Verisign Intermediate CA issues
Gabriel Ramuglia
gabe at vtunnel.com
Sat Jan 24 21:04:55 MSK 2009
Thanks for the heads up :)
On Sat, Jan 24, 2009 at 7:04 AM, Igor Sysoev <is at rambler-co.ru> wrote:
> On Fri, Jan 23, 2009 at 01:36:33PM -0800, Gabriel Ramuglia wrote:
>
>> Here's what I have:
>>
>> ssl on;
>> ssl_certificate /home/video/certs/video.freeproxies.org.crt;
>> ssl_certificate_key /home/video/certs/video.freeproxies.org.key;
>>
>> ssl_session_timeout 5m;
>>
>> ssl_protocols SSLv2 SSLv3 TLSv1;
>> ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
>> ssl_prefer_server_ciphers on;
>>
>> I haven't noticed any particular issues, but haven't tested in safari.
>> Would be interested to know if you get the same issue with mine (seems
>> my config is slightly different).
>>
>> https://video.freeproxies.org/flvplayer.php is a good test url.
>
> The site sends only the video.freeproxies.org certificate, without the GoDaddy
> intermediate certificates. Firefox 3.1 on Mac OS X run with a fresh profile
> does not accept the site. Firefox with a daily-used profile usually accepts
> the site, as the GoDaddy intermediate certificate may already be in the
> Firefox profile.
>
> You need to go to
> https://certs.godaddy.com/Repository.go
>
> and download the GoDaddy intermediate certificate chain:
> https://certs.godaddy.com/repository/gd_bundle.crt
>
> Then you need to
>
> cat video.freeproxies.org.crt gd_bundle.crt > video.freeproxies.org.bundle.crt
>
> and use the new bundle
>
> ssl_certificate /home/video/certs/video.freeproxies.org.bundle.crt;
>
>> On Fri, Jan 23, 2009 at 1:02 PM, James Ochs <james.ochs at greennote.com> wrote:
>> > Hi all,
>> >
>> > We have a verisign ssl cert and I've configured nginx with the .crt file
>> > containing our cert and the verisign intermediate cert (in that order in the
>> > file)
>> >
>> > In MacOs safari, both on the desktop and the iphone, I am getting
>> > certificate errors (can't verify the identity). Firefox on the same
>> > platform says the certificate is ok, and IE in most cases says it is ok. I
>> > have had a couple of reports of IE7 complaining about the validity of the
>> > certificate, but that has been sporadic. I've also checked it with curl (on
>> > linux and macos) and it complains as follows:
>> >
>> > curl https://www.greennote.com
>> > curl: (60) Peer certificate cannot be authenticated with known CA certificates
>> >
>> > Does anyone have any ideas of why this would happen?
>> >
>> > My nginx.conf has this for ssl:
>> >
>> > ssl on;
>> > ssl_certificate /etc/nginx/www.crt;
>> > ssl_certificate_key /etc/nginx/prod.key;
>> >
>> > ssl_session_timeout 10m;
>> > ssl_session_cache shared:SSL:10m;
>> >
>> > ssl_protocols SSLv3 TLSv1;
>> > ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:+EXP;
>> > ssl_prefer_server_ciphers on;
>> >
>> > This problem was not happening on our hardware load balancers with the same
>> > certificate, so I'm at a loss as to what to try next.
>> >
>> > thanks,
>> > james
>> >
>> > --
>> > James Ochs
>> > Network Operations Manager
>> > james.ochs at greennote.com
>> > KeyID: 0x6E7BBE9D
>> >
>> >
>> >
>
> --
> Igor Sysoev
> http://sysoev.ru/en/
>
>
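
The failure and fix described in the quoted reply, reproduced offline as an added example (not part of the thread): a client that trusts only the root rejects a leaf-only file and accepts the `cat`-built bundle. It assumes the `openssl` CLI is on the PATH; the PKI, subject names and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed throwaway PKI (all names are made up): root -> intermediate -> leaf.
make_pki() (  # $1 = existing empty directory
    cd "$1" || exit 1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > pki.cnf
    openssl req -config pki.cnf -x509 -extensions ca -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null || exit 1
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr 2>/dev/null || exit 1
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile pki.cnf -extensions ca -days 2 -out int.crt 2>/dev/null || exit 1
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days 2 -out leaf.crt 2>/dev/null || exit 1
    # Same step as in the thread: server certificate first, then the intermediate.
    cat leaf.crt int.crt > leaf.bundle.crt
)

# Would a client that trusts only the root accept what the server sends?
# $1 = trusted root, $2 = file configured as ssl_certificate.
# openssl verify checks the first certificate in $2; -untrusted offers every
# certificate in $2 as a possible chain link, as the TLS handshake would.
client_accepts() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# nginx requires the server certificate to come first in the combined file,
# so the first certificate must carry the public half of ssl_certificate_key.
# $1 = certificate file, $2 = private key.
first_cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

d=$(mktemp -d) && make_pki "$d" || { echo "openssl setup failed" >&2; exit 1; }
for f in leaf.crt leaf.bundle.crt; do
    if client_accepts "$d/root.crt" "$d/$f"; then r=accepted; else r=REJECTED; fi
    if first_cert_matches_key "$d/$f" "$d/leaf.key"; then k=yes; else k=NO; fi
    echo "server sends $f: chain $r, first cert matches key: $k"
done
rm -rf "$d"
```

The key check is separate because a bundle concatenated in the reverse order still starts with a certificate that chains to the root, yet no longer matches the server's private key.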