Nginx – SSL Certificates Throwing Errors Randomly


I purchased a cheap SSL certificate from NameCheap (GeoTrust RapidSSL, to be precise), and many users are complaining that they are getting an "Untrusted SSL certificate" error when visiting the page. I've gotten complaints from the following environments:

  • Windows 7 with IE9
  • Windows 7 with latest Chrome
  • Windows Vista with latest Chrome
  • Windows 7 with latest Firefox
  • Windows XP with IE8

However, many users with those configurations experience no problems. I personally use OS X and Windows 7 with Chrome Canary and the latest Firefox (respectively) and have never seen an error.

What could be causing these seemingly inconsistent SSL warnings? I was under the impression that the RapidSSL product was valid in 99+% of browsers, but I constantly hear about invalid certificates from many users.

I am using Nginx 1.4.1 with the following configuration:

listen 443 ssl;
listen [::]:443 ssl default ipv6only=on;
ssl on;
ssl_certificate /path/to/cert.crt;
ssl_certificate_key /path/to/cert.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

Note: I have never heard about an iOS or OS X device throwing the error.

Best Answer

Assuming that your host that is having the issues is the same as the one listed in your provided screenshot, it appears that there may be a few configuration issues that you should look at. A good first place to start, at least in my opinion, is the following site. The host listed in your image was tested and the results can be seen here. A best practices guide can be found here.

Now, on to your original issue. One of the first things that stands out is the notion that your site works only in browsers with SNI support. SNI does not work on Windows XP, even with Internet Explorer 8, since it depends upon particular SCHANNEL components that are OS based and not browser based. More information about browsers and SNI support can be found here. The issues that were observable within your original evidence screenshot also indicated an issue with the certificate chain, which could require changes to your CSR or the way that you implemented the certificate and related intermediate certificates on your web server.

RapidSSL has an excellent walk-through for installing their certificates and it can be found here. There also appears to be a difference when connecting to the site listed in your screenshot from and just That may be something that you want to look into as well.

It looks like you have a couple more things to look at and once they are resolved, it should help with some of the issues you were originally seeing. I hope that this helps.
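
The certificate-chain issue raised in the answer can be checked on the file that `ssl_certificate` points at, because nginx expects the server certificate first in that file, followed by its intermediates. The following is an added example, not code from the question or the answer: a standard-library Python check that compares only subject and issuer names using a minimal DER reader (it verifies no signatures); the function names are hypothetical and the sample certificates are constructed skeletons.

```python
import base64, re
PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (subject, issuer) of one certificate as raw DER Name bytes."""
    _, pos, _ = tlv(der, 0)                    # Certificate
    _, pos, _ = tlv(der, pos)                  # tbsCertificate
    tag, _, end = tlv(der, pos)                # [0] version, or serialNumber
    if tag == 0xA0:
        _, _, end = tlv(der, end)              # serialNumber
    _, _, issuer_at = tlv(der, end)            # skip signature algorithm
    _, _, validity_at = tlv(der, issuer_at)    # skip issuer
    _, _, subject_at = tlv(der, validity_at)   # skip validity
    _, _, subject_end = tlv(der, subject_at)   # skip subject
    return der[subject_at:subject_end], der[issuer_at:validity_at]

def check_bundle(pem_text):
    """List chain problems in a PEM bundle (server certificate expected first)."""
    certs = [names(base64.b64decode(b)) for b in PEM.findall(pem_text)]
    if not certs:
        return ["no certificates found"]
    leaf_only = len(certs) == 1 and certs[0][0] != certs[0][1]
    problems = ["leaf only: no intermediate certificate is sent"] if leaf_only else []
    problems += [f"certificate {i + 2} did not issue certificate {i + 1}"
                 for i in range(len(certs) - 1) if certs[i][1] != certs[i + 1][0]]
    return problems

# Constructed skeleton certificates (names only, no keys or signatures) as sample input.
def enc(tag, body):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def fake_cert(subject, issuer):
    name = lambda cn: enc(0x30, enc(0x31, enc(0x30, b"\x06\x03\x55\x04\x03" + enc(0x0C, cn.encode()))))
    tbs = enc(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + enc(0x30, b"") + name(issuer) + enc(0x30, b"") + name(subject)
    b64 = base64.encodebytes(enc(0x30, enc(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"
LEAF = fake_cert("www.example.test", "Constructed Intermediate CA")
INTERMEDIATE = fake_cert("Constructed Intermediate CA", "Constructed Root CA")
if __name__ == "__main__":
    print(check_bundle(LEAF), check_bundle(LEAF + INTERMEDIATE), check_bundle(INTERMEDIATE + LEAF))
```

An empty list means the names in the bundle chain in the expected order; it says nothing about signatures, expiry, or whether the root is trusted by a given client.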