I'm trying to install an intermediate certificate on Nginx ( laravel forge ). Right now the certificate is properly installed, just the intermediate that is missing.
I've seen that I need to concatenate the current certificate with the intermediate. What is the best/safest way to add the intermediate certificate.
Also, if the install of the intermediate failed, can I just roll back to the previous certificate, and reboot nginx? ( the website site is live, so I can't have a too long downtime )
Nginx expects all server section certificates in a file that you refer with ssl_certificate. Just put all vendor's intermediate certificates and your domain's certificate in a file. It'll look like this.
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
To make sure everything is okay and to avoid downtime, I would suggest you to setup Nginx locally, add 127.0.0.1 yourdomain.com to /etc/hosts, and try open it from major browsers. When you've verified that everything is correct your can replicate it to the production server.
When you're done, it is a good idea to use some SSL checker tool to verify (e.g. this one). Because pre-installed CA certificates may vary depending on browser and platform, you can easily overlook a misconfiguration checking from one OS or a limited set of browsers.
As @Martin pointed out, the order of certificates in the file is important. RFC 4346 for TLS 1.1 states:
This is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it.
Thus the order is:
fullchain.pem
Same trouble for me. I was using Letsencrypt and, in my Nginx configuration, I needed to NOT use this:
ssl_certificate      /etc/letsencrypt/live/domain.tld/cert.pem;
ssl_certificate_key   /etc/letsencrypt/live/domain.tld/privkey.pem;
But use this:
ssl_certificate      /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key   /etc/letsencrypt/live/domain.tld/privkey.pem;
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With