Re: SSL certificate chain

Daniel Lundqvist
September 02, 2013 09:10AM
So … mysteries solved. I believe.

A few things were wrong for me:

1) I had a catch-all virtual host using the same certificate file as the main site (configured both with an "invalid" server name and default_server for both HTTP and HTTPS)

2) It seems the virtual server is also selected based on CN/SubjectAltName from the certificate, which I did not know (is this correct? Seems so from my testing)

So I changed the certificate on the catch-all virtual server to a self-signed one and now everything seems to be OK.

Sorry for taking up your time with my misconfigured server. At least I learned something :)

--
daniel

On 2 sep 2013, at 19:12, Steve Wilson <lists-nginx@swsystem.co.uk> wrote:

> On 2013-09-02 11:59, Daniel Lundqvist wrote:
>> I have, it just says only 1 certificate is provided. Here are the test
>> results:
>> https://www.ssllabs.com/ssltest/analyze.html?d=www.malarhojden.nu
> ...
>
> I note that you're using StartCom for the certificate. I recall that the intermediate certificate they say to use isn't actually the one provided, and I had to complete the certificate chain myself.
>
> https://www.ssllabs.com/ssltest/analyze.html?d=www.stevewilson.co.uk
>
> To build up my pem I started with the crt and key. Then, running "openssl x509 -in cert.pem -noout -text", I was able to download the correct intermediate using the "CA Issuers - URI" provided in the certificate, appending this to the pem and retesting. I repeated the process for each certificate until it became valid.
>
> Authority Information Access:
> OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
> CA Issuers - URI:http://aia.startssl.com/certs/sub.class1.server.ca.crt
>
> It might be worth checking if your intermediate matches the above sub.class1.server.ca.crt one.
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
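
Added example, not part of the original thread: a Python sketch of the chain-building loop described in the quoted reply, which reads `openssl x509 -noout -text` dumps of each certificate in the bundle and reports whether the order is consistent and which "CA Issuers - URI" to fetch next. The function names `parse_dump` and `audit_bundle`, the sample dumps and the `example.test` URLs are constructed for illustration.

```python
import re

def parse_dump(text):
    """Pull subject, issuer and CA Issuers URI out of `openssl x509 -noout -text` output."""
    def field(name):
        m = re.search(rf"^\s*{name}:\s*(.+?)\s*$", text, re.M)
        # Newer OpenSSL prints "C = XX", older prints "C=XX"; normalise before comparing.
        return re.sub(r"\s*=\s*", "=", m.group(1)) if m else None
    aia = re.search(r"CA Issuers - URI:(\S+)", text)
    return {"subject": field("Subject"), "issuer": field("Issuer"),
            "ca_issuers": aia.group(1) if aia else None}

def audit_bundle(dumps):
    """dumps: one text dump per certificate, in bundle order (server certificate first).
    Compares names only; signatures are not checked here."""
    certs = [parse_dump(d) for d in dumps]
    for pos, (cert, nxt) in enumerate(zip(certs, certs[1:]), start=1):
        if cert["issuer"] != nxt["subject"]:
            return ("broken", f"certificate {pos} is not issued by certificate {pos + 1}")
    last = certs[-1]
    if last["issuer"] == last["subject"]:
        return ("complete", "bundle ends at a self-issued root")
    if last["ca_issuers"]:
        # The certificate at this URI may be a root that clients already trust.
        return ("fetch", last["ca_issuers"])
    return ("incomplete", "no CA Issuers URI in the last certificate")

# Constructed sample dumps, trimmed to the relevant lines (not taken from the thread).
LEAF = """        Issuer: C=XX, O=Example CA, CN=Example Intermediate CA
        Subject: CN=www.example.test
            Authority Information Access:
                OCSP - URI:http://ocsp.example.test/
                CA Issuers - URI:http://aia.example.test/intermediate.crt
"""
INTERMEDIATE = """        Issuer: C = XX, O = Example CA, CN = Example Root CA
        Subject: C = XX, O = Example CA, CN = Example Intermediate CA
            Authority Information Access:
                CA Issuers - URI:http://aia.example.test/root.crt
"""
ROOT = """        Issuer: C = XX, O = Example CA, CN = Example Root CA
        Subject: C = XX, O = Example CA, CN = Example Root CA
"""

if __name__ == "__main__":
    for bundle in ([LEAF], [LEAF, INTERMEDIATE], [LEAF, INTERMEDIATE, ROOT], [LEAF, ROOT]):
        print(len(bundle), "certificate(s):", audit_bundle(bundle))
```

A bundle holding only the server certificate yields `fetch` with the intermediate's URI, which corresponds to the "only 1 certificate is provided" test result mentioned in the quoted message.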
