Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Nginx install intermediate certificate

Tags:

I'm trying to install an intermediate certificate on Nginx ( laravel forge ). Right now the certificate is properly installed, just the intermediate that is missing.

I've seen that I need to concatenate the current certificate with the intermediate. What is the best/safest way to add the intermediate certificate.

Also, if the install of the intermediate failed, can I just roll back to the previous certificate, and reboot nginx? ( the website site is live, so I can't have a too long downtime )

like image 258
Flash-Square Avatar asked Sep 09 '14 17:09

Flash-Square

2 Answers

Nginx expects all server section certificates in a file that you refer with ssl_certificate. Just put all vendor's intermediate certificates and your domain's certificate in a file. It'll look like this.

-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----

To make sure everything is okay and to avoid downtime, I would suggest you to setup Nginx locally, add 127.0.0.1 yourdomain.com to /etc/hosts, and try open it from major browsers. When you've verified that everything is correct your can replicate it to the production server.

When you're done, it is a good idea to use some SSL checker tool to verify (e.g. this one). Because pre-installed CA certificates may vary depending on browser and platform, you can easily overlook a misconfiguration checking from one OS or a limited set of browsers.

Edit

As @Martin pointed out, the order of certificates in the file is important. RFC 4346 for TLS 1.1 states:

This is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it.

Thus the order is:

  • 1. Your domain's certificate
  • 2. Vendor's intermediate certificate that certifies (1)
  • 3. Vendor's intermediate certificate that certifies (2)
  • ...
  • n. Vendor's root certificate that certifies (n-1). Optional, because it should be contained in client's CA store.
like image 149
saaj Avatar answered Oct 06 '22 06:10

saaj

Letsencrypt: fullchain.pem

Same trouble for me. I was using Letsencrypt and, in my Nginx configuration, I needed to NOT use this:

ssl_certificate      /etc/letsencrypt/live/domain.tld/cert.pem;
ssl_certificate_key   /etc/letsencrypt/live/domain.tld/privkey.pem;

But use this:

ssl_certificate      /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key   /etc/letsencrypt/live/domain.tld/privkey.pem;
like image 45
Jesse Steele Avatar answered Oct 06 '22 05:10

Jesse Steele
Sign in to Comment

Related questions

How to put TODO comments in xml?
How to toggle a highlighted selected item in a group list
What's the proper index for querying structures in arrays in Postgres jsonb?
Create a virtualenv with both python2 and python3
Jasmine have createSpy() return mock object
Missing Gradle Project Information. Please check if the IDE successfully synchronized its state with the Gradle Project Model
IE11 detect whether compatibility view is ON via javascript
How to Submit Form on Select Change
Remove all elements from a list after a particular value
R ggplot boxplot: change y-axis limit
Android studio emulator fails to start with memory limit related error message
Suddenly when running tests I get "TypeError: 'NoneType' object is not iterable

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!