Nginx incomplete certificate chain


#1

My domain is: media.itgs.be
My operating system is (include version): Windows 10
My web server is (include version): Nginx 1.11.10

Hi there,

I’ve successfully generated the certificates for my domain using “letsencrypt-win-simple” cli.
I’ve included the following in my Ngnix config file server block:

listen       443 ssl;
server_name  media.itgs.be;

ssl_certificate "media.itgs.be-crt.pem";
ssl_certificate_key "media.itgs.be-key.pem";

Now my requests to the server run just fine on my desktop, but on my Android device the site is marked insecure.
SSL labs tells me the certificate chain is incomplete, and going on other similar topics I’ve found (see below), the problem seems to be a missing intermediate certificate.


The solution suggested in those topics is to use the so-called “full chain”, however I did not receive any file with such a name.
The files I received are:

ca-0A0141420000015385736A0B85ECA708-crt.der
ca-0A0141420000015385736A0B85ECA708-crt.pem
media.itgs.be-all.pfx
media.itgs.be-crt.der
media.itgs.be-crt.pem
media.itgs.be-csr.pem
media.itgs.be-gen-csr.json
media.itgs.be-gen-key.json
media.itgs.be-key.pem
Registration
Signer

Only one of those remotely sounds like something “full” as in fullchain, being the -all.pfx file.
Under the assumption that that’s the one I’m looking for, I tried to convert it to .pem format using openssl, however it requires a password which I don’t know where to get.

So given this information, 2 questions:

  1. where is my “fullchain” file?
  2. how do I get it successfully configured in nginx (need pem format)?

Thanks for your feedback!


#2

I think ca-0A0141420000015385736A0B85ECA708-crt.pem is your chain certificate.

It has the serial number of the X3 intermediate certificate in its file name:

(…)
Serial Number:
0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
Validity
Not Before: Mar 17 16:40:46 2016 GMT
Not After : Mar 17 16:40:46 2021 GMT
Subject: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
(…)


#4

when I try that file instead of “media.itgs.be-crt.pem” and then try to reload my nginx config file, I get the following error:

[emerg] SSL_CTX_use_PrivateKey_file("media.itgs.be-key.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)


#5

No, that’s the chain certificate. You need that in combination with media.itgs.be-crt.pem.

You might need to combine both manually for nginx: http://nginx.org/en/docs/http/configuring_https_servers.html#chains


#6

Fixed it!
Thanks for pointing me in the right direction.
It came down to the following:

  1. Copy contents of media.itgs.be-crt.pem to new file media.itgs.be-fullchain.pem
  2. Append contents of ca-0A0141420000015385736A0B85ECA708-crt.pem to media.itgs.be-fullchain.pem
  3. Change nginx config to:
    ssl_certificate "media.itgs.be-fullchain.pem"; ssl_certificate_key "media.itgs.be-key.pem";

Thanks again :slight_smile:


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.