Nginx não envia cadeia de certificados

Question

Nginx não envia cadeia de certificados

#1 resposta do (6 votos)

2

Eu tenho o seguinte certificado (o primeiro é meu, os outros dois são do Comodo PositiveSSL):

E a seguinte configuração do nginx:

server {
        listen       80 default_server;
        server_name  tiendaganadera.com www.tiendaganadera.com;
        root         /var/www/tiendaganadera.com;

        #charset koi8-r;

        #access_log  /var/log/nginx/host.access.log  main;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            index index.php;
        }

        # redirect server error pages to the static page /40x.html
        #
        error_page  404              /404.html;
        location = /40x.html {
        }

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
        }
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }

    rewrite ^/tienda/(.*)$ /$1 permanent;

    if ($request_uri ~ /(Smarty-2.6.19|payment|admin|provider|partner)/) {
        break;
    }

    if ($request_uri ~ \.(gif|jpe?g|png|js|css|swf|php|ico)$) {
        break;
    }

    if (!-e $request_filename) {
        rewrite ^(.*)$ /dispatcher.php last;
    }

}

server {
        listen       443 default ssl;
        server_name  tiendaganadera.com www.tiendaganadera.com;
        root         /var/www/tiendaganadera.com;

        ssl on;
        ssl_certificate     /etc/nginx/ssl/tiendaganadera.com.crt;
        ssl_certificate_key /etc/nginx/ssl/tiendaganadera.com.key;
        ssl_protocols       TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;

        #charset koi8-r;

        #access_log  /var/log/nginx/host.access.log  main;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            index index.php;
        }

        # redirect server error pages to the static page /40x.html
        #
        error_page  404              /404.html;
        location = /40x.html {
        }

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
        }
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }

    rewrite ^/tienda/(.*)$ /$1 permanent;

    if ($request_uri ~ /(Smarty-2.6.19|payment|admin|provider|partner)/) {
        break;
    }

    if ($request_uri ~ \.(gif|jpe?g|png|js|css|swf|php|ico)$) {
        break;
    }

    if (!-e $request_filename) {
        rewrite ^(.*)$ /dispatcher.php last;
    }

}

Mas eu corro o openssl s_client -connect tiendaganadera.com:443 -servername tiendaganadera.com e o resultado é:

CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = tiendaganadera.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = tiendaganadera.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = tiendaganadera.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=tiendaganadera.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFWTCCBEGgAwIBAgIPPZlYpZLvxHV+Rsy+qSD/MA0GCSqGSIb3DQEBCwUAMIGQ
MQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
VQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDE2MDQGA1UE
AxMtQ09NT0RPIFJTQSBEb21haW4gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENB
MB4XDTE1MDIwODAwMDAwMFoXDTIwMDIwNzIzNTk1OVowVjEhMB8GA1UECxMYRG9t
YWluIENvbnRyb2wgVmFsaWRhdGVkMRQwEgYDVQQLEwtQb3NpdGl2ZVNTTDEbMBkG
A1UEAxMSdGllbmRhZ2FuYWRlcmEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAv7cwKm7ssjSakyeRFrYi303RnGbnif3+mmfyGCWRCtmmbZpxTrFg
CVhFJwcuD0Gd4JkwPXk7GOuY93mhT+Zry1gDCSrAZpaSshV+Osg8bC4DJmil/ZBe
/HF2pH0j7XajyYYZjLUQgY8NAuCAW62ArgUL1oBQTZfH1EMM4HSYHoy4so437Glp
SwsCQnePokdyMnx/4Y9uPxkC7nZiJr1n6Ue7thXGTkayxsw9sdeBBsG/fk42U/nW
JAINeRRM+5BKGqyj5tOINDUMAC+4XAAibVnnvFuvhInQ4t6pmP34vigkhXkpgp/6
IoA31BXT7SP1FK/AI3CaymO/PbF3AsBbdQIDAQABo4IB5zCCAeMwHwYDVR0jBBgw
FoAUkK9qOpRaC9iQ6hJWc99DtDoo2ucwHQYDVR0OBBYEFIdRYyYSTjLGCYxfU/wO
0+j0SFMbMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQG
CCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCsw
KQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeB
DAECATBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9D
T01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGFBggr
BgEFBQcBAQR5MHcwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuY29tb2RvY2EuY29t
L0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQwJAYI
KwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTA1BgNVHREELjAsghJ0
aWVuZGFnYW5hZGVyYS5jb22CFnd3dy50aWVuZGFnYW5hZGVyYS5jb20wDQYJKoZI
hvcNAQELBQADggEBACFMKXGU1ECzff4ORsJMM9tCHYijcrxLNddP7acCFGwhkj3D
7Z3w2drDTYlVEIr84S+4w4QW61LvalwoFo2M0jjTabnsOM323VppPTyXvIUN0nZP
q/IVPtDTVOXgz7bbGDCXCkza2PXBRVvGgr+MhUmZ5OkHsnwU5BB9BXoX3rAS1ZSP
dhf1g3QYLekz14p53gtcBxbiqQVlLTyjJM/4qlDuRSQrysK665H42x7pch+i4VOn
b/5NE85soX/QToKP+cE+rF2DWb6jFjYvUcuh2hHKwRd4gg923S5XWsxsHHCHppcG
4ZZ/CmpDTpxxq61IA5aqYEKrlhKaWBkT6GV+tZ4=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=tiendaganadera.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2043 bytes and written 402 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 48003BE87D4EA04D8F60A4838BF7CC4B0FAA821A4ABF2347726E9D86BAAFEC8F
    Session-ID-ctx:
    Master-Key: CB66470AC61552D63B68EB78678A210CC1AFF4175B25E4FEFB6A9A416CA4FE0A191487F3EE432B4FB88FF3E171A46452
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 67 37 af 40 7d b4 06 5e-92 ed 10 a1 eb cf fd c8   g7.@}..^........
    0010 - 4d a4 b7 1a 39 e0 04 e4-dc b5 c0 65 aa 60 0e f7   M...9......e.'..
    0020 - 86 91 24 b3 d8 54 48 47-12 94 02 ae 0a 4f e7 d0   ..$..THG.....O..
    0030 - 63 1a c6 56 59 b0 a2 74-73 57 9d b5 76 b8 04 39   c..VY..tsW..v..9
    0040 - 88 fb 4f bb 6b a6 e2 c2-92 a3 36 22 d1 7c 51 8f   ..O.k.....6".|Q.
    0050 - 9a e6 ab 94 a5 a5 51 6d-0a 8c 6d 24 af 9b ac 9b   ......Qm..m$....
    0060 - 0e 57 d6 27 94 86 9f 09-b3 54 7a b5 00 30 19 6d   .W.'.....Tz..0.m
    0070 - 4c 25 67 45 f5 74 e7 24-c7 02 bc c0 8f 10 38 76   L%gE.t.$......8v
    0080 - 20 98 7e e6 05 f8 1d da-68 aa b2 66 3d f9 2b 5b    .~.....h..f=.+[
    0090 - cf 6b 6f 7f d7 1e f2 77-7c b9 8b 32 0a 6d 8a 18   .ko....w|..2.m..
    00a0 - 99 61 ce b1 a3 ce 97 aa-6b 4e 32 06 eb 14 67 9f   .a......kN2...g.

    Start Time: 1423599873
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

Então, o nginx está enviando apenas o primeiro, aparentemente. Por que isso?

ssl tls nginx https

por autrilla 10.02.2015 / 21:25

1 resposta

Tags ssl tls nginx https

Dell Poweredge 1850 - preso - Pressione CtrlM para executar a tela Utilitário de configuração :( Por que o sqlservr.exe está sendo executado?

score 6 · Accepted Answer

Você tem os seguintes certificados em sua lista (nessa ordem):

 #L Subject: ... CN=tiendaganadera.com
    Issuer:  ... CN=COMODO RSA Domain Validation Secure Server CA

 #A Subject: ... CN=COMODO RSA Certification Authority
    Issuer:  ... CN=AddTrust External CA Root

 #B Subject: ... CN=COMODO RSA Domain Validation Secure Server CA
    Issuer:  ... CN=COMODO RSA Certification Authority

 #R Subject: ... CN=AddTrust External CA Root
    Issuer:  ... CN=AddTrust External CA Root

Obviamente, a ordem não corresponde. O primeiro certificado #L é corretamente o certificado da folha. Mas o seguinte certificado #A não assina #L como você pode ver pelo fato de que o assunto de #A não corresponde ao emissor de #L. Em vez disso, #B assina #L e #A assina #B e #R assina #A. #R então é o certificado raiz que não deve ser incluído.

Para corrigir:

folha #L como o primeiro
move #B para cima, de modo que seja diretamente depois de #L
move #A para baixo para que seja diretamente depois de #B
remove #R porque o certificado raiz não deve ser incluído (normalmente será ignorado se incluído, mas é um estilo ruim).