nginx SSL_do_handshake() failed
mdounin at mdounin.ru
Fri Nov 27 17:16:19 UTC 2015
On Fri, Nov 27, 2015 at 05:41:23PM +0100, Nicholas Wieland wrote:
> > On 27 Nov 2015, at 17:14, Maxim Dounin <mdounin at mdounin.ru> wrote:
> > Make sure to properly configure certificate chains, see
> > http://nginx.org/en/docs/http/configuring_https_servers.html#chains
> > for details.
> I’m not entirely sure I understand why I need a certificate
> chain. The .crt file is what the provider sent me, that’s what I
> use. Should I “chain” the .crt file the provider sent me with
> the RapidSSL bundle? This is for testing and development, I
> don’t really care about performances, a slow solution is
> perfectly fine
Certificate chains are needed because a typical certificate is
issued by an intermediate CA, while browsers know only about root
CAs. And a web server must supply the intermediate CA certificate to a
browser (or other client) for the browser to be able to verify
that the certificate provided by the web server should be trusted.
The link quoted explains how to properly put certs into a
certificate file for things to work, and how to validate that the
result is correct. Normally it's as easy as just concatenating
your server's certificate and the bundle provided by your CA. But
things may vary depending on the CA - some CAs may provide incorrect
bundles, or certs in the wrong order within the bundle, or there may
be more than one bundle and you'll have to choose the right one.
That is, it's a good idea to understand what you are doing and
verify that the resulting chain returned by your server contains
all needed certs in the correct order (see the "openssl s_client ..."
part of the link).
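To make the ordering rule above concrete, here is an added Python example (not from the list post, nor from nginx) that reads a PEM file in the order nginx would send it and reports any certificate that is not followed by its issuer. It uses only the standard library; the certificates it feeds itself are constructed stand-ins built from the TBS fields alone, and the CA names are assumptions.

```python
import base64
import re

def _tlv(buf, off):
    """Read one DER TLV at buf[off]; return (tag, value, total size)."""
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    return tag, buf[off + hdr:off + hdr + length], hdr + length

def subject_issuer(der):
    """Return (subject, issuer) as raw DER Name bytes of an X.509 certificate."""
    tbs = _tlv(_tlv(der, 0)[1], 0)[1]                  # Certificate -> tbsCertificate
    fields, off = [], 0
    while off < len(tbs):
        tag, val, size = _tlv(tbs, off)
        fields.append((tag, val))
        off += size
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[4][1], fields[2][1]                  # serial, sigAlg, issuer, validity, subject

def pem_certs(text):
    """Decode every PEM CERTIFICATE block in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def chain_problems(pem_text):
    """Check the order nginx expects: server cert first, then each cert's issuer."""
    names = [subject_issuer(c) for c in pem_certs(pem_text)]
    if not names:
        return ["no certificates found"]
    return [f"cert {i + 1} is not the issuer of cert {i}"
            for i in range(len(names) - 1) if names[i][1] != names[i + 1][0]]

# --- constructed sample data (not real certificates) to exercise the check ---
def _der(tag, body):
    return bytes([tag, len(body)]) + body              # short-form length; samples stay < 128 bytes

def fake_cert(subject, issuer):
    """Stand-in carrying only the TBS fields the parser reads; no real signature."""
    name = lambda s: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, s.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer) + _der(0x30, b"") + name(subject) + _der(0x30, b""))
    b64 = base64.b64encode(_der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SERVER = fake_cert("www.example.com", "Example Intermediate CA")      # assumed names
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA")
GOOD_CHAIN = SERVER + INTERMEDIATE                     # server cert, then the CA bundle
WRONG_ORDER = INTERMEDIATE + SERVER                    # bundle pasted before the server cert
```

The comparison is byte-exact on the DER Names, which catches the usual concatenation mistakes but not every RFC 5280 name-matching subtlety; the `openssl s_client` check from the linked page stays the authoritative test of what the server actually sends.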