SSL certificate chain
daniel at malarhojden.nu
Mon Sep 2 13:08:16 UTC 2013
So … mysteries solved. I believe.
A few things were wrong for me:
1) I had a catch-all virtual host using the same certificate file as the main site (configured both with an "invalid" server name and default_server for both HTTP and HTTPS)
2) It seems the virtual server is also selected based on the CN/SubjectAltName from the certificate, which I did not know (is this correct? Seems so from my testing)
So I changed the certificate on the catch-all virtual server to a self-signed one and now everything seems to be OK.
Sorry for taking up your time with my misconfigured server. At least I learned something :)
On 2 Sep 2013, at 19:12, Steve Wilson <lists-nginx at swsystem.co.uk> wrote:
> On 2013-09-02 11:59, Daniel Lundqvist wrote:
>> I have, it just says only 1 certificate is provided. Here are the test
> I note that you're using StartCom for the certificate. I recall that the intermediate certificate they say to use isn't actually the one provided, and I had to complete the certificate chain myself.
> To build up my PEM I started with the crt and key; then, running "openssl x509 -in cert.pem -noout -text", I was able to download the correct intermediate using the "CA Issuers - URI" provided in the certificate, appending this to the PEM and retesting, and repeating the process for each certificate until it became valid.
> Authority Information Access:
> OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
> CA Issuers - URI:http://aia.startssl.com/certs/sub.class1.server.ca.crt
> It might be worth checking if your intermediate matches the above sub.class1.server.ca.crt one.
> nginx mailing list
> nginx at nginx.org
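Steve's chain-building loop, as an added shell example that is not part of the original thread and is not StartCom's or nginx's own code. It builds a throwaway root -> intermediate -> leaf PKI with openssl so it runs offline, gives the leaf an AIA "CA Issuers" entry the way the StartCom leaf had one, and then does what Steve described: read the CA Issuers URI from the last certificate, fetch that issuer, append it to the PEM and re-run the verification until it passes. The names (Example Root CA, www.example.com), the AIA URL http://aia.example.com/sub.ca.crt and the fetch() function are constructed for the example; fetch() stands in for the download (curl in real life) and maps that URL to the local intermediate file. The resulting PEM is ordered leaf first, then intermediates, which is the order nginx's ssl_certificate file expects.

```shell
#!/bin/sh
# Added example: throwaway PKI plus the "append the AIA issuer until it
# verifies" loop. All names, URLs and the fetch() stand-in are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles (constructed): the minimum openssl verify needs to
# accept a certificate as an issuer, plus the AIA pointer on the leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > leaf.ext
printf 'authorityInfoAccess=caIssuers;URI:http://aia.example.com/sub.ca.crt\n' >> leaf.ext

newkey_csr() {  # $1 = file prefix, $2 = subject
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" 2>/dev/null
}

# Root CA (self-signed), intermediate signed by root, leaf signed by intermediate.
newkey_csr root "/CN=Example Root CA"
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 1 \
    -extfile ca.ext 2>/dev/null
newkey_csr sub "/CN=Example Intermediate CA"
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out sub.crt -days 1 -extfile ca.ext 2>/dev/null
newkey_csr leaf "/CN=www.example.com"
openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
    -out leaf.crt -days 1 -extfile leaf.ext 2>/dev/null

# The "CA Issuers - URI" from a certificate's AIA extension (empty if none):
# the same field Steve read out of "openssl x509 -noout -text".
ca_issuers_uri() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*CA Issuers - URI://p'
}

# How many certificates a PEM file carries: what "only 1 certificate is
# provided" is counting.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Does the leaf verify against the trusted root using only the certificates
# in $1 as intermediates? This is what a client sees if the server sends $1.
chain_ok() {
    openssl verify -CAfile root.crt -untrusted "$1" leaf.crt >/dev/null 2>&1
}

# Stand-in for the download step (curl -sS "$uri" against a real CA). The
# test PKI has no web server, so the constructed URL maps to the local file.
fetch() {
    case "$1" in
        http://aia.example.com/sub.ca.crt) cat sub.crt ;;
        *) return 1 ;;
    esac
}

# Start from the leaf alone and append the issuer named by AIA until
# openssl verify is satisfied. Gives up after 5 hops so a missing or
# circular AIA pointer cannot spin forever.
build_chain() {
    out=$1
    cp leaf.crt "$out"
    last=leaf.crt
    hops=0
    while ! chain_ok "$out"; do
        hops=$((hops + 1))
        [ "$hops" -le 5 ] || return 1
        uri=$(ca_issuers_uri "$last")
        [ -n "$uri" ] || return 1
        fetch "$uri" > "issuer$hops.crt" || return 1
        cat "issuer$hops.crt" >> "$out"
        last="issuer$hops.crt"
    done
}

cp leaf.crt only_leaf.pem
echo "leaf alone: $(cert_count only_leaf.pem) cert(s), verifies: $(chain_ok only_leaf.pem && echo yes || echo no)"
build_chain full.pem
echo "built chain: $(cert_count full.pem) cert(s), verifies: $(chain_ok full.pem && echo yes || echo no)"
```

For a real deployment the trust root is the system CA bundle rather than a local root.crt, and the fetched issuer may arrive as DER (convert with openssl x509 -inform DER before appending). Once the PEM verifies locally, openssl s_client -connect host:443 -servername host -showcerts against the running server is the check that nginx is actually sending the whole chain for that server name.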