nginx SSL_do_handshake() failed

Maxim Dounin mdounin at
Fri Nov 27 17:16:19 UTC 2015


On Fri, Nov 27, 2015 at 05:41:23PM +0100, Nicholas Wieland wrote:

> > On 27 Nov 2015, at 17:14, Maxim Dounin <mdounin at> wrote:


> > Make sure to properly configure certificate chains, see 
> >
> > for details.
> I’m not entirely sure I understand why I need a certificate 
> chain. The .crt file is what the provider sent me, that’s what I 
> use. Should I “chain” the .crt file the provider sent me with 
> the RapidSSL bundle? This is for testing and development, I 
> don’t really care about performances, a slow solution is 
> perfectly fine

Certificate chains are needed, because a typical certificate is 
issued by an intermediate CA, while browsers know only about root 
CAs.  And a web server must supply intermediate CA certificate to a 
browser (or other client) for the browser to be able to verify 
that the certificate provided by the web server should be trusted.

The link quoted explains how to properly put certs into a 
certificate file for things to work, and how to validate that the 
result is correct.  Normally it's as easy as just concatenating 
your server's certificate and the bundle provided by your CA.  But 
things may vary depending on CA - some CAs may provide incorrect 
bundles, or certs in a wrong order within the bundle, or there may 
be more than one bundle and you'll have to choose the right one.  
That is, it's a good idea to understand what you are doing and 
verify that the resulting chain returned by your server contains 
all needed certs in the correct order (see "openssl s_client ..." 
part of the link).

Maxim Dounin

More information about the nginx mailing list