
If installing SSL certificate on an Nginx webserver - don't forget this step

moyarich ・2 min read

STUPID BROWSERS ...
I spent way too long troubleshooting an SSL certificate error.
My issue: Postman would not work, but the URL worked when I visited it using a browser.
Imagine troubleshooting something where there are no useful error messages.

Ok, so how did I fix the problem?

Well, I figured out that I missed a step when I installed the SSL certificate on Nginx. I didn't concatenate the SSL certificate with the intermediate certificate bundle.

I received no useful error messages from the browsers because they have their own certificate bundles. If your server does not provide one, the browser will default to using its own.

How did I find my error? Well, I had the smart idea to run the URL through an SSL checker. I found the DigiCert SSL checker, and you know what it told me?

Intermediate certificate missing.

The SSL checker at sslshopper.com gave me this scary message:

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following DigiCert's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.

Why didn't the browser say that? jeez.

The quickest fix on the planet for something that took me a while to troubleshoot:

cat ssl_certificate.crt IntermediateCA.crt > certbundle.pem

--------- Postman error ---------
Could not get any response
There was an error connecting

Why this might have happened:

  • The server couldn't send a response: Ensure that the backend is working properly
  • Self-signed SSL certificates are being blocked: Fix this by turning off 'SSL certificate verification' in Settings > General
  • Proxy configured incorrectly: Ensure that proxy is configured correctly in Settings > Proxy
  • Request timeout: Change request timeout in Settings > General

Don't do this in your Nginx virtual hosts file:

server {
  # server certificate only, no intermediate certificate
  ssl_certificate /etc/ssl/ssl_certificate.crt;
}

Do this instead:

  • Step 1: Locate your SSL certificate and bundle file.

For example: ssl_certificate.crt, IntermediateCA.crt

  • Step 2: Combine the server certificate (ssl_certificate.crt) and the intermediate CA certificate (IntermediateCA.crt) into a single concatenated file.

To get a single concatenated file out of the SSL certificate and the intermediate CA (server certificate first), run the following command:

cat ssl_certificate.crt IntermediateCA.crt > certbundle.pem

  • Step 3: Now edit the Nginx virtual hosts file by adding the line below:

ssl_certificate /etc/ssl/certbundle.pem;
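
The concatenation step above, as an added example (not code from the original post): it builds the bundle so that a server certificate without a trailing newline or with CRLF line endings cannot produce a fused END/BEGIN line, re-running does not duplicate certificates, and a file that lacks the intermediate is flagged. The helper names make_bundle, check_bundle and count_certs and the sample file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. File contents below are
# constructed placeholders, not real certificates.

# count_certs FILE: number of well-formed PEM BEGIN lines in FILE.
count_certs() (
  grep -c -e '^-----BEGIN CERTIFICATE-----$' "$1" || true
)

# make_bundle OUT CERT...: write the certificates to OUT in the order given
# (server certificate first), replacing OUT instead of appending to it.
make_bundle() (
  out=$1; shift
  tmp=$(mktemp) || exit 1
  for f in "$@"; do
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; rm -f "$tmp"; exit 1; }
    # Strip CRs and blank lines. awk also terminates the final line, so one
    # file's END line cannot fuse with the next file's BEGIN line.
    tr -d '\r' < "$f" | awk 'NF' >> "$tmp"
  done
  mv "$tmp" "$out"
)

# check_bundle FILE: succeed only if FILE has at least two intact PEM blocks
# (server certificate plus one or more intermediates). Structure only: this
# does not validate signatures or expiry.
check_bundle() (
  begins=$(count_certs "$1")
  ends=$(grep -c -e '^-----END CERTIFICATE-----$' "$1" || true)
  [ "$begins" -ge 2 ] && [ "$begins" -eq "$ends" ]
)

# Constructed inputs: a leaf with no trailing newline, an intermediate with CRLF.
demo=$(mktemp -d)
B='-----BEGIN CERTIFICATE-----'; E='-----END CERTIFICATE-----'
printf '%s\n%s\n%s' "$B" 'TEVBRi1QTEFDRUhPTERFUg==' "$E" > "$demo/ssl_certificate.crt"
printf '%s\r\n%s\r\n%s\r\n' "$B" 'SU5ULVBMQUNFSE9MREVS' "$E" > "$demo/IntermediateCA.crt"

make_bundle "$demo/certbundle.pem" "$demo/ssl_certificate.crt" "$demo/IntermediateCA.crt"
check_bundle "$demo/certbundle.pem" && echo "bundle: $(count_certs "$demo/certbundle.pem") certificates"
check_bundle "$demo/ssl_certificate.crt" || echo "server certificate alone: intermediate missing"
```

After pointing ssl_certificate at the new file, run nginx -t before reloading, then confirm what the server actually sends with openssl s_client -connect your.domain.com:443 -showcerts.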

Basic Sample of an Nginx virtual hosts file

server {
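  # "ssl on;" is deprecated; enable TLS with the ssl parameter of listen
  listen 443 ssl;

  # server certificate followed by the intermediate CA certificate(s)
  ssl_certificate /etc/ssl/[concatenated file];
  ssl_certificate_key /etc/ssl/[private key file];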

  server_name your.domain.com;
  access_log /var/log/nginx/nginx.vhost.access.log;
  error_log /var/log/nginx/nginx.vhost.error.log;
  location / {
    root /home/www/public_html/your.domain.com/public/;
    index index.html;
  }
}

Discussion

moyarich Author

Do you use the Apache webserver?

In Apache we used to be able to use a separate directive, SSLCertificateChainFile, for the bundle file, but SSLCertificateChainFile is deprecated now.

The SSLCertificateFile directive has been extended to also load the server certificate file plus the intermediate CA certificates.

On Windows, use the command below to create a PEM format file containing the SSL certificate and the certification chain:

copy ssl_certificate.crt + IntermediateCA.crt certbundle.pem /b

In the Apache web server virtual host file for SSL, add:

SSLCertificateFile "c:/Apache24/conf/ssl/2020/certbundle.pem"

Do not use:

  • SSLCertificateFile "c:/Apache24/conf/ssl/2020/ssl_certificate.crt"
  • SSLCACertificateFile "c:/Apache24/conf/ssl/2020/IntermediateCA.crt"
Hassan Tahir

Very helpful tutorial.