Re: Incorrect SSL cert chain build order used/required by nginx 1.3.8 ?

November 01, 2012 01:18AM
On Nov 1, 2012, at 3:47 , chiterri@operamail.com wrote:

> I'm running nginx/1.3.8 on linux/64.
>
> I'm installing a commercial cert in nginx (Comodo Essential SSL).
>
> When I build the SSL chain in order per instructions from Comodo (Root
> -> Intermediate(s))
>
> https://comodosslstore.com/blog/how-do-i-make-my-own-bundle-file-from-crt-files.html
>
> I do
>
> cat AddTrustExternalCARoot.crt > my.domain.com.CHAIN.crt
> cat UTNAddTrustSGCCA.crt >> my.domain.com.CHAIN.crt
> cat ComodoUTNSGCCA.crt >> my.domain.com.CHAIN.crt
> cat EssentialSSLCA_2.crt >> my.domain.com.CHAIN.crt
> cat STAR_domain.com.crt >> my.domain.com.CHAIN.crt
>
>
> If I use this CHAIN'd cert in my nginx conf,
>
> ssl on;
> ssl_verify_client off;
> ssl_certificate "/path/to/my.domain.com.CHAIN.crt";
> ssl_certificate_key "/path/to/my.domain.com.key";
>
> and start nginx, it fails,
>
> ==> error.log <==
> 2012/10/31 16:36:44 [emerg] 8666#0:
> SSL_CTX_use_PrivateKey_file("/path/to/my.domain.com.key") failed
> (SSL: error:0B080074:x509 certificate
> routines:X509_check_private_key:key values mismatch)
>
> If I simply switch the cert CHAIN build order, so the personal site crt
> is *first* to,
>
> + cat STAR_domain.com.crt > my.domain.com.CHAIN.crt
> - cat AddTrustExternalCARoot.crt > my.domain.com.CHAIN.crt
> + cat AddTrustExternalCARoot.crt >> my.domain.com.CHAIN.crt
> cat UTNAddTrustSGCCA.crt >> my.domain.com.CHAIN.crt
> cat ComodoUTNSGCCA.crt >> my.domain.com.CHAIN.crt
> cat EssentialSSLCA_2.crt >> my.domain.com.CHAIN.crt
> - cat STAR_domain.com.crt >> my.domain.com.CHAIN.crt
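Review bot: the reordered commands move STAR_domain.com.crt to the front (which is why nginx now finds a certificate matching the key) but leave AddTrustExternalCARoot.crt immediately after it, so the file reads leaf, root, UTNAddTrustSGCCA, ComodoUTNSGCCA, EssentialSSLCA_2; certificate 1 is not the issuer of certificate 0, which is the "Incorrect order" SSL Labs reports further down. The intermediates should follow the site certificate in signing order (EssentialSSLCA_2.crt, ComodoUTNSGCCA.crt, UTNAddTrustSGCCA.crt) with AddTrustExternalCARoot.crt last, i.e. the Comodo list reversed rather than rotated.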
>
> then start nginx, it starts correctly, with no error. The site's
> accessible from most locations.
>
> But a check with
>
> https://www.ssllabs.com/ssltest/index.html
>
> returns/reports
>
> "Chain issues Incorrect order"
>
> I'd like to get nginx to accept/use the correct/instructed CHAIN order
> so that it starts-up correctly AND is reported 'correct order' by
> testing sites.
>
> Is this a config issue on my end -- either nginx or the cert build?
> Or a bug?

http://nginx.org/en/docs/http/configuring_https_servers.html#chains

cat STAR_domain.com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > my.domain.com.CHAIN.crt


--
Igor Sysoev
http://nginx.com/support.html

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
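As an added check (not part of this thread, and not an nginx or Comodo tool), a small POSIX shell function that verifies a bundle the way the answer above describes before nginx loads it: the first certificate must match the private key (otherwise nginx fails with the "key values mismatch" error quoted in the question), and each certificate must be issued by the one after it, so the file reads leaf, intermediates, root. It assumes openssl(1) is installed; the bundle and key paths are the function's arguments.

```shell
#!/bin/sh
# check_chain_order BUNDLE.pem KEY.pem
# Verifies the order nginx's ssl_certificate expects: server certificate
# first (its key must match ssl_certificate_key), then each intermediate,
# each one issued by the certificate after it, root (if present) last.
# Assumes openssl(1) is available.
check_chain_order() {
    bundle="$1"; key="$2"
    dir=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate: cert-00, cert-01, ...
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n > 0 { print > (sprintf("%s/cert-%02d", d, n - 1)) }' "$bundle"
    count=$(ls "$dir" | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $bundle"; rm -rf "$dir"; return 1
    fi
    # 1. The first certificate must belong to the private key. A root or an
    #    intermediate in that position is what makes nginx report
    #    "X509_check_private_key:key values mismatch" at startup.
    cert_pub=$(openssl x509 -in "$dir/cert-00" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "first certificate in $bundle does not match $key"
        rm -rf "$dir"; return 1
    fi
    # 2. Each certificate's issuer must be the subject of the next one;
    #    a break here is the "Chain issues: Incorrect order" case.
    i=0
    while [ $((i + 1)) -lt "$count" ]; do
        cur=$(printf '%s/cert-%02d' "$dir" "$i")
        nxt=$(printf '%s/cert-%02d' "$dir" $((i + 1)))
        issuer=$(openssl x509 -in "$cur" -noout -issuer | sed 's/^[^=]*=//')
        subject=$(openssl x509 -in "$nxt" -noout -subject | sed 's/^[^=]*=//')
        if [ "$issuer" != "$subject" ]; then
            echo "certificate $i is issued by '$issuer' but certificate $((i + 1)) is '$subject'"
            rm -rf "$dir"; return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    echo "$bundle: $count certificates, order is leaf -> intermediates -> root"
    return 0
}
```

Run it as `check_chain_order my.domain.com.CHAIN.crt my.domain.com.key`; a non-zero exit names the first certificate that is out of place.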