nginx SSL_do_handshake() failed

Nicholas Wieland ngw at
Fri Nov 27 16:41:23 UTC 2015

> On 27 Nov 2015, at 17:14, Maxim Dounin <mdounin at> wrote:
> Hello!
> On Fri, Nov 27, 2015 at 04:54:29PM +0100, Nicholas Wieland wrote:
>> it's the first time I configure an SSL certificate on my development machine (I'm no sysadmin - I need SSL to work with Facebook). I decided to go with nginx proxying a ruby sinatra application, nothing fancy.
>> This is the error I get when Facebook tries to connect to my HTTP server. AFAIK nginx is the culprit here:
>> 2015/11/26 15:42:03 [info] 42872#0: *3 SSL_do_handshake() failed (SSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:SSL alert number 48) while SSL handshaking, client:, server:
>> This is what I did:
>> Downloaded the cert (a .key, a .crt and a .csr) from RapidSSL
>> Downloaded the trusted cert from RapidSSL ( and saved locally under /etc/ssl/cert/
>> Installed locally nginx and configured like this:
>> Restarted both nginx and puma respectively on port 4567 and 8080
>> Went to, the app responded as expected, the connection was encrypted and the certificate appears to be the correct one.
>> Went to Facebook and attempted to register a new page subscription ( Had the error reported on the top (SSL_do_handshake() failed) when Facebook attempted to validate my callback url
>> Any suggestion?
> Make sure to properly configure certificate chains, see 
> <> 
> for details.

I’m not entirely sure I understand why I need a certificate chain. The .crt file is what the provider sent me, that’s what I use. Should I “chain” the .crt file the provider sent me with the RapidSSL bundle? This is for testing and development, I don’t really care about performance, a slow solution is perfectly fine.
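
Added example, not part of the original thread and not nginx code: the `tlsv1 alert unknown ca` in the log is an alert received from the client, the usual symptom when the file given to `ssl_certificate` holds only the server certificate and the client lacks the intermediate. The Python check below reads a PEM bundle and reports a missing intermediate or wrong ordering (server certificate first, then its issuer); `check_chain`, `fake_cert` and the certificate names are hypothetical, and the sample certificates are constructed, unsigned stand-ins.

```python
import base64, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    fields = []
    for _ in range(5):                      # serial, sigalg, issuer, validity, subject
        _, _, end = _tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_chain(pem):
    """List problems with a bundle intended for nginx's ssl_certificate file."""
    certs = [issuer_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem)]
    if not certs:
        return ["no certificates found"]
    problems = []
    if len(certs) == 1 and certs[0][0] != certs[0][1]:
        problems.append("leaf only: intermediate certificate(s) missing")
    for i in range(len(certs) - 1):         # each issuer must be the next subject
        if certs[i][0] != certs[i + 1][1]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}")
    return problems

# Constructed sample input: minimal certificate-shaped DER, not real certificates.
def _der(tag, content):
    return bytes([tag, len(content)]) + content   # short-form lengths only

def fake_cert(subject, issuer):
    name = lambda cn: _der(0x30, _der(0x0C, cn.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + name(issuer) + _der(0x30, b"") + name(subject))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

LEAF = fake_cert("dev.example.test", "Constructed Intermediate CA")
INTERMEDIATE = fake_cert("Constructed Intermediate CA", "Constructed Root CA")
```

The check compares names only and does not verify signatures; a bundle that passes still needs the intermediate to be the one that actually signed the server certificate.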

