What cer/key files I should use with nginx?


#1

Hi,
I have used GetSSL to get certificates.
But I actually got 5 files:

  • DOMAIN_CERT_LOCATION="moto.courses.crt"
  • DOMAIN_KEY_LOCATION="moto.courses.key"
  • CA_CERT_LOCATION="chain.crt"
  • DOMAIN_CHAIN_LOCATION="domain.crt"
  • DOMAIN_PEM_LOCATION="domain.pem"

And … what should I actually use in the nginx configuration?
All my guesses end up with net::ERR_CONNECTION_REFUSED in the browser.

I am using the following configuration at the moment:

upstream motocourses {
        server 127.0.0.1:3004;
}

server {
        listen *:80;
        listen [::]:80;

        server_name moto.courses;
        proxy_set_header Host moto.courses;
        location / {
                rewrite ^(.*)$ https://moto.courses$1 permanent;
        }
}

server {
        listen 443 ssl;
        listen [::]:443 ssl;

        ssl on;
        ssl_certificate         path/moto.courses.crt;
        ssl_certificate_key     path/moto.courses.key;

        gzip             on;
        gzip_min_length  1000;
        gzip_proxied     expired no-cache no-store private auth;
        gzip_types       text/css text/html application/json;

        error_log path/moto.courses.error.log; #p
        access_log path/moto.courses.access.log; #p

        server_name moto.courses www.moto.courses;

        add_header Strict-Transport-Security max-age=500;

        location / {
                proxy_pass  http://motocourses;
                proxy_redirect off;
                proxy_set_header Host $host ;
                proxy_set_header X-Real-IP $remote_addr ;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;
                proxy_set_header X-Forwarded-Proto https;
        }
}

#2

Well, the key is easy: it should be moto.courses.key. Nginx expects to see the intermediate cert(s) and server cert in the same file, and the output you posted from GetSSL is not at all clear about which file that would be, but my guess would be domain.pem, or possibly domain.crt.


#3

ssl_certificate moto.courses.key;
ssl_certificate_key chain.crt;

root@li350-157:/websites/nginx/conf# nginx -t
nginx: [warn] duplicate MIME type "text/html" in /websites/nginx/conf/moto.courses.conf:27
nginx: [emerg] SSL_CTX_use_PrivateKey_file("moto.courses.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /websites/nginx/nginx.conf test failed

ssl_certificate moto.courses.key;
ssl_certificate_key domain.crt;

passes nginx -t, but in the browser I still get SEC_ERROR_UNKNOWN_ISSUER in Gecko and NET::ERR_CERT_AUTHORITY_INVALID in Blink.

ssl_certificate moto.courses.key;
ssl_certificate_key domain.pem;

same here.


#4

(I do not maintain GetSSL but I read the documentation and I know about PKI)

For nginx my understanding would be

ssl_certificate_key moto.courses.key
ssl_certificate domain.crt

I think you’ve got the key and certificate flipped around, probably from not thinking about what you’re typing :)


#5

Hi @SilentImp,

The right file for the nginx directive ssl_certificate is the one defined in the DOMAIN_CHAIN_LOCATION variable, in your case domain.crt; this is what we call the fullchain.

Do you know that you issued your cert against the staging server instead of production? I mean, your cert has been issued by Fake LE Intermediate X1, which is a test CA and is not valid. You should change the getssl configuration file.

Right now you should have this:

# The staging server is best for testing (hence set as default)
CA="https://acme-staging.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
#CA="https://acme-v01.api.letsencrypt.org"

And you should change it to use prod instead of staging and reissue your cert:

# The staging server is best for testing (hence set as default)
#CA="https://acme-staging.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
CA="https://acme-v01.api.letsencrypt.org"

Cheers,
sahsanu

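A pre-flight check for the two problems this thread runs into, a key that does not belong to the certificate (the X509_check_private_key mismatch from nginx -t) and a chain issued by the staging CA. This is an added example, not code from the thread, getssl or nginx; it assumes openssl is on PATH, and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check a getssl key/chain pair before
# handing it to nginx. Assumes openssl is on PATH; paths are assumptions.
set -eu

# 0 when the private key matches the public key in the first (leaf) cert.
# nginx's "X509_check_private_key:key values mismatch" is this check failing.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null || true)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Number of PEM certificates in a file. The fullchain (DOMAIN_CHAIN_LOCATION)
# must carry the leaf plus the intermediate; a bare leaf gives UNKNOWN_ISSUER.
cert_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Issuer of the leaf certificate, e.g. "issuer=CN = Fake LE Intermediate X1".
leaf_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# 0 when the leaf was issued by the Let's Encrypt staging CA, which no
# browser trusts (NET::ERR_CERT_AUTHORITY_INVALID / SEC_ERROR_UNKNOWN_ISSUER).
issued_by_staging() {
  leaf_issuer "$1" | grep -q 'Fake LE'
}

# Verdict for an ssl_certificate_key / ssl_certificate pair: 0 = usable.
check_nginx_pair() {
  key_file=$1; chain_file=$2
  if ! key_matches_cert "$key_file" "$chain_file"; then
    echo "FAIL: $key_file does not match the certificate in $chain_file"; return 1
  fi
  if [ "$(cert_count "$chain_file")" -lt 2 ]; then
    echo "FAIL: $chain_file has no intermediate; use the fullchain file"; return 1
  fi
  if issued_by_staging "$chain_file"; then
    echo "FAIL: issued by the staging CA; reissue against the production CA"; return 1
  fi
  echo "OK: ssl_certificate $chain_file; ssl_certificate_key $key_file"
}

# Stand-alone use: ./check.sh moto.courses.key domain.crt
if [ "$#" -eq 2 ]; then check_nginx_pair "$1" "$2"; fi
```

Passing the key as the first argument and the chain as the second mirrors the nginx directives, so a swapped pair like the one in #3 is reported as a mismatch instead of reaching nginx -t.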

#6

Hi, thanks for pointing it out.
I have tried

ssl_certificate_key moto.courses.key
ssl_certificate domain.crt

and it passes nginx -t, but doesn’t actually work for some reason. I keep getting NET::ERR_CERT_AUTHORITY_INVALID on https://moto.courses/


#7

Oh! That clears it up! Thank you, I will try to fix this.


#8

It works now, thanks a lot!
With best regards.
