ssl_trusted_certificate usage with parallel ECDSA / RSA certificates ?
lists at ssl-mail.com
Thu Aug 11 13:03:58 UTC 2016
I've created 2 LetsEncrypt SSL certs -- an EC & an RSA.

Following

    Support for parallel ECDSA / RSA certificates
    https://trac.nginx.org/nginx/ticket/814

I config

    ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.ec.pem";
    ssl_certificate_key "/etc/ssl/keys/privkey_ec.pem";
    ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.rsa.pem";
    ssl_certificate_key "/etc/ssl/keys/privkey_rsa.pem";

Although the trusted cert's not mentioned in ticket/814, the 'chain.pem' is what's used in nginx

    ssl_trusted_certificate "/etc/letsencrypt/live/example.com/chain.ec.pem";
    ssl_trusted_certificate "/etc/letsencrypt/live/example.com/chain.rsa.pem";

But this config fails nginx config check

    nginx: [emerg] "ssl_trusted_certificate" directive is duplicate in /etc/nginx/sites-enabled/example.com.conf:50
    nginx: configuration file /etc/nginx/nginx.conf test failed

Commenting out one of the 2 ssl_trusted_cert stanzas

    ssl_trusted_certificate "/etc/letsencrypt/live/example.com/chain.ec.pem";
    # ssl_trusted_certificate "/etc/letsencrypt/live/example.com/chain.rsa.pem";

and rerunning the check, it passes.

In 'parallel' SSL mode, what's the correct usage for 'ssl_trusted_certificate'?

Do I use one (ec), the other (rsa), or do you have to concatenate BOTH into one crt?
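
Added example, not part of the original post: nginx takes a single ssl_trusted_certificate per context (hence the "duplicate" error above), and the PEM file it names may contain several CA certificates. The script below merges two chain files into one bundle and writes a certificate shared by both chains only once; the output path given on the command line and the sample certificates (constructed bytes, not real certificates) are assumptions.

```python
import base64
import hashlib
import re
import sys

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----",
    re.DOTALL,
)

def split_certs(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file."""
    ders = []
    for match in PEM_CERT.finditer(pem_text):
        b64 = "".join(match.group(1).split())
        ders.append(base64.b64decode(b64, validate=True))
    return ders

def to_pem(der):
    """Re-encode DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def merge_bundles(*pem_texts):
    """Concatenate PEM bundles in order, dropping byte-identical certificates."""
    seen, out = set(), []
    for text in pem_texts:
        for der in split_certs(text):
            digest = hashlib.sha256(der).digest()
            if digest not in seen:
                seen.add(digest)
                out.append(to_pem(der))
    return "".join(out)

def fake_cert(label):
    """Constructed stand-in for a certificate: arbitrary bytes, not valid X.509."""
    return to_pem(hashlib.sha512(label).digest() * 3)

# Constructed sample input: two chains with different intermediates, same root.
EC_CHAIN = fake_cert(b"ec-intermediate") + fake_cert(b"shared-root")
RSA_CHAIN = fake_cert(b"rsa-intermediate") + fake_cert(b"shared-root")

if __name__ == "__main__" and len(sys.argv) == 4:
    # usage: merge.py chain.ec.pem chain.rsa.pem <combined output path>
    with open(sys.argv[1]) as ec, open(sys.argv[2]) as rsa:
        merged = merge_bundles(ec.read(), rsa.read())
    with open(sys.argv[3], "w") as combined:
        combined.write(merged)
```

Point the one ssl_trusted_certificate directive at the combined file, then rerun the nginx config check.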