Nginx + SSL from Network Solutions

These days you need an intermediate cert when using an SSL cert. Last time I set up a cert from Network Solutions, this intermediate cert was clearly named. This time around they issued quite a few certs, which made it confusing.

  • AddTrustExternalCARoot.crt
  • MY.DOMAIN.COM.crt
  • NetworkSolutions_CA.crt
  • UTNAddTrustServer_CA.crt

The two certs we care about here are MY.DOMAIN.COM.crt, my site's SSL cert, and NetworkSolutions_CA.crt, Network Solutions' intermediate cert.

Ok, now the tricky part. With old Apache, there was a specific directive for defining the intermediate cert. Nginx participates in no such thing. With Nginx we just need to cat our two certs together.


cat MY.DOMAIN.COM.crt NetworkSolutions_CA.crt > combined.crt

Now just add this to your conf with:

ssl_certificate /usr/local/nginx/certs/combined.crt;


4 Thoughts

  1. It sounds nice in theory, but this is what I get in practice:

    [emerg] 35168#0: SSL_CTX_use_PrivateKey_file("/etc/certs/NetworkSolutions_CA.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)

    nginx by default wants a key or pem file, which is why I'm having a rough time integrating with NetSolutions. May just have to go back to Apache on this one.

  2. Jason,

    On the ssl_certificate_key line you need to specify the private key file that you created when you created the CSR. That will get rid of the error. It looks like you are loading the NetworkSolutions_CA.crt file instead.

  3. Robert,

    Thanks for the tip. Unfortunately, I'm getting this error:

    [emerg] 21363#0: SSL_CTX_use_certificate_chain_file("/etc/ssl/certs/example.com.crt") failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib)

    Any ideas?

  4. The fix is simple - a linefeed is needed between your domain cert and the intermediate key. The command:

    cat MY.DOMAIN.COM.crt NetworkSolutions_CA.crt > combined.crt

    doesn't place a linefeed between the two certificates and this is what causes the error on restarting nginx.

    It took me way too long to figure this out.
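The post's cat step and the "bad end line" failure described in comment 4 can be reproduced and avoided with the script below. It is an added example, not code from the original post or its commenters; the function names, file names and placeholder PEM bodies are constructed for illustration.

```sh
#!/bin/sh
# Added example. File names and the PEM bodies below are constructed.

# combine_pem OUT CERT... : site cert first, then the intermediate(s).
combine_pem() {
    out=$1; shift
    : > "$out" || return 1
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        cat "$f" >> "$out"
        # $(...) strips a trailing newline, so a non-empty result means the
        # file ends mid-line and the next BEGIN marker would be glued to it.
        [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$out"
    done
}

# pem_chain_ok FILE : succeeds only if every line holding a PEM marker is
# exactly one BEGIN or END CERTIFICATE line and the markers pair up.
pem_chain_ok() {
    awk '
        /-----/ {
            if ($0 == "-----BEGIN CERTIFICATE-----") {
                if (inside) bad = 1
                inside = 1; begins++
            } else if ($0 == "-----END CERTIFICATE-----") {
                if (!inside) bad = 1
                inside = 0
            } else bad = 1
        }
        END { exit ((bad || inside || begins == 0) ? 1 : 0) }
    ' "$1"
}

# Compare plain cat with combine_pem on placeholder files; the site file
# deliberately lacks a final newline.
demo() {
    d=$(mktemp -d) || return 1
    b='-----BEGIN CERTIFICATE-----'; e='-----END CERTIFICATE-----'
    printf '%s\n%s\n%s' "$b" 'Q09OU1RSVUNURUQ=' "$e" > "$d/site.crt"
    printf '%s\n%s\n%s\n' "$b" 'Q09OU1RSVUNURUQ=' "$e" > "$d/ca.crt"
    cat "$d/site.crt" "$d/ca.crt" > "$d/naive.crt"
    combine_pem "$d/safe.crt" "$d/site.crt" "$d/ca.crt" || return 1
    pem_chain_ok "$d/naive.crt" && naive=ok || naive=broken
    pem_chain_ok "$d/safe.crt" && safe=ok || safe=broken
    rm -rf "$d"
    echo "naive=$naive safe=$safe"
}
demo
```

After combining, `nginx -t` confirms that the configuration and the certificate file load before you restart.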
