<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Nov 14, 2022 at 9:33 PM Lukas Tribus <<a href="mailto:lukas@ltri.eu">lukas@ltri.eu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Mon, 14 Nov 2022 at 21:33, James Read <<a href="mailto:jamesread5737@gmail.com" target="_blank">jamesread5737@gmail.com</a>> wrote:<br>
>> For nginx you need the base64 encoding, which is:<br>
>><br>
>> <a href="https://ssl-ccp.secureserver.net/repository/sfig2.crt.pem" rel="noreferrer" target="_blank">https://ssl-ccp.secureserver.net/repository/sfig2.crt.pem</a><br>
>><br>
><br>
> I tried adding that certificate but sudo nginx -t now returns the following error:<br>
><br>
> nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/ssl/private/wottot.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)<br>
> nginx: configuration file /etc/nginx/nginx.conf test failed<br>
<br>
The intermediate certificate does not replace your own certificate. It<br>
replaces the unrelated root certificates.<br>
<br>
<a href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate" rel="noreferrer" target="_blank">http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate</a><br>
<br>
> the primary certificate comes first, then the intermediate certificates<br>
<br>
So the file needs to contain first your certificate and then the<br>
intermediate one.<br></blockquote><div><br></div><div>OK. Thanks. I rearranged the file and deleted some certificates. Now sslabs is reporting no chain issues for <span style="background-color:rgb(247,247,247);color:rgb(136,136,136);font-size:23px;font-weight:700">Certificate #1: RSA 2048 bits (SHA256withRSA)</span> but for <span style="background-color:rgb(247,247,247);color:rgb(136,136,136);font-size:23px;font-weight:700">Certificate #2: RSA 2048 bits (SHA256withRSA)</span> it is reporting </div><table class="gmail-reportTable" style="border-collapse:collapse;width:850px;margin:0px 10px 0px 0px;padding:0px;font-size:12px;line-height:20px;background-color:rgb(253,253,253)"><tbody><tr class="gmail-tableRow"><td class="gmail-tableLabel" style="padding:3px 10px 3px 0px;color:rgb(68,68,68);border-bottom:1px solid rgb(240,240,240);vertical-align:middle;font-weight:bold;width:250px"><font color="#F88017">Chain issues</font></td><td class="gmail-tableCell" style="padding:3px 0px;border-bottom:1px solid rgb(240,240,240);vertical-align:middle;word-break:break-word"><font color="#F88017"><b>Incomplete, Extra certs, Contains anchor<br></b></font></td></tr></tbody></table><div><br></div><div>Any ideas?</div><div><br></div><div>James Read</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
<br>
Lukas<br>
_______________________________________________<br>
nginx mailing list -- <a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
To unsubscribe send an email to <a href="mailto:nginx-leave@nginx.org" target="_blank">nginx-leave@nginx.org</a><br>
</blockquote></div></div>