Incorrect SSL cert chain build order used/required by nginx 1.3.8 ?
chiterri at operamail.com
Wed Oct 31 23:47:26 UTC 2012
I'm running nginx/1.3.8 on linux/64.
I'm installing a commercial cert in nginx (Comodo Essential SSL).
When I build the SSL chain in order per instructions from Comodo (Root
-> Intermediate(s)),
https://comodosslstore.com/blog/how-do-i-make-my-own-bundle-file-from-crt-files.html
I do
cat AddTrustExternalCARoot.crt > my.domain.com.CHAIN.crt
cat UTNAddTrustSGCCA.crt >> my.domain.com.CHAIN.crt
cat ComodoUTNSGCCA.crt >> my.domain.com.CHAIN.crt
cat EssentialSSLCA_2.crt >> my.domain.com.CHAIN.crt
cat STAR_domain.com.crt >> my.domain.com.CHAIN.crt
If I use this CHAIN'd cert in my nginx conf,
ssl on;
ssl_verify_client off;
ssl_certificate "/path/to/my.domain.com.CHAIN.crt";
ssl_certificate_key "/path/to/my.domain.com.key";
and start nginx, it fails,
==> error.log <==
2012/10/31 16:36:44 [emerg] 8666#0:
SSL_CTX_use_PrivateKey_file("/path/to/my.domain.com.key") failed
(SSL: error:0B080074:x509 certificate
routines:X509_check_private_key:key values mismatch)
If I simply switch the cert CHAIN build order, so the personal site crt
is *first* to,
+ cat STAR_domain.com.crt > my.domain.com.CHAIN.crt
- cat AddTrustExternalCARoot.crt > my.domain.com.CHAIN.crt
+ cat AddTrustExternalCARoot.crt >> my.domain.com.CHAIN.crt
cat UTNAddTrustSGCCA.crt >> my.domain.com.CHAIN.crt
cat ComodoUTNSGCCA.crt >> my.domain.com.CHAIN.crt
cat EssentialSSLCA_2.crt >> my.domain.com.CHAIN.crt
- cat STAR_domain.com.crt >> my.domain.com.CHAIN.crt
then start nginx, it starts correctly, with no error. The site's
accessible from most locations.
But a check with
https://www.ssllabs.com/ssltest/index.html
returns/reports
"Chain issues Incorrect order"
I'd like to get nginx to accept/use the correct/instructed CHAIN order
so that it starts up correctly AND is reported 'correct order' by
testing sites.
Is this a config issue on my end -- either nginx or the cert build?
Or a bug?
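Both symptoms in the post have one cause: nginx pairs ssl_certificate_key with the first certificate in the ssl_certificate file and sends the remaining ones as the chain, so the file must start with the server certificate and continue issuer by issuer up to the root. The checker below is an added example (my own code, not nginx's or Comodo's, standard library only) that reads a PEM bundle, reports every adjacent pair where the second certificate is not the issuer of the first, and rebuilds the leaf-first order; fake_cert and ROOT_FIRST_BUNDLE are constructed, unsigned stand-ins with the real X.509 field layout, not real certificates.

```python
import base64, re

def _children(body):                               # DER: split a constructed value into (tag, value) children
    out, pos = [], 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:                              # long-form length, used by every real certificate
            n, pos = ln & 0x7F, pos + (ln & 0x7F)
            ln = int.from_bytes(body[pos - n:pos], "big")
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out
def names(der):                                    # -> (issuer, subject) as raw DER Name bytes
    tbs = _children(_children(_children(der)[0][1])[0][1])   # Certificate -> tbsCertificate fields
    i = 1 if tbs[0][0] == 0xA0 else 0              # skip the explicit [0] version field when present
    return tbs[i + 2][1], tbs[i + 4][1]

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def load_bundle(pem_text):                         # PEM bundle -> list of DER certs, in file order
    return [base64.b64decode(b.replace("\n", "")) for b in PEM_RE.findall(pem_text)]
def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

def chain_problems(certs):                         # nginx order: leaf first, then each cert's issuer right after it
    return [f"cert #{k + 1} was not issued by cert #{k + 2}"
            for k in range(len(certs) - 1) if names(certs[k])[0] != names(certs[k + 1])[1]]
def reorder(certs):                                # leaf = the cert that issued nothing else; then follow issuers
    issued = {names(c)[0] for c in certs}
    by_subject = {names(c)[1]: c for c in certs}
    leaves = [c for c in certs if names(c)[1] not in issued]
    if len(leaves) != 1:
        raise ValueError("bundle does not contain exactly one leaf certificate")
    ordered, cur = [], leaves[0]
    while cur is not None and cur not in ordered:  # stops at a self-signed root or a missing issuer
        ordered.append(cur)
        cur = by_subject.get(names(cur)[0])
    return ordered

# CONSTRUCTED, unsigned stand-ins with the real X.509 field layout (hypothetical helpers, not a CA tool).
def _der(tag, body):                               # short-form lengths are enough for these tiny samples
    return bytes([tag, len(body)]) + body
def _name(cn):                                     # Name = SEQUENCE { SET { SEQUENCE { OID cn, PrintableString } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))))
def fake_cert(subject, issuer):
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + _name(issuer)
           + _der(0x30, b"") + _name(subject) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))
# Root-first bundle as in the post: nginx pairs the key with the *first* cert, hence "key values mismatch".
ROOT_FIRST_BUNDLE = "".join(to_pem(fake_cert(s, i)) for s, i in (("Root", "Root"), ("Inter", "Root"), ("Leaf", "Inter")))
```

Running chain_problems(load_bundle(open(path).read())) on the real my.domain.com.CHAIN.crt reports the broken links, and writing "".join(to_pem(c) for c in reorder(certs)) back out gives the order nginx and SSL Labs both expect.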