Incorrect SSL cert chain build order used/required by nginx 1.3.8 ?

Igor Sysoev igor at sysoev.ru
Thu Nov 1 05:17:25 UTC 2012


On Nov 1, 2012, at 3:47 , chiterri at operamail.com wrote:

> I'm running nginx/1.3.8 on linux/64.
> 
> I'm installing a commercial cert in nginx (Comodo Essential SSL).
> 
> When I build the SSL chain in order per instructions from Comodo (Root
> -> Intermediate(s)),
> 
> 	https://comodosslstore.com/blog/how-do-i-make-my-own-bundle-file-from-crt-files.html
> 
> I do
> 
> 	cat AddTrustExternalCARoot.crt >  my.domain.com.CHAIN.crt
> 	cat UTNAddTrustSGCCA.crt       >> my.domain.com.CHAIN.crt
> 	cat ComodoUTNSGCCA.crt         >> my.domain.com.CHAIN.crt
> 	cat EssentialSSLCA_2.crt       >> my.domain.com.CHAIN.crt
> 	cat STAR_domain.com.crt        >> my.domain.com.CHAIN.crt
> 
> 
> If I use this CHAIN'd cert in my nginx conf,
> 
> 	ssl                       on;
> 	ssl_verify_client         off;
> 	ssl_certificate           "/path/to/my.domain.com.CHAIN.crt";
> 	ssl_certificate_key       "/path/to/my.domain.com.key";
> 
> and start nginx, it fails,
> 
> 	==> error.log <==
> 	2012/10/31 16:36:44 [emerg] 8666#0:
> 	SSL_CTX_use_PrivateKey_file("/path/to/my.domain.com.key") failed
> 	(SSL: error:0B080074:x509 certificate
> 	routines:X509_check_private_key:key values mismatch)
> 
> If I simply switch the cert CHAIN build order, so the personal site crt
> is *first* to,
> 
> +       cat STAR_domain.com.crt        >  my.domain.com.CHAIN.crt
> -       cat AddTrustExternalCARoot.crt >  my.domain.com.CHAIN.crt
> +       cat AddTrustExternalCARoot.crt >> my.domain.com.CHAIN.crt
> 	cat UTNAddTrustSGCCA.crt       >> my.domain.com.CHAIN.crt
> 	cat ComodoUTNSGCCA.crt         >> my.domain.com.CHAIN.crt
> 	cat EssentialSSLCA_2.crt       >> my.domain.com.CHAIN.crt
> -       cat STAR_domain.com.crt        >> my.domain.com.CHAIN.crt
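Review bot: moving only STAR_domain.com.crt to the front cures the key mismatch but leaves the other four lines in root-to-leaf order, so the second certificate in the bundle is AddTrustExternalCARoot.crt rather than EssentialSSLCA_2.crt, the issuer of the site certificate; that is what a chain checker flags as incorrect order. The remaining four cat lines should be reversed as well (EssentialSSLCA_2.crt, ComodoUTNSGCCA.crt, UTNAddTrustSGCCA.crt, AddTrustExternalCARoot.crt) so that each certificate is followed by its issuer.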
> 
> then start nginx, it starts correctly, with no error.  The site's
> accessible from most locations.
> 
> But a check with
> 
> 	https://www.ssllabs.com/ssltest/index.html
> 
> returns/reports
> 
> 	"Chain issues   Incorrect order"
> 
> I'd like to get nginx to accept/use the correct/instructed CHAIN order
> so that it starts up correctly AND is reported 'correct order' by
> testing sites.
> 
> Is this a config issue on my end -- either nginx or the cert build?
> Or a bug?

http://nginx.org/en/docs/http/configuring_https_servers.html#chains

cat STAR_domain.com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > my.domain.com.CHAIN.crt


--
Igor Sysoev
http://nginx.com/support.html
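A way to catch both failures from this thread before restarting nginx, as an added example that is not part of the list post or of nginx: a POSIX shell check that the first certificate in the bundle matches the private key (the condition behind nginx's X509_check_private_key error) and that each following certificate is the issuer of the one before it (the condition behind the SSL Labs "Incorrect order" report). It assumes the openssl CLI is installed; the root, intermediate and leaf it generates are constructed for the demo, and each .crt is assumed to end with a newline, as the cat commands in the post require.

```shell
# Added example, not from the nginx post: check that a PEM bundle is in the
# order nginx/OpenSSL expect (server cert first, then each issuer in turn).
# Needs the openssl CLI; each .crt is assumed to end with a newline.
# check_chain_order BUNDLE.pem SERVER.key  -> returns 0 if the order is right
check_chain_order() {
  dir=$(mktemp -d)
  # split the bundle into cert-1.pem, cert-2.pem, ... in file order
  n=$(awk -v d="$dir" '/BEGIN CERT/{n++} {print > (d "/cert-" n ".pem")} END{print n+0}' "$1")
  # 1. the first certificate must be the one the private key belongs to
  #    (nginx's "X509_check_private_key:key values mismatch" is this check)
  cert_pub=$(openssl x509 -in "$dir/cert-1.pem" -pubkey -noout | openssl pkey -pubin)
  key_pub=$(openssl pkey -in "$2" -pubout)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: first certificate in $1 does not match $2"; rm -rf "$dir"; return 1
  fi
  # 2. each following certificate must be the issuer of the one before it
  #    (a violation here is what SSL Labs reports as "Incorrect order")
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer | sed 's/^issuer=//')
    subj=$(openssl x509 -in "$dir/cert-$((i+1)).pem" -noout -subject | sed 's/^subject=//')
    if [ "$issuer" != "$subj" ]; then
      echo "FAIL: cert $((i+1)) is '$subj' but cert $i was issued by '$issuer'"
      rm -rf "$dir"; return 1
    fi
    i=$((i+1))
  done
  rm -rf "$dir"; echo "OK: $n certificates, server cert first, issuers in order"
}

# make_demo_chain DIR: constructed root -> intermediate -> leaf (EC keys) plus
# good.pem (leaf,inter,root), rootfirst.pem (the post's first attempt) and
# swapped.pem (leaf first, issuers reversed: the "Incorrect order" case)
make_demo_chain() (
  cd "$1" || exit 1
  new="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
  openssl req -x509 $new -keyout root.key -out root.crt -subj "/CN=Demo Root" -days 1 2>/dev/null
  openssl req -new $new -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -out inter.crt -days 1 2>/dev/null
  openssl req -new $new -keyout leaf.key -out leaf.csr -subj "/CN=www.example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial -out leaf.crt -days 1 2>/dev/null
  cat leaf.crt inter.crt root.crt > good.pem
  cat root.crt inter.crt leaf.crt > rootfirst.pem
  cat leaf.crt root.crt inter.crt > swapped.pem
)

D=$(mktemp -d); make_demo_chain "$D"
for b in good rootfirst swapped; do
  printf '%s: ' "$b.pem"; check_chain_order "$D/$b.pem" "$D/leaf.key" || true
done
rm -rf "$D"
```

Run it against the real bundle and key (check_chain_order my.domain.com.CHAIN.crt my.domain.com.key) before reloading nginx; only good.pem passes in the demo.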