SSL error: cannot obtain local issuer certificate

I had a problem setting up SSL on a 32-bit Debian 6.0 server. I am relatively new to SSL, so please bear with me. I include as much information as possible. Note: the true domain name has been changed to protect the identity and integrity of the server.

Configuration

The server is running using nginx. It is configured as follows:

    ssl_certificate /usr/local/nginx/priv/mysite.ca.chained.crt;
    ssl_certificate_key /usr/local/nginx/priv/mysite.ca.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_verify_depth 2;

I bound my certificate using the method described here

 cat mysite.ca.crt bundle.crt > mysite.ca.chained.crt 

where mysite.ca.crt is the certificate provided to me by the subscription authority, and bundle.crt is the CA certificate also sent to me by my authorized person. The problem is that I did not purchase the SSL certificate directly from GlobalSign, but instead through my Singlehop hosting provider.

Testing

The certificate is validated correctly in Safari and Chrome, but not in Firefox. An initial search revealed that this could be a problem with the CA.

I researched the answer to a similar question, but could not find a solution, since I do not quite understand what each certificate means.

I used openssl s_client to test the connection and got an output that seems to indicate the same problem as a similar question. The error is as follows:

    depth=0 /OU=Domain Control Validated/CN=*.mysite.ca
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /OU=Domain Control Validated/CN=*.mysite.ca
    verify error:num=27:certificate not trusted
    verify return:1

Detailed information on openssl's answer (with certificates and unnecessary information) can be found here.

I also see a warning:

 No client certificate CA names sent 

Is it possible that this is a problem? How can I guarantee that nginx sends these CA names?

Attempts to solve the problem

I tried to solve the problem by loading the root CA directly from GlobalSign, but got the same error. I updated the root CA on my Debian server using the update-ca-certificates command, but nothing has changed. This is probably because the CA sent from my provider was correct, so it led to a double certificate connection, which does not help.

     0 s:/OU=Domain Control Validated/CN=*.mysite.ca
       i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
     1 s:/O=AlphaSSL/CN=AlphaSSL CA - G2
       i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
     2 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
       i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

Next steps

Please let me know if there is anything that I can try, or if I just misconfigured everything.

+58
security ssl openssl ssl-certificate
Jun 23 '14 at 18:34
1 answer

jww is right - you are referencing the wrong intermediate certificate.

Since you have obtained the SHA256 certificate, you will need the SHA256 intermediate. You can take it from here: http://secure2.alphassl.com/cacert/gsalphasha2g2r1.crt

+32
Jun 27 '14 at 2:56
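The mismatch the answer points to can be read straight off the chain listing in the question: certificate 0 names "AlphaSSL CA - SHA256 - G2" as its issuer, but the next certificate the server sends is "AlphaSSL CA - G2". The following is an added example, not code from the question or the answer; the function names are hypothetical and `fixed_chain` is constructed sample input showing the passing case.

```shell
# Added example. Reads the "Certificate chain" listing printed by
# `openssl s_client` on stdin and compares each issuer (i:) with the
# subject (s:) of the next certificate the server sent.
# Exit status: 0 = every link matches, 1 = mismatch, 2 = no chain found.
check_chain() {
    awk '
        BEGIN { n = 0 }
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subject[n] = $0; next }
        /^ *i:/        { sub(/^ *i:/, "");        issuer[n++] = $0; next }
        END {
            if (n == 0) { print "no certificate chain in input"; exit 2 }
            bad = 0
            for (k = 0; k + 1 < n; k++) {
                if (issuer[k] == subject[k + 1]) {
                    printf "OK       %d -> %d\n", k, k + 1
                } else {
                    printf "MISMATCH %d: issuer is \"%s\", next subject is \"%s\"\n", k, issuer[k], subject[k + 1]
                    bad = 1
                }
            }
            exit bad
        }
    '
}

# The chain exactly as posted in the question.
question_chain() {
    cat <<'EOF'
 0 s:/OU=Domain Control Validated/CN=*.mysite.ca
   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
 1 s:/O=AlphaSSL/CN=AlphaSSL CA - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
 2 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
EOF
}

# Constructed sample: the intermediate subject now equals the leaf issuer.
fixed_chain() {
    cat <<'EOF'
 0 s:/OU=Domain Control Validated/CN=*.mysite.ca
   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
EOF
}
```

Against a live server the input would come from `openssl s_client -connect <host>:443 </dev/null 2>/dev/null | check_chain`. Matching names are necessary but not sufficient: the signatures still have to verify, and the last issuer has to be in the client's trust store.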


