/to/my.domain.com.key";

and start nginx, it fails,

==> error.log <==
2012/10/31 16:36:44 [emerg] 8666#0:
SSL_CTX_use_PrivateKey_file("/path/to/my.domain.com.key") failed
(SSL: error:0B080074:x509 certificate
routines:X509_check_private_key:key values mismatch)

If I simply switch the cert CHAIN build order, so the personal site crt
is first:

cat STAR_domain.com.crt        >  my.domain.com.CHAIN.crt
cat AddTrustExternalCARoot.crt >> my.domain.com.CHAIN.crt
cat UTNAddTrustSGCCA.crt       >> my.domain.com.CHAIN.crt
cat ComodoUTNSGCCA.crt         >> my.domain.com.CHAIN.crt
cat EssentialSSLCA_2.crt       >> my.domain.com.CHAIN.crt

then start nginx, it starts correctly, with no error. The site’s
accessible from most locations.

But a check with

SSL Server Test (Powered by Qualys SSL Labs)

returns/reports

“Chain issues Incorrect order”

I'd like to get nginx to accept/use the correct/instructed CHAIN order
so that it starts up correctly AND is reported 'correct order' by
testing sites.

Is this a config issue on my end (either nginx or the cert build)?
Or a bug?

On Nov 1, 2012, at 3:47 , [email protected] wrote:

> ssl_verify_client off;
>
> I'd like to get nginx to accept/use the correct/instructed CHAIN order
> so that it starts up correctly AND is reported 'correct order' by
> testing sites.
>
> Is this a config issue on my end (either nginx or the cert build)?
> Or a bug?

http://nginx.org/en/docs/http/configuring_https_servers.html#chains

cat STAR_domain.com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > my.domain.com.CHAIN.crt


Igor S.
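Both the original question (root-first bundle rejected with "key values mismatch", leaf-first-then-root bundle accepted but flagged "Incorrect order") and Igor's one-line answer come down to the same rule: nginx treats the first certificate in the ssl_certificate file as the server certificate and checks it against ssl_certificate_key, and every certificate after it has to be the issuer of the one before it. The script below is an added example, not code from the thread or from nginx. It assumes the openssl CLI is on PATH, generates its own throwaway Root -> Intermediate -> Leaf chain (constructed test material, not the Comodo certificates; the names "Example Root CA", "www.example.test" and the function names are made up for this example), then runs the same two checks over three bundle orderings before nginx would ever see them.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is on PATH.
# Builds a throwaway Root -> Intermediate -> Leaf chain (constructed test
# material) and checks a PEM bundle the way nginx's ssl_certificate consumes
# it: the first certificate is the server certificate and must match
# ssl_certificate_key; every certificate after it must be the issuer of the
# one before it.
set -e
WORK=$(mktemp -d)

# Minimal OpenSSL config so the example does not depend on a system openssl.cnf
cat > "$WORK/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF

# Self-signed root CA (constructed, stands in for AddTrustExternalCARoot)
openssl req -x509 -config "$WORK/x.cnf" -extensions ca_ext -newkey rsa:2048 \
  -nodes -sha256 -days 2 -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# issue NAME SUBJECT ISSUER EXT_SECTION: new key + CSR, signed by ISSUER
issue() {
  openssl req -new -config "$WORK/x.cnf" -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/x.cnf" -extensions "$4" \
    -out "$WORK/$1.crt" 2>/dev/null
}
issue inter "/CN=Example Intermediate CA" root  ca_ext
issue leaf  "/CN=www.example.test"        inter leaf_ext

# bundle_status BUNDLE KEY: prints ok | key-mismatch | wrong-order
bundle_status() {
  d=$(mktemp -d)
  # Split the bundle into cert1.pem, cert2.pem, ... keeping file order
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/ {n++} n > 0 {print > (d "/cert" n ".pem")}' "$1"
  n=$(grep -c 'BEGIN CERTIFICATE' "$1")
  # nginx loads the first certificate as the server cert and checks it against
  # the private key; a mismatch here is the X509_check_private_key emerg
  # from the thread, caught before restarting nginx
  cpub=$(openssl x509 -in "$d/cert1.pem" -noout -pubkey | openssl sha256)
  kpub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  if [ "$cpub" != "$kpub" ]; then echo key-mismatch; return 0; fi
  # Each certificate's issuer must be the subject of the next one; this is
  # the ordering that chain checkers such as SSL Labs report on
  i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -in "$d/cert$i.pem" -noout -issuer -nameopt RFC2253)
    sub=$(openssl x509 -in "$d/cert$((i+1)).pem" -noout -subject -nameopt RFC2253)
    if [ "${iss#issuer=}" != "${sub#subject=}" ]; then echo wrong-order; return 0; fi
    i=$((i+1))
  done
  echo ok
}

# Three bundles: the root-first order from the question, the poster's second
# attempt (leaf first, then root, then intermediate), and the order from
# Igor's reply (leaf, then each issuer in turn)
cat "$WORK/root.crt" "$WORK/inter.crt" "$WORK/leaf.crt" > "$WORK/root_first.pem"
cat "$WORK/leaf.crt" "$WORK/root.crt" "$WORK/inter.crt" > "$WORK/leaf_then_reversed.pem"
cat "$WORK/leaf.crt" "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/leaf_first.pem"

for b in root_first leaf_then_reversed leaf_first; do
  echo "$b: $(bundle_status "$WORK/$b.pem" "$WORK/leaf.key")"
done
```

Run against a real bundle as `bundle_status my.domain.com.CHAIN.crt my.domain.com.key` after the chain generation; "key-mismatch" is the case nginx refuses to start on, "wrong-order" is the case that starts but fails the SSL Labs chain check. The self-signed root at the end is accepted by this check; clients that trust it already have it, so it is not needed in the bundle, but leaving it there does not break the order.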

Hi,

I use portecle ( http://portecle.sourceforge.net/ ) to examine ssl
certificates.

Rgds, Axel

On 01.11.2012 00:47, [email protected] wrote: