As I understand you have set up both sites to use SSL on the same IP:port?
In general only 1 certificate can be bound to IP:port pair unless server is capable of Server Name Indication (nginx is) and configured to support it (Internet Explorer supports it from v7 I believe).
Try configuring it: http://nginx.org/en/docs/http/configuring_https_servers.html#sni ... or bind subdomain to a different IP:port pair (i.e. same IP but different port (e.g. 45454) or different IP).
Two things you can do:
- Verify the intermediate chain
- Clean up the intermediate chain
Verify the intermediate chain
As the error seems to indicate, there is something off about your intermediate certificate chain. You should check where you got your certificate from and that you got the correct intermediate bundle.
You should verify the "hash" and "issuer's hash" of every certificate in the chain with the openssl x509 -noout -hash and openssl x509 -noout -issuer_hash commands. Try this to get the issuer hash of your certificate:
cat /path/to/cert/mysite.com.cert | openssl x509 -noout -issuer_hash
Then try to find a certificate with this hash in the sf_bundle.crt file that you specified as SSLCertificateChainFile. You may have to extract the certificates (or just copy paste them to the command):
cat first_cert_from_sf_bundle.crt | openssl x509 -noout -hash
Check all of them. If none have this hash, then something is wrong right there. Keep doing these checks until you find a certificate which has the same -hash and -issuer_hash. This is your root certificate.
If something is missing, you can check the other intermediate files here https://certs.starfieldtech.com/anonymous/repository.seam. Download these and compare their -hash against the -issuer_hash where you got stuck.
If everything is okay, then ....
Clean up the intermediate chain
I have seen this also help when you get odd validation errors. Make sure that your intermediate chain lists only the required certificates and in the correct order (it is easier if it is in PEM format). In other words, if your chain is Your cert -> cert A -> cert B -> Starfield Root cert, try appending these in this order (you can skip the first and last) so your intermediate chain looks something like this:
-----BEGIN CERTIFICATE-----
cert A
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cert B
-----END CERTIFICATE-----
I personally like to keep all these certificates (personal certificate, followed by intermediate ones, followed by the root certificate) in the same file. Then I just specify this file as both the SSLCertificateFile and SSLCertificateChainFile.
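Added example (not from any of the answers above): a POSIX shell script that automates the -hash / -issuer_hash walk described in the answer, splitting a PEM bundle, printing both hashes for every certificate and failing when a certificate's issuer hash does not match the certificate that follows it. It assumes the openssl command is in PATH; the function names check_chain and make_test_chain are my own, and the root/intermediate/leaf chain the second function builds is constructed throw-away test data.

```shell
# check_chain FILE: split a PEM bundle into its certificates, print each one's
# -hash and -issuer_hash, and fail if a certificate's issuer hash does not
# equal the hash of the certificate that follows it (wrong order / gap).
check_chain() {
    bundle="$1"; tmp=$(mktemp -d) || return 2
    # One file per certificate: cert-1.pem, cert-2.pem, ... in bundle order
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (dir "/cert-" n ".pem")}' "$bundle"
    n=1; rc=0; prev_ih=""
    while [ -f "$tmp/cert-$n.pem" ]; do
        h=$(openssl x509 -noout -hash -in "$tmp/cert-$n.pem")
        ih=$(openssl x509 -noout -issuer_hash -in "$tmp/cert-$n.pem")
        printf '%d: hash=%s issuer_hash=%s %s\n' "$n" "$h" "$ih" \
            "$(openssl x509 -noout -subject -in "$tmp/cert-$n.pem")"
        if [ -n "$prev_ih" ] && [ "$prev_ih" != "$h" ]; then
            echo "   ! certificate $((n-1)) was issued by $prev_ih, but certificate $n has hash $h"
            rc=1
        fi
        prev_ih=$ih; n=$((n+1))
    done
    if [ "$n" -eq 1 ]; then rc=2                      # no certificates found
    elif [ "$rc" -eq 0 ] && [ "$h" = "$ih" ]; then echo "   chain ends at a self-signed (root) certificate"
    elif [ "$rc" -eq 0 ]; then echo "   last certificate is not self-signed; its issuer $ih is not in the file"
    fi
    rm -rf "$tmp"; return "$rc"
}

# make_test_chain DIR: build a throw-away root -> intermediate -> leaf chain
# (constructed test data, one-day validity) and write chain-good.pem (correct
# order) and chain-bad.pem (root and intermediate swapped) into DIR.
make_test_chain() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/chain-good.pem"
    cat "$d/leaf.pem" "$d/root.pem" "$d/int.pem" > "$d/chain-bad.pem"
}

# Stand-alone use: sh check_chain.sh /path/to/sf_bundle.crt
if [ $# -eq 1 ]; then check_chain "$1"; fi
```

Run it against the bundle you configured as SSLCertificateChainFile; the "!" line tells you exactly at which position the order breaks or a certificate is missing.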
Best Answer
Your certificate has the following "Subject Alternative Names" (SAN):
Firefox does not like entry 2, as it considers mainserver a TLD and aborts there; the following entries are not checked, so yourfw1.mgmt.ctb.co.at never matches entry 3. I solved a similar problem in our domain by re-ordering the SANs and putting all FQDNs first; you should move your entry 2 to the end.
Firefox issues of interest