Incomplete chain when using NGINX 1.8.0 and 1.9.9


#1

Ubuntu 14.04 (3.13.0-24-generic)
NOTE: When using NGINX 1.4.6 with this same config, I am able to get an A+ on SSL Labs.

When using NGINX 1.8.0 (stable) and 1.9.9 (development), I get “Chain issues - Incomplete” on SSL Labs with the same config file I’ve been using. Why is this happening? Is this a Let’s Encrypt cert signing issue?

NOTE: In my config, there is one line specifically changed when using 1.4.6 vs. the others: listen 443 ssl spdy;. SPDY is not compatible with 1.9.9, and 1.4.6 doesn’t support http2. From what I’ve seen, this has no bearing on the certificate issue.

server {
    listen 80;
    listen 443 ssl http2;

    server_name dev.mysite.com;

    keepalive_timeout 70;

    ssl on;   # redundant with "listen 443 ssl" above

    # certbot's live/ directory: cert.pem holds the leaf certificate only,
    # fullchain.pem holds the leaf followed by the Let's Encrypt intermediate
    ssl_certificate /etc/letsencrypt/live/dev.mysite.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.mysite.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/dev.mysite.com/fullchain.pem;

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # stapling needs a resolver to reach the OCSP responder (see the commented resolver lines below)
    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # ssl_session_tickets off;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AESGCM:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:!aNULL:!MD5';
    ssl_prefer_server_ciphers on;

    # resolver 127.0.0.1 valid=300s;
    # resolver 8.8.8.8 8.8.4.4 valid=1s;
    # resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    access_log /var/log/nginx/dev.mysite.com.access.log;
    error_log /var/log/nginx/dev.mysite.com.error.log;

    location / {
        proxy_pass http://127.0.0.1:37453/;
    }
}

What do you think is causing this issue?


#2

I would recommend setting ssl_certificate to fullchain.pem and removing ssl_trusted_certificate. The latter is only needed when you want to verify client certificates (and most people don’t need that). According to the documentation, the intermediate certificate in fullchain.pem provided to ssl_certificate will also suffice for OCSP stapling.

The documentation on ssl_trusted_certificate says it doesn’t send the intermediate to the client.

Why the same configuration worked with your previous versions, I don’t know. I also don’t know whether nginx has different manuals for different versions, as Apache does, so that you could compare the behaviour of the directives.
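
The check behind SSL Labs' "Chain issues - Incomplete" verdict can be reproduced offline. The script below is an added example for this thread, not code from nginx, certbot or Let's Encrypt: it parses a PEM bundle as served (a cert.pem-style leaf only, or a fullchain.pem-style leaf plus intermediate), extracts each certificate's issuer and subject with a minimal DER walk, and reports whether the chain links up and terminates at a certificate in a trust store. The certificates it tests against are constructed in the code itself, with hypothetical names ("Example Root CA", "Example Intermediate X1") and dummy keys and signatures, so they parse but would never verify cryptographically.

```python
import base64
import re
import ssl
import sys

# ---- minimal DER encode/decode, enough to reach an X.509 issuer and subject ----

def der(tag, content):
    """Encode one DER TLV using definite-length encoding."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content

def der_read(buf, pos):
    """Read the TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nb = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split a SEQUENCE/SET body into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out

def cert_names(der_cert):
    """Return (issuer, subject) Name bodies of a DER X.509 certificate."""
    _, cert_body, _ = der_read(der_cert, 0)             # Certificate SEQUENCE
    _, tbs, _ = der_read(cert_body, 0)                  # tbsCertificate SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]

def name_to_str(name_body):
    """Flatten a Name (SEQUENCE OF SET OF AttributeTypeAndValue) to its values."""
    values = []
    for _, rdn in der_children(name_body):
        for _, atv in der_children(rdn):
            _oid, val = der_children(atv)
            values.append(val[1].decode("utf-8", "replace"))
    return ", ".join(values)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_bundle_to_ders(text):
    """Every certificate in a PEM bundle, in served order."""
    return [base64.b64decode("".join(b64.split())) for b64 in PEM_RE.findall(text)]

def check_chain(served_pem, trust_store_pem):
    """Each served cert must be issued by the next one, and the last served cert
    must be issued by (or be) a certificate in the trust store."""
    chain = [cert_names(d) for d in pem_bundle_to_ders(served_pem)]
    roots = {subj for _, subj in (cert_names(d) for d in pem_bundle_to_ders(trust_store_pem))}
    if not chain:
        return {"complete": False, "depth": 0, "problems": ["no certificates served"]}
    problems = []
    for i in range(len(chain) - 1):
        issuer, next_subject = chain[i][0], chain[i + 1][1]
        if issuer != next_subject:      # byte-equal DER Names: a fine first-pass check
            problems.append(f"cert {i} is issued by '{name_to_str(issuer)}' but cert {i + 1} "
                            f"is '{name_to_str(next_subject)}' (wrong order or wrong intermediate)")
    last_issuer, last_subject = chain[-1]
    if last_issuer not in roots and last_subject not in roots:
        problems.append(f"chain ends at '{name_to_str(last_subject)}', whose issuer "
                        f"'{name_to_str(last_issuer)}' is not in the trust store: incomplete chain")
    return {"complete": not problems, "depth": len(chain), "problems": problems}

# ---- constructed sample certificates: hypothetical names, dummy key and signature ----

def _name(cn):
    """Name with a single commonName (OID 2.5.4.3) as UTF8String."""
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))

def _fake_cert(subject_cn, issuer_cn):
    alg = der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))   # sha256WithRSAEncryption
    validity = der(0x30, der(0x17, b"160101000000Z") + der(0x17, b"260101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00"))                             # placeholder key
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 33))                  # dummy signature

ROOT = ssl.DER_cert_to_PEM_cert(_fake_cert("Example Root CA", "Example Root CA"))
INTERMEDIATE = ssl.DER_cert_to_PEM_cert(_fake_cert("Example Intermediate X1", "Example Root CA"))
LEAF = ssl.DER_cert_to_PEM_cert(_fake_cert("dev.mysite.com", "Example Intermediate X1"))

CERT_PEM = LEAF                      # what certbot's cert.pem holds: the leaf only
FULLCHAIN_PEM = LEAF + INTERMEDIATE  # what fullchain.pem holds: leaf, then intermediate
TRUST_STORE_PEM = ROOT               # stands in for the browser's or SSL Labs' root store

if __name__ == "__main__":
    # Real use: save the output of
    #   openssl s_client -connect dev.mysite.com:443 -servername dev.mysite.com -showcerts
    # and pass it with a trust store such as /etc/ssl/certs/ca-certificates.crt.
    if len(sys.argv) == 3:
        served, store = (open(p).read() for p in sys.argv[1:3])
    else:
        served, store = CERT_PEM, TRUST_STORE_PEM      # the thread's failing case
    print(check_chain(served, store))
```

Run with no arguments it reports the thread's failing case (only the leaf served, depth 1, incomplete); running it on FULLCHAIN_PEM gives depth 2 and no problems, which is what pointing ssl_certificate at fullchain.pem produces on the wire. Against a real server, capture the served chain with openssl s_client -showcerts and pass the system CA bundle as the trust store; the byte-equal Name comparison is a first-pass check, not the full RFC 5280 name-matching or signature verification a browser does.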


#3

Looks like swapping those certs did it for me! Awesome, thanks :).

Since I’m having an issue with OCSP (with this config) and wanted to make it easy to find for someone else, I posted another thread here: NGINX OCSP not responding