Verisign Intermediate CA issues
Igor Sysoev
is at rambler-co.ru
Sat Jan 24 18:11:15 MSK 2009
On Fri, Jan 23, 2009 at 01:02:45PM -0800, James Ochs wrote:
> Hi all,
>
> We have a verisign ssl cert and I've configured nginx with the .crt
> file containing our cert and the verisign intermediate cert (in that
> order in the file)

It seems that you get the wrong Verisign intermediate cert:

 0 s:/C=US/ST=California/L=Redwood City/O=GreenNote, Inc/OU=IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=www.greennote.com
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

www.greennote.com is issued by

    /O=VeriSign Trust Network/OU=VeriSign, Inc.
    /OU=VeriSign International Server CA - Class 3
    /OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

but the second certificate is

    /C=US
    /O=VeriSign, Inc.
    /OU=VeriSign Trust Network
    /OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA

> In MacOs safari, both on the desktop and the iphone, I am getting
> certificate errors (can't verify the identity). Firefox on the same
> platform says the certificate is ok, and IE in most cases says it is
> ok. I have had a couple of reports of IE7 complaining about the
> validity of the certificate, but that has been sporadic. I've also
> checked it with curl (on linux and macos) and it complains as follows:
>
> curl https://www.greennote.com
> curl: (60) Peer certificate cannot be authenticated with known CA certificates
>
> Does anyone have any ideas of why this would happen?
>
> My nginx.conf has this for ssl:
>
> ssl on;
> ssl_certificate /etc/nginx/www.crt;
> ssl_certificate_key /etc/nginx/prod.key;
>
> ssl_session_timeout 10m;
> ssl_session_cache shared:SSL:10m;
>
> ssl_protocols SSLv3 TLSv1;
> ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:+EXP;
> ssl_prefer_server_ciphers on;
>
> This problem was not happening on our hardware load balancers with the
> same certificate, so I'm at a loss as to what to try next.
>
> thanks,
> james
>
> --
> James Ochs
> Network Operations Manager
> james.ochs at greennote.com
> KeyID: 0x6E7BBE9D
>
--
Igor Sysoev
http://sysoev.ru/en/