SSL certificate chain
Daniel Lundqvist
daniel at malarhojden.nu
Mon Sep 2 13:08:16 UTC 2013
So … mysteries solved. I believe.
A few things were wrong for me:
1) I had a catch-all virtual host using the same certificate file as the main site (configured both with an "invalid" server name and default_server for both HTTP and HTTPS)
2) It seems the virtual server is also selected based on the CN/SubjectAltName from the certificate, which I did not know (is this correct? Seems so from my testing)
So I changed the certificate on the catch-all virtual server to a self-signed one and now everything seems to be ok.
Sorry for taking up your time with my misconfigured server. At least I learned something :)
--
daniel
On 2 Sep 2013, at 19:12, Steve Wilson <lists-nginx at swsystem.co.uk> wrote:
> On 2013-09-02 11:59, Daniel Lundqvist wrote:
>> I have, it just says only 1 certificate is provided. Here are the test
>> results:
>> https://www.ssllabs.com/ssltest/analyze.html?d=www.malarhojden.nu
> ...
>
> I note that you're using startcom for the certificate, I recall that the intermediate certificate they say to use isn't actually the one provided and had to complete the certificate chain myself.
>
> https://www.ssllabs.com/ssltest/analyze.html?d=www.stevewilson.co.uk
>
> To build up my pem I started with the crt and key; then, running "openssl x509 -in cert.pem -noout -text", I was able to download the correct intermediate using the "CA Issuers - URI" provided in the certificate. I appended this to the pem and retested, repeating the process for each certificate until it became valid.
>
> Authority Information Access:
> OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
> CA Issuers - URI:http://aia.startssl.com/certs/sub.class1.server.ca.crt
>
> It might be worth checking if your intermediate matches the above sub.class1.server.ca.crt one.
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
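Steve's procedure (read the leaf with `openssl x509 -noout -text`, fetch the "CA Issuers - URI", append it, repeat until the chain verifies) written out as an added shell example; this is not code from the thread, from nginx or from StartCom. It assumes `openssl` is installed (and `curl` for real http URLs), builds a constructed throwaway root/intermediate/leaf PKI whose AIA links point at local file:// paths so it runs offline, and stops as soon as the chain verifies against the trust store, so the root itself is never appended to the PEM handed to nginx.

```shell
#!/bin/sh
# Added example (not from the thread): complete a PEM chain by following each
# certificate's "CA Issuers - URI" until the chain verifies against a trust
# store, then stop, so the trusted root itself is never appended.
set -eu
WORK=$(mktemp -d)
# fetch URI: file:// keeps this demo offline; http(s):// is the real-world case
fetch() { case $1 in file://*) cat "${1#file://}" ;; *) curl -fsS "$1" ;; esac; }

# first_aia_issuer CERT.pem: print the first "CA Issuers" URI, or nothing
first_aia_issuer() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*CA Issuers - URI://p' | head -n 1
}

# build_chain LEAF.pem TRUST.pem OUT.pem: OUT ends up as leaf + intermediates
build_chain() {
  leaf=$1 trust=$2 out=$3 hops=0; cp "$leaf" "$out"; cur=$leaf
  until openssl verify -CAfile "$trust" -untrusted "$out" "$leaf" >/dev/null 2>&1; do
    uri=$(first_aia_issuer "$cur")
    [ -n "$uri" ] && [ "$hops" -lt 5 ] || return 1   # no AIA link, or a loop
    fetch "$uri" > "$WORK/issuer.bin"
    # AIA URLs usually serve DER (StartSSL's .crt did); fall back to PEM input
    openssl x509 -inform DER -in "$WORK/issuer.bin" -out "$WORK/issuer.pem" 2>/dev/null \
      || openssl x509 -in "$WORK/issuer.bin" -out "$WORK/issuer.pem"
    cat "$WORK/issuer.pem" >> "$out"; cur=$WORK/issuer.pem; hops=$((hops + 1))
  done
}

# Constructed throwaway PKI (root -> int -> leaf) whose AIA links point at local
# DER files, standing in for http://aia.startssl.com/... in the real case.
mkcert() { # NAME EXTFILE [ISSUER]; self-signed when no issuer is given
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
  if [ $# -eq 3 ]; then
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
      -CAcreateserial -extfile "$2" -days 2 -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -extfile "$2" -days 2 -out "$WORK/$1.pem" 2>/dev/null
  fi
  openssl x509 -in "$WORK/$1.pem" -outform DER -out "$WORK/$1.der"
}
printf 'basicConstraints=CA:TRUE\n' > "$WORK/root.ext"
printf 'basicConstraints=CA:TRUE\nauthorityInfoAccess=caIssuers;URI:file://%s/root.der\n' "$WORK" > "$WORK/int.ext"
printf 'basicConstraints=CA:FALSE\nauthorityInfoAccess=caIssuers;URI:file://%s/int.der\n' "$WORK" > "$WORK/leaf.ext"
mkcert root "$WORK/root.ext"; mkcert int "$WORK/int.ext" root; mkcert leaf "$WORK/leaf.ext" int
build_chain "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/chain.pem"
chain_depth() { grep -c 'BEGIN CERTIFICATE' "$1"; }   # 2 here: leaf + intermediate, no root
```

The resulting chain.pem is the file to point nginx's ssl_certificate at; rerunning the SSL Labs test afterwards should no longer report a single certificate.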