stackoom
  简体   繁体   中英

Nginx install intermediate certificate

 原文  2014-09-09 17:49:39       ssl/ nginx/ certificate

Question

I'm trying to install an intermediate certificate on Nginx ( laravel forge ). Right now the certificate is properly installed, just the intermediate that is missing.

I've seen that I need to concatenate the current certificate with the intermediate. What is the best/safest way to add the intermediate certificate.

Also, if the install of the intermediate failed, can I just roll back to the previous certificate, and reboot nginx? ( the website site is live, so I can't have a too long downtime )

2 answers

solution1
 33 ACCPTED  2014-09-10 15:51:52

Nginx expects all server section certificates in a file that you refer with ssl_certificate . Just put all vendor's intermediate certificates and your domain's certificate in a file. It'll look like this. 

-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----

To make sure everything is okay and to avoid downtime, I would suggest you to setup Nginx locally, add 127.0.0.1 yourdomain.com to /etc/hosts , and try open it from major browsers. When you've verified that everything is correct your can replicate it to the production server.

When you're done, it is a good idea to use some SSL checker tool to verify (eg this one ). Because pre-installed CA certificates may vary depending on browser and platform, you can easily overlook a misconfiguration checking from one OS or a limited set of browsers.

Edit

As @Martin pointed out, the order of certificates in the file is important. RFC 4346 for TLS 1.1 states:

This is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it.

Thus the order is:

  • 1. Your domain's certificate
  • 2. Vendor's intermediate certificate that certifies (1)
  • 3. Vendor's intermediate certificate that certifies (2)
  • ...
  • n. Vendor's root certificate that certifies (n-1). Optional, because it should be contained in client's CA store.

solution2
 0  2022-02-03 03:19:49

Letsencrypt: fullchain.pem

Same trouble for me. I was using Letsencrypt and, in my Nginx configuration, I needed to NOT use this:

ssl_certificate      /etc/letsencrypt/live/domain.tld/cert.pem;
ssl_certificate_key   /etc/letsencrypt/live/domain.tld/privkey.pem;

But use this:

ssl_certificate      /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key   /etc/letsencrypt/live/domain.tld/privkey.pem;

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Nginx not serving intermediate certificate Haproxy ssl configuration - install root and intermediate certificate NGinx SSL certificate authentication signed by intermediate CA (chain) nginx ingress - unexpected error generating SSL certificate with full intermediate chain CA certs: Invalid certificate How to install SSL certificate text on Ubuntu nginx SSL Certificate Not Trusted - Intermediate Certificate SSL handshake with intermediate certificate Client SSL with an Intermediate Certificate Intermediate and Root certificate files LetsEncrypt : Intermediate certificate for LetsEncrypt
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM