Nginx incomplete certificate chain

My domain is: media.itgs.be
My operating system is (include version): Windows 10
My web server is (include version): Nginx 1.11.10

Hi there,

I've successfully generated the certificates for my domain using "letsencrypt-win-simple" cli.
I've included the following in my Nginx config file server block:

listen       443 ssl;
server_name  media.itgs.be;

ssl_certificate "media.itgs.be-crt.pem";
ssl_certificate_key "media.itgs.be-key.pem";

Now my requests to the server run just fine on my desktop, but on my Android device the site is marked insecure.
SSL labs tells me the certificate chain is incomplete, and going on other similar topics I've found (see below), the problem seems to be a missing intermediate certificate.

The solution suggested in those topics is to use the so-called "full chain", however I did not receive any file with such a name.
The files I received are:

ca-0A0141420000015385736A0B85ECA708-crt.der
ca-0A0141420000015385736A0B85ECA708-crt.pem
media.itgs.be-all.pfx
media.itgs.be-crt.der
media.itgs.be-crt.pem
media.itgs.be-csr.pem
media.itgs.be-gen-csr.json
media.itgs.be-gen-key.json
media.itgs.be-key.pem
Registration
Signer

Only one of those remotely sounds like something "full" as in fullchain, being the -all.pfx file.
Under the assumption that that's the one I'm looking for, I tried to convert it to .pem format using openssl, however it requires a password which I don't know where to get.

So given this information, 2 questions:

  1. where is my "fullchain" file?
  2. how do I get it successfully configured in nginx (need pem format)?

Thanks for your feedback!

I think ca-0A0141420000015385736A0B85ECA708-crt.pem is your chain certificate.

It has the serial number of the X3 intermediate certificate in its file name:

(…)
Serial Number:
0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
Validity
Not Before: Mar 17 16:40:46 2016 GMT
Not After : Mar 17 16:40:46 2021 GMT
Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
(…)

When I try that file instead of “media.itgs.be-crt.pem” and then try to reload my nginx config file, I get the following error:

[emerg] SSL_CTX_use_PrivateKey_file("media.itgs.be-key.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

No, that’s the chain certificate. You need that in combination with media.itgs.be-crt.pem.

You might need to combine both manually for nginx: http://nginx.org/en/docs/http/configuring_https_servers.html#chains

1 Like

Fixed it!
Thanks for pointing me in the right direction.
It came down to the following:

  1. Copy contents of media.itgs.be-crt.pem to new file media.itgs.be-fullchain.pem
  2. Append contents of ca-0A0141420000015385736A0B85ECA708-crt.pem to media.itgs.be-fullchain.pem
  3. Change nginx config to:
    ssl_certificate "media.itgs.be-fullchain.pem";
    ssl_certificate_key "media.itgs.be-key.pem";

Thanks again :slight_smile:

2 Likes
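The three steps above (and the key-mismatch error earlier in the thread) come down to one rule: the file nginx gets in `ssl_certificate` must start with the server certificate, followed by the intermediate, and the private key stays in its own file. The script below is an added example, not part of this thread or of letsencrypt-win-simple. It builds the fullchain file from the two PEM files, normalises Windows CRLF line endings, refuses to copy a private key block into the chain, and repairs the common hand-concatenation bug where `-----END CERTIFICATE-----` and the next `-----BEGIN CERTIFICATE-----` end up glued on one line. The two `openssl`-backed checks (`key_matches_cert`, `chain_is_ordered`) assume the `openssl` CLI is on PATH; the file names and the PEM sample contents are constructed placeholders, not real certificates.

```python
import re
import subprocess
import sys
from pathlib import Path

# One PEM block of any label (CERTIFICATE, PRIVATE KEY, ...). The regex tolerates
# CRLF because the files were produced on Windows.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)

# Constructed placeholder PEM content (not real certificates) so the script runs
# offline. The leaf uses CRLF and the chain file lacks a trailing newline, two
# things that commonly go wrong when the files are concatenated by hand.
SAMPLE_LEAF = "-----BEGIN CERTIFICATE-----\r\nAAAA\r\nBBBB\r\n-----END CERTIFICATE-----\r\n"
SAMPLE_CHAIN = "-----BEGIN CERTIFICATE-----\nCCCC\n-----END CERTIFICATE-----"


def pem_blocks(text):
    """Return [(label, base64_body), ...] for every PEM block found in text."""
    return [(m.group(1), m.group(2)) for m in _PEM_BLOCK.finditer(text)]


def _clean_block(label, body):
    """Re-emit one PEM block with LF line endings and no stray whitespace."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def build_fullchain(leaf_pem, chain_pem):
    """Assemble the file nginx expects in ssl_certificate: the server certificate
    first, then the intermediate(s), each as a clean LF-terminated PEM block."""
    leaf_blocks = pem_blocks(leaf_pem)
    chain_blocks = pem_blocks(chain_pem)
    for label, _ in leaf_blocks + chain_blocks:
        # The private key belongs in ssl_certificate_key, never in the chain file.
        if label != "CERTIFICATE":
            raise ValueError(f"refusing to copy a {label} block into the chain file")
    if len(leaf_blocks) != 1:
        raise ValueError(f"leaf file must hold exactly one certificate, found {len(leaf_blocks)}")
    if not chain_blocks:
        raise ValueError("chain file holds no certificate")
    return "".join(_clean_block(label, body) for label, body in leaf_blocks + chain_blocks)


def _openssl(*args, stdin):
    """Run the openssl CLI (assumed to be on PATH) and return its stdout."""
    return subprocess.run(["openssl", *args], input=stdin, capture_output=True,
                          text=True, check=True).stdout


def key_matches_cert(cert_pem, key_pem):
    """True if key_pem is the private key of the first certificate in cert_pem.
    This is the check behind nginx's 'X509_check_private_key:key values mismatch'
    error, which appears when the CA certificate is configured as the server cert."""
    return (_openssl("x509", "-noout", "-pubkey", stdin=cert_pem)
            == _openssl("pkey", "-pubout", stdin=key_pem))


def chain_is_ordered(fullchain_pem):
    """True if each certificate's issuer is the subject of the one after it,
    i.e. leaf first, then the intermediate(s)."""
    names = []
    for label, body in pem_blocks(fullchain_pem):
        out = _openssl("x509", "-noout", "-subject", "-issuer",
                       "-nameopt", "RFC2253", stdin=_clean_block(label, body))
        fields = dict(line.split("=", 1) for line in out.splitlines() if "=" in line)
        names.append((fields["subject"].strip(), fields["issuer"].strip()))
    return all(names[i][1] == names[i + 1][0] for i in range(len(names) - 1))


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # Usage: python fullchain.py LEAF-crt.pem CA-crt.pem KEY.pem -> writes fullchain.pem
        leaf, chain, key = (Path(p).read_text() for p in sys.argv[1:4])
        full = build_fullchain(leaf, chain)
        Path("fullchain.pem").write_text(full)
        print("key matches leaf:", key_matches_cert(full, key))
        print("chain ordered:   ", chain_is_ordered(full))
    else:
        print(build_fullchain(SAMPLE_LEAF, SAMPLE_CHAIN), end="")
```

Run it with the real `media.itgs.be-crt.pem`, the `ca-…-crt.pem` file and the key to produce `fullchain.pem`; if `key_matches_cert` prints False you have the certificates in the wrong order (the exact situation behind the `[emerg]` error above), and if `chain_is_ordered` prints False the intermediate was placed before the leaf.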
