SSL certificate chain

Daniel Lundqvist daniel at
Mon Sep 2 13:08:16 UTC 2013

So … mysteries solved. I believe.

A few things were wrong for me:

1) I had a catch-all virtual host using the same certificate file as the main site (configured both with an "invalid" server name and default_server for both HTTP and HTTPS)

2) It seems the virtual server is also selected based on the CN/SubjectAltName from the certificate, which I did not know (is this correct? Seems so from my testing)

So I changed the certificate on the catch-all virtual server to a self-signed one and now everything seems to be ok.

Sorry for taking up your time with my misconfigured server. At least I learned something :)


On 2 sep 2013, at 19:12, Steve Wilson <lists-nginx at> wrote:

> On 2013-09-02 11:59, Daniel Lundqvist wrote:
>> I have, it just says only 1 certificate is provided. Here are the test
>> results:
> ...
> I note that you're using StartCom for the certificate. I recall that the intermediate certificate they say to use isn't actually the one provided, and I had to complete the certificate chain myself.
> To build up my pem I started with the crt and key. Then, running "openssl x509 -in cert.pem -noout -text", I was able to download the correct intermediate using the "CA Issuers - URI" provided in the certificate. I appended this to the pem and retested, repeating the process for each certificate until it became valid.
> Authority Information Access:
>                OCSP - URI:
>                CA Issuers - URI:
> It might be worth checking if your intermediate matches the above one.
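
The offline half of the procedure described in the quoted reply, as an added example that is not part of the original thread: it walks a PEM bundle in the order nginx's ssl_certificate expects (server certificate first, then intermediates), reports the first certificate whose issuer is not the next one in the file, and prints that certificate's "CA Issuers" line so the missing intermediate can be fetched and appended. The function names are hypothetical, and the demo chain is constructed throwaway data.

```sh
# Print the subject or issuer name of a certificate file ($1 = subject|issuer).
cert_name() { openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'; }

# check_chain BUNDLE: exit 0 if each certificate is issued by the one after it,
# 1 at the first break, 2 if the bundle holds no certificate.
check_chain() (
  dir=$(mktemp -d) || exit 2
  # One file per certificate, numbered in bundle order (server certificate first).
  count=$(awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
    n { print > (d "/" n ".pem") }
    END { print n + 0 }' "$1")
  if [ "$count" -eq 0 ]; then echo "no certificate in $1"; rm -rf "$dir"; exit 2; fi
  i=1; rc=0
  while [ "$i" -lt "$count" ]; do
    want=$(cert_name issuer "$dir/$i.pem")
    have=$(cert_name subject "$dir/$((i + 1)).pem")
    if [ "$want" != "$have" ]; then
      echo "break after certificate $i: issuer is '$want', next is '$have'"
      rc=1; break
    fi
    i=$((i + 1))
  done
  # Certificate $i is the last one that chains from the server certificate.
  if [ "$(cert_name issuer "$dir/$i.pem")" = "$(cert_name subject "$dir/$i.pem")" ]; then
    echo "certificate $i is self-signed: the bundle reaches a root"
  else
    echo "certificate $i needs: $(cert_name issuer "$dir/$i.pem")"
    # Same field the reply reads by hand; absent on the constructed demo certs.
    openssl x509 -in "$dir/$i.pem" -noout -text | grep 'CA Issuers' || true
  fi
  rm -rf "$dir"
  exit "$rc"
)

# Constructed sample input: throwaway root -> int -> leaf chain written to dir $1.
make_demo_chain() (
  cd "$1" || exit 2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo root" \
    -keyout root.key -out root.pem 2>/dev/null
  for pair in int:root leaf:int; do
    c=${pair%%:*}; ca=${pair##*:}
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo $c" \
      -keyout "$c.key" -out "$c.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$c.csr" -CA "$ca.pem" -CAkey "$ca.key" \
      -set_serial 1 -out "$c.pem" 2>/dev/null
  done
)

# Stand-alone use: sh check_chain.sh /path/to/bundle.pem
if [ $# -gt 0 ]; then check_chain "$1"; fi
```

This compares names only; signatures and expiry still need `openssl verify` or an external test against the live server.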
