I accidentally modified my original domain.crt Now nginx doesn't start
- Thread starter rdn
- Start date
Marcus
Well-known member
I had the same problem, in the end I just downloaded the root and intermediate certificate again, and did something like "# cat root.crt intermediate.crt > trusted.crt" (putting the output of both root and intermediate into the file trusted.crt). With all the copy and paste I guess I may have modified some of the certificates.
Be sure to have the right root and intermediate certificate.
Don't give up
Keep fighting !
Be sure to have the right root and intermediate certificate.
Don't give up
Keep fighting !
Sheratan
Well-known member
I use startssl for my server ssl
Here's mine (with OSCP)
ssl_certificate is just an ssl.crt without intermediate
ssl_trusted_certificate is root certificate (ca.pem) with intermediate (sub.class1.server.ca.pem)
result
Here's mine (with OSCP)
Code:
ssl on;
ssl_certificate /my_ssl_folder/ssl.crt;
ssl_certificate_key /my_ssl_key_folder/the.key;
ssl_dhparam /my_dhparam_folder/my_pharam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /another_folder/trust.crt;
resolver 8.8.8.8 8.8.4.4 valid=10m;
resolver_timeout 10s;ssl_certificate is just an ssl.crt without intermediate
ssl_trusted_certificate is root certificate (ca.pem) with intermediate (sub.class1.server.ca.pem)
result
Code:
Protocol Details
Secure RenegotiationSupported
Secure Client-Initiated RenegotiationNo
Insecure Client-Initated RenegotiationNo
BEAST attackMitigated server-side (more info) TLS 1.0: 0xc011
TLS compressionNo
RC4Yes NOT DESIRABLE (more info)
Forward SecrecyYes (with most browsers) ROBUST (more info)
Next Protocol NegotiationYes spdy/2 http/1.1
Session resumption (caching)Yes
Session resumption (tickets)Yes
OCSP staplingYes
Strict Transport SecurityYes max-age=31536000
Long handshake intoleranceNo
TLS extension intoleranceNo
TLS version intoleranceTLS 2.98
SSL 2 handshake compatibilityYesssl_certificate = is just your domain crt
and
ssl_trusted_certificate = root.pem + primary intermediate
That's it?
Null
Well-known member
As I posted before in the other thread, the following is correct...
- ssl_certificate /etc/ssl/example/unified.crt; (example.com.crt + intermediate.crt)
- ssl_trusted_certificate /etc/ssl/example/trusted.crt; (root.pem + intermediate.crt).
That's what I'm using and it didn't work on mine
Sheratan
Well-known member
Yes. For StartSSL.
If you use different SSL, I afraid you need another configuration.
And dhparam is for forward secrecy
Yes, that's what I have there.
Still OCSP is not working.
May I know what's the content of dhparam.pem?
Maybe it could help me.
I have startssl also.
Null
Well-known member
I'm confused, did you get your certificate from StartSSL or RapidSSL? If you're using some files from RapidSSL for a StartSSL certificate (or vice versa), of course you're going to have problems.
Sheratan
Well-known member
dhparam is not really important if your mission is to make OSCP and SSL works fine. It's just for an additional.
You can create dhparam with:
Code:
openssl dhparam -rand -2048 -out your_dhparam.pemThis is true.
Don't mix them.I'm using Rapidssl.
I purchase it.
I have cert of startssl also, but not using now (just for testing before).
- NGINX 1.5.8
- OpenSSL 1.0.1f
I fixed it with my backup.
I purchased ssl here: https://www.namecheap.com/ssl-certificates/geotrust-ssl-certificates.aspx
The $9.49 per year.
I purchase ssl and use https for SPDY alone
# enable ocsp stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /usr/local/nginx/conf/conf.d/ssl-unified.crt;
resolver 8.8.8.8;
Similar threads
