Ubuntu Nginx SSL – How to Fix ‘Unable to Get Local Issuer Certificate’

nginxsslUbuntu

I have a SSL certificate that is valid for *.example.com. I have been able to set up this SSL certificate on IIS correctly for subdomain.example.com.

But I'm having problems on ubuntu 16.04 server and nginx.

I've created key and certificate files using open SSL from a pfx file. then added a sample site to nginx. Here is my nginx config.

server {

 listen 443 ssl;
 server_name subdomain2.example.com subdomain2.example.com;
 ssl_certificate /etc/nginx/cert.crt;
 ssl_certificate_key /etc/nginx/cert.rsa;

 root /subdomain2/test;
 index index.html;
 include /etc/nginx/mime.types;
}

It works fine on browsers. But when I try to make a request with curl or using python requests library I get following error

unable to get local issuer certificate

If iI disable ssl verification on python requests lib I get correct response but I don't want to disable this verification.

What am I doing wrong?

Best Answer

You should concatenate in your server certificate file also the intermediate certificates. Check here for Q/A about this issue

As @Martin pointed out, the order of certificates in the file is important. RFC 4346 for TLS 1.1 states:

This is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it.

Thus the order is:
1. Your domain's certificate
2. Vendor's intermediate certificate that certifies (1)
3. Vendor's intermediate certificate that certifies (2)
...
n. Vendor's root certificate that certifies (n-1). Optional, because it should be contained in client's CA store.

Check also this RFC for precise definitions

Related Solutions

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

You could have multiple server blocks. So just add new server block for domains that need HSTS.

server {
    listen xx.xx.xxx.xxx:443 ssl default_server;

    # all ssl stuff
    # and other directives
}

server {
    listen xx.xx.xxx.xxx:443 ssl;
    server_name example.com other.example.com;

    # all ssl stuff
    # and other directives with HSTS enabled
}

Here first block will handle all https connections except example.com and other.example.com.

And you don't need ssl on directive if you have ssl flag in listen.

EDIT

There is another solution with only one server block:

map $scheme:$host $hsts_header {
    default "";
    https:example.com "max-age=31536000";
    https:other.example.com "max-age=31536000";
}

server {
    server_tokens off;

    listen xx.xx.xxx.xxx:80;
    listen xx.xx.xxx.xxx:443 ssl;

    ssl_certificate /etc/ssl/foo.crt;
    ssl_certificate_key /etc/ssl/private/foo.key;

    ssl_session_timeout 10m;

    # ... other ssl stuff

    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header Host $host;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security $hsts_header;
    }
}

We use map to define HSTS header value and use the fact, than nginx will not add header with empty value.

NginX + WordPress + SSL + non-www + W3TC vhost config file questions

Please don't post multiple questions in one.

The first step, when you don't know how something works, is to search for the documentation. In the case of nginx, directives are exhaustively explained through the official documentation directive index.

It depends on the location block nature. Prefixed location blocks order is not important, but regex location blocks order is, since the first one matching the request URI will be picked.
Configuration directives order does not matter except for few cases like if blocks. Gzip directives are not part of these.
In fact ssl on is the old way to do it and the listen directive parameter ssl is the new one. The usage of ssl on forces the server block to accept HTTPS only while the usage of the listen directive parameter allows to handle both HTTP and HTTPs in the same server block.
Actually you explicitely asked nginx to do this. Another way to have the same result is using return 301 https://domain.com$request_uri. The rewrite patten ^(.*) matches all URIs and capture them. Then it rewrites them permanently (301 redirect) to https://domain.com<uri>. Refer to the documentation to understand how the rewrite directive works if you are confused.
Opinion-based questions do not fit SF standards.

Best Answer

Related Solutions

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

NginX + WordPress + SSL + non-www + W3TC vhost config file questions

Related Topic