Two things you can do:
- Verify the intermediate chain
- Clean up the intermediate chain
Verify the intermediate chain
As the error seems to indicate, there is something off about your intermediate certificate chain. You should check where you got your certificate from and that you got the correct intermediate bundle.
You should verify the "hash" and "issuer's hash" of every certificate in the chain with the openssl x509 -noout -hash
and openssl x509 -noout -issuer_hash
commands. Try this to get the issuer hash of your certificate:
cat /path/to/cert/mysite.com.cert | openssl x509 -noout -issuer_hash
Then try to find a certificate with this hash in the sf_bundle.crt
file that you specified as SSLCertificateChainFile
. You may have to extract the certificates (or just copy paste them to the command):
cat first_cert_from_sf_bundle.crt | openssl x509 -noout -hash
Check all of them. If none have this hash, then something is wrong right there. Keep doing these checks until you find a certificate which has the same -hash
and -issuer_hash
. This is your root certificate.
If something is missing, you can check the other intermediate files here https://certs.starfieldtech.com/anonymous/repository.seam. Download these and compare their -hash
against the -issuer_hash
where you got stuck.
If everything is okay, then ....
Clean up the intermediate chain
I have seen this also help when you get odd validation errors. Make sure that your intermediate chain lists only the required certificates and in the correct order (it is easier if it is in PEM format). In other words, if your chain is Your cert -> cert A -> cert B -> Starfield Root cert
. Try appending these in this order (you can skip the first and last) so your intermediate chain looks something like this:
-----BEGIN CERTIFICATE-----
cert A
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cert B
-----END CERTIFICATE-----
I personally like to keep all these certificates (personal certificate, followed by intermediate ones, followed by the root certificate) in the same file. Then I just specify this file as both the SSLCertificateFile
and SSLCertificateChainFile
.
You could have multiple server blocks. So just add new server block for domains that need HSTS.
server {
listen xx.xx.xxx.xxx:443 ssl default_server;
# all ssl stuff
# and other directives
}
server {
listen xx.xx.xxx.xxx:443 ssl;
server_name example.com other.example.com;
# all ssl stuff
# and other directives with HSTS enabled
}
Here first block will handle all https connections except example.com
and other.example.com
.
And you don't need ssl on
directive if you have ssl
flag in listen
.
EDIT
There is another solution with only one server block:
map $scheme:$host $hsts_header {
default "";
https:example.com "max-age=31536000";
https:other.example.com "max-age=31536000";
}
server {
server_tokens off;
listen xx.xx.xxx.xxx:80;
listen xx.xx.xxx.xxx:443 ssl;
ssl_certificate /etc/ssl/foo.crt;
ssl_certificate_key /etc/ssl/private/foo.key;
ssl_session_timeout 10m;
# ... other ssl stuff
location / {
proxy_pass http://127.0.0.1:81;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header Host $host;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security $hsts_header;
}
}
We use map
to define HSTS header value and use the fact, than nginx will not add header with empty value.
Best Answer
Its turned out to be I did wrong key installed interestingly no any browser give me error other than ssl checker websites. I found a website give me correct crt file I just had to replace this with the ssl-bundle VALA! website I used: whatsmychaincert.com