NGINX Enable SSL IIS exporting Let's Encrypt certificate

Hi! Can you help me?

I currently have a Windows server with IIS installed. From the Plesk dashboard, I generate my Let's Encrypt certificate for the domain.

Afterwards, I access my IIS, and in certificates, I export the .PEM file from my domain.

Then, using OpenSSL, I convert this .PEM into two files, the .CRT and the .KEY

With these two files I enable SSL on NGINX. It looks confusing, but it's working fine, because I only use NGINX as a reverse proxy for API load balancing.

I would like to know if this is the best way, and whether, when converting the PEM, there is a way to add the intermediate certificate. When I try to validate the certificate served on the NGINX link, it says that there is no intermediate certificate.

Only if that can be automated and if it works, and it sounds like something is missing.
I would try having the system that uses nginx get its own cert.
I don't know your exact configuration, but I can't think of one that can't be resolved to allow it to do so.

I got a solution to my problem. The error was in the PFX certificate export process and the conversion to CRT and KEY files. In this process I was losing the intermediate certificate. Once converted correctly, Apple devices were able to access the API.

Come on... I currently have a Windows server using IIS. From the Plesk panel, I generate the domain certificate, using the Let's Encrypt plugin. This already enables HTTPS on my website.

So far, so good! Everything is working: customers with iPhone, Android, Windows... can access and view the website's home.

Now the problem starts. I use Nginx for load balancing the APIs inside my server, so I need to enable SSL on it too. Therefore, I export the certificate generated earlier and use OpenSSL to convert it into two files (certificado.crt and certificate.key). These files I use in the Nginx CONF file and that's it. Now my APIs pass through NGINX using the HTTPS protocol. Well, for most customers, at least, it works. When any iPhone accesses the site and tries to make a connection with the API (the one that goes through Nginx), the connections are blocked.

If I get a GET and put it on the link, it tries to access with the DST certificate... What I don't understand is why the client can access the home with HTTPS active, and it's the same certificate, but what goes to Nginx (the API) is blocked.

Please show this file:

I suspect that your export/convert process has stripped out, or changed, the original chain entries.

Sounds a lot like the post I made 13 hours ago:

But maybe you didn't get it - since you have made two separate topics.
No worries, I've merged them together for you.
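
An added example, not part of any post in this thread: one way to convert a PFX exported from IIS into the certificate and key files nginx uses without dropping the intermediate, plus checks that the chain survived and the key matches. The file names, the `PFX_PASS` environment variable and the function names are assumptions, and it needs a POSIX shell with the `openssl` CLI.

```sh
#!/bin/sh
# Added example, not from the thread. File names and PFX_PASS are assumptions.
# The PFX must be exported from Windows with the certification path included;
# otherwise it holds no intermediate to extract.

PEM_ONLY='/-----BEGIN /,/-----END /p'   # sed filter: drop "Bag Attributes" text

# pfx_to_nginx SITE.pfx FULLCHAIN.pem PRIVKEY.pem
# Reads the export password from the PFX_PASS environment variable.
pfx_to_nginx() {
    pfx=$1; fullchain=$2; key=$3
    # Leaf certificate (the one paired with the private key).
    leaf=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -clcerts) || return 1
    # CA certificates stored in the PFX: the intermediate(s).
    chain=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -cacerts) || return 1
    # nginx expects one file with the leaf first, then the intermediates.
    printf '%s\n%s\n' "$leaf" "$chain" | sed -n "$PEM_ONLY" > "$fullchain"
    # Unencrypted key so nginx can start unattended; created owner-readable only.
    pk=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes) || return 1
    ( umask 077; printf '%s\n' "$pk" | sed -n "$PEM_ONLY" > "$key" )
}

# Number of certificates in a PEM bundle.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# True when the bundle holds the leaf plus at least one more certificate.
# A count of 1 means the chain was lost during export or conversion.
has_chain() { [ "$(count_certs "$1")" -ge 2 ]; }

# True when the private key belongs to the first (leaf) certificate.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# nginx then points at the two files:
#   ssl_certificate     /path/to/fullchain.pem;
#   ssl_certificate_key /path/to/privkey.pem;
```

Run `has_chain fullchain.pem` after every conversion; if it fails, repeat the export with the certification path included before reloading nginx.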
