Reputation: 43
I'm currently in the process of migrating the hosting of a service of mine from a managed hosting (running LiteSpeed + cPanel) to my own managed hosting, running Nginx.
Everything is running fine in Nginx 1.6.0, but my problem is that my certificate shows as self-signed. I installed the SSL certificate including the chained certificate as per http://www.digicert.com/ssl-certificate-installation-nginx.htm
However, even after trying the configuration from "NGinx SSL certificate authentication signed by intermediate CA (chain)", it does not work.
If I input my website on http://sslcheck.globalsign.com/en_US, it shows it as a self-signed certificate.
Below is my virtual host configuration regarding SSL:
server {
    listen 80;
    listen 443 ssl;
    server_name host02.website.com *.website.com;
    root /spacedata/website.com;
    index index.php index.html /;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security max-age=31536000;
    ssl_certificate /etc/pki/tls/certs/bundle-alpha.crt;
    ssl_certificate_key /etc/pki/tls/certs/private.key;
    ...
}
I confirm that I installed the right Cert and Private Keys.
Bear in mind that I run the AlphaSSL Wildcard certificate.
I suspect that I'm missing something in regards to the configuration as in my other hosting I installed the same .crt file and .key.
Upvotes: 1
Views: 1161
Reputation: 916
I had the same issue before; it had to do with the order of the certs that reside inside your ssl_certificate file. You need to include all intermediate CA certs in this file, and have them in the right order. All I had to do was reverse the order of the certs within that file, and my problem was solved.
Your server cert should be on top, then simply go down the CA chain.
PS. My config looks like:
listen 443 default ssl;
ssl_certificate /etc/nginx/ssl/server_plus.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
Upvotes: 1
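A way to check the ordering rule from the answer above before reloading Nginx, as an added example that is not part of the original posts: it reads the file given to ssl_certificate and confirms that each certificate's issuer is the subject of the next one. The function names `check_bundle` and `subject_issuer` are hypothetical, names are compared byte-wise (a simplification of RFC 5280 name matching), and signatures and expiry are not verified.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read the DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_issuer(der):
    """Return (subject, issuer) as raw DER Name bytes of one X.509 certificate."""
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                        # skip the optional [0] version field
        pos = end
    fields = []
    for _ in range(5):                     # serial, sigAlg, issuer, validity, subject
        end = _tlv(der, pos)[2]
        fields.append(der[pos:end])
        pos = end
    return fields[4], fields[2]

def check_bundle(pem_text):
    """Return a list of ordering problems; an empty list means leaf-first order."""
    certs = [subject_issuer(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    if not certs:
        return ["no certificates found"]
    problems = []
    if certs[0][0] == certs[0][1]:
        problems.append("cert 1 is self-signed: expected the server cert on top")
    elif len(certs) == 1:
        problems.append("only the server cert is present: intermediates are missing")
    for i, ((_, issuer), (next_subject, _)) in enumerate(zip(certs, certs[1:]), 1):
        if issuer != next_subject:         # byte-wise compare, see assumptions above
            problems.append(f"cert {i} is not issued by cert {i + 1}")
    return problems

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_bundle.py BUNDLE.crt")
    found = check_bundle(open(sys.argv[1]).read())
    print("\n".join(found) or "order OK: server cert first, then up the chain")
    sys.exit(1 if found else 0)
```

An empty result only says the file is ordered leaf-first; whether clients trust the chain still depends on the CA and on the key matching the first certificate.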