ssl_trusted_certificate in nginx for OCSP stapling: does the chain.pem provided by Let's Encrypt work?
70M+ websites use LE certs.
I'd say... YES.
don't use chain, use fullchain.
Why? Is it OK to use it? I got a key mismatch when I used it with ssl_certificate in nginx. Does it work for ssl_trusted_certificate?
With nginx you should use key.pem (for ssl_certificate_key) and fullchain.pem (for ssl_certificate). Ignore both cert.pem and chain.pem.
You don't usually need to set ssl_trusted_certificate.
For OCSP stapling. Is it not needed if ssl_stapling on;?
I am getting this error using fullchain:
nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/ssldsrlearn/dsrlearnkey.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
If I don't use fullchain, stapling is not possible. What should I do?
It's not needed if you use fullchain.pem when configuring your certificate.
This is another bigger problem. Did you modify your certificates or keys?
I checked the md5 of the key and fullchain; both are the same. When I use cert.pem without the chain it works fine with the key.
So I think the problem is the order of the certs in the chain.
Can you tell me the correct order of certs in fullchain?
They're not supposed to be.
Fullchain is supposed to contain cert and chain in a single file (quite literally cat cert.pem chain.pem > fullchain.pem).
You should restore the fullchain file.
(Apache has a separate directive for the chain, nginx does not.)
I solved it. The root cert was placed last and the cert was placed first. I moved the root to the front, so the order is root -> intermediate -> cert. It worked, but again it only worked for OCSP stapling. ssl_certificate in nginx does not work with fullchain; it only works with the base cert. Why? If I use fullchain in ssl_certificate I get the mismatch error above.
You did add ssl_stapling_verify on; did you?
Yes. Any problem with it?
Can I add a DNS CAA record with Let's Encrypt? If yes, how?
No, it's good.
There is a CAA documentation page on the main Let's Encrypt website, it tells everything you need to know.
I am getting incomplete chain issues in the SSL Labs test. If I use fullchain with ssl_certificate it's not working. Any solution for this?
Is fullchain still identical to your private key?
I need to understand how that happened.
I didn't get it. Can you explain what you mean?
How do I know if it's identical?
You said that much.
Yes, they are identical.