Thawte SSL with 3 certificates

Igor Sysoev igor at sysoev.ru
Sun Jun 5 11:30:17 MSD 2011


On Sun, Jun 05, 2011 at 03:12:36AM -0400, ajfisher wrote:
> Hi all,
> 
> After much googling, lots of hair pulling and still no result I'm hoping
> someone here has seen this particular issue or else can help point me in
> a direction that may help resolve it.
> 
> For a site I'm building I need to have SSL enabled - it's ecom. I've
> configured SSL on nginx before without too many problems though did get
> caught out with a Thawte renewal which required the domain certificate
> and the Thawte CA intermediate. Concatenating them into the same file
> resolved the issue and all the sites I've had to do that with are
> working fine. Until now that is...
> 
> On this latest file, Thawte has supplied not one intermediate CA
> certificate but two - a primary and a secondary which need to be
> included.
> 
> I started off in the same vein - creating a file with mine first, then
> the two supplied by Thawte - I have tried all the combinations of the
> three certificates and can reliably make it break by moving the domain
> cert out of first position but no combination of the other two appears
> to work - including removal of one or the other.
> 
> Has anyone come across this issue at all with other certificate
> authorities or even Thawte specifically? I'm literally a week from
> launching the site so need to resolve this as certainly in browsers like
> Chrome you get the "this website is not secure" error message...
> 
> Weirdly the domain certificate information is available when you enquire
> it in the browser however there's no chaining information available when
> you show the hierarchy. It shows the domain cert as the root
> certificate and it appears like this is where the error is coming from.
> 
> Any ideas what might be causing this effect? 

You may investigate the certificate chain using
"openssl s_client -connect ..." as described here:
http://nginx.org/en/docs/http/configuring_https_servers.html#chains


-- 
Igor Sysoev
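
Added example, not part of the original thread or of the nginx documentation: a Python check that reads the "Certificate chain" section printed by "openssl s_client -connect ..." and reports each position where a certificate's issuer is not the subject of the next certificate the server sent, which is how a wrong order in the concatenated file shows up. The sample output is constructed, and every name in it is a placeholder (including which intermediate issues which).

```python
import re

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, in_section = [], False
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
        elif in_section and line.strip() == "---":
            break  # end of the chain section
        elif in_section and (m := re.match(r"\s*\d+ s:(.*)", line)):
            chain.append([m.group(1).strip(), None])
        elif in_section and chain and (m := re.match(r"\s+i:(.*)", line)):
            chain[-1][1] = m.group(1).strip()
    return [tuple(c) for c in chain]

def check_chain(s_client_output):
    """Return a list of problems; an empty list means every link matches."""
    chain = parse_chain(s_client_output)
    if not chain:
        return ["no 'Certificate chain' section found"]
    problems = []
    for depth, (_, issuer) in enumerate(chain[:-1]):
        if issuer != chain[depth + 1][0]:
            problems.append(f"depth {depth}: issuer is not the subject at depth {depth + 1}")
    if len(chain) == 1 and chain[0][0] != chain[0][1]:
        problems.append("server sent only its own certificate, no intermediates")
    return problems

# Constructed sample data; placeholder names, not real CA names.
LEAF = "/CN=shop.example.com"
INT_A = "/CN=Example Intermediate CA A"   # assumed to issue the domain cert
INT_B = "/CN=Example Intermediate CA B"   # assumed to issue INT_A
ROOT = "/CN=Example Root CA"

def sample(*pairs):
    """Build a 'Certificate chain' section in the layout s_client prints."""
    body = "".join(f" {n} s:{s}\n   i:{i}\n" for n, (s, i) in enumerate(pairs))
    return f"CONNECTED(00000003)\n---\nCertificate chain\n{body}---\nServer certificate\n"

GOOD = sample((LEAF, INT_A), (INT_A, INT_B), (INT_B, ROOT))
SWAPPED = sample((LEAF, INT_A), (INT_B, ROOT), (INT_A, INT_B))
LEAF_ONLY = sample((LEAF, INT_A))

if __name__ == "__main__":
    for name, text in [("good", GOOD), ("swapped", SWAPPED), ("leaf only", LEAF_ONLY)]:
        print(name, check_chain(text) or "chain links correctly")
```
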


