Incomplete chain when using NGINX 1.8.0 and 1.9.9

Ubuntu 14.04 (3.13.0-24-generic)
NOTE: When using NGINX 1.4.6 with this same config, I am able to get an A+ on SSL Labs.

When using NGINX 1.8.0 (stable) and 1.9.9 (development), I get “Chain issues - Incomplete” on SSL Labs with the same config file I’ve been using. Why is this happening? Is this a Let’s Encrypt cert signing issue?

NOTE: In my config, there is one line that specifically changes when using 1.4.6 vs the others: listen 443 ssl spdy; (spdy is not compatible with 1.9.9, and 1.4.6 doesn't support http2). From what I've seen, this has no bearing on the certificate issue.

server {
    listen 80;
    listen 443 ssl http2;

    server_name dev.mysite.com;

    keepalive_timeout 70;

    ssl on;

    ssl_certificate /etc/letsencrypt/live/dev.mysite.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.mysite.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/dev.mysite.com/fullchain.pem;

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # ssl_session_tickets off;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AESGCM:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:!aNULL:!MD5';
    ssl_prefer_server_ciphers on;

    # resolver 127.0.0.1 valid=300s;
    # resolver 8.8.8.8 8.8.4.4 valid=1s;
    # resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    access_log /var/log/nginx/dev.mysite.com.access.log;
    error_log /var/log/nginx/dev.mysite.com.error.log;

    location / {
        proxy_pass http://127.0.0.1:37453/;
    }
}

What do you think is causing this issue?

I would recommend setting ssl_certificate to fullchain.pem and removing ssl_trusted_certificate. The latter is only needed when you want to verify client certificates (and most people don’t need that). According to the documentation, the intermediate certificate in fullchain.pem provided to ssl_certificate will also suffice for OCSP stapling.

The documentation on ssl_trusted_certificate says it doesn’t send the intermediate to the client.

Why the same configuration worked with your previous versions, I don't know. I also don't know whether nginx has different manuals for different versions like Apache does, so that you could compare the behaviour of the commands between versions.
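To make the answer above concrete: nginx sends the client exactly the certificates contained in the ssl_certificate file, in order, and it never sends ssl_trusted_certificate (that file is only consulted when verifying stapled OCSP responses). With cert.pem the client receives the leaf alone and has to find the intermediate itself, which SSL Labs reports as an incomplete chain. The script below is an added example, not code from this thread, from certbot or from nginx: it builds a throwaway root -> intermediate -> leaf chain with the openssl CLI, writes the files under the same names certbot uses in /etc/letsencrypt/live/<name>/ (cert.pem, chain.pem, fullchain.pem; the root.pem trust anchor is an assumption, since certbot does not ship one), and then verifies the leaf the way a browser does, using only what the server would send. The openssl CLI is assumed to be installed; the function and directory names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): why ssl_certificate must point at fullchain.pem.
#
#   Poster's directive (nginx sends ONE certificate):      ssl_certificate .../cert.pem;
#   Fix from the answer (leaf followed by intermediate):   ssl_certificate .../fullchain.pem;
#   ssl_trusted_certificate is only used to verify stapled OCSP responses; never sent.
set -eu

# Number of PEM certificates in a file: exactly what nginx will put on the wire
# when the file is given to ssl_certificate.
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Verify the first certificate of a served chain file ($1) the way a TLS client
# does: it must chain to the trust anchor ($2) using only the extra certificates
# the server sent. Returns 0 when the chain is complete, 1 when it is not.
chain_verifies() {
    work=$(mktemp -d)
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1' "$1" > "$work/leaf.pem"
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n > 1'  "$1" > "$work/sent.pem"
    if [ -s "$work/sent.pem" ]; then
        untrusted="-untrusted $work/sent.pem"
    else
        untrusted=""
    fi
    # $untrusted is deliberately unquoted so it expands to zero or two words.
    if openssl verify -CAfile "$2" $untrusted "$work/leaf.pem" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

# Live check against a real host (needs network, so it is not run here):
# counts the certificates the server actually sends, which is what SSL Labs sees.
served_cert_count() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Build a demo chain into $1 using certbot's file names (constructed test data).
make_demo_chain() {
    ext=$(mktemp)
    # Root CA: the trust anchor the client already holds (assumed name root.pem).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
        -keyout "$1/root.key" -out "$1/root.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$ext"
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 -sha256 \
        -extfile "$ext" -out "$1/root.pem" >/dev/null 2>&1
    # Intermediate signed by the root: this is what certbot's chain.pem holds.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
        -keyout "$1/int.key" -out "$1/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$ext" -out "$1/chain.pem" >/dev/null 2>&1
    # Leaf for dev.mysite.com signed by the intermediate: certbot's cert.pem.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=dev.mysite.com" \
        -keyout "$1/privkey.pem" -out "$1/leaf.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:dev.mysite.com\n' > "$ext"
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/chain.pem" -CAkey "$1/int.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$ext" -out "$1/cert.pem" >/dev/null 2>&1
    # fullchain.pem is leaf followed by intermediate, exactly as certbot writes it.
    cat "$1/cert.pem" "$1/chain.pem" > "$1/fullchain.pem"
    rm -f "$ext"
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_chain "$DEMO_DIR"

# Compare what a client can verify with the original and with the corrected directive.
for f in cert.pem fullchain.pem; do
    if chain_verifies "$DEMO_DIR/$f" "$DEMO_DIR/root.pem"; then
        verdict="chain complete"
    else
        verdict="chain incomplete (intermediate not sent)"
    fi
    echo "ssl_certificate $f: $(pem_count "$DEMO_DIR/$f") certificate(s) sent, $verdict"
done
```

Run it as-is to see cert.pem fail and fullchain.pem pass; against a live server, served_cert_count dev.mysite.com returning 1 is the same symptom SSL Labs labels "Chain issues - Incomplete", and it should return 2 (leaf plus intermediate) once ssl_certificate points at fullchain.pem.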

Looks like swapping those certs did it for me! Awesome thanks :).

Since I’m having an issue w/ OCSP (w/ this config) and wanted to make it easy to find for someone else, I posted another thread here: NGINX OCSP not responding
