Opened 3 months ago

Closed 3 months ago

#2125 closed defect (invalid)

ssl_trusted_certificate for parallel ECDSA and RSA usage

Reported by: rdevq@…
Owned by:
Priority: major
Milestone:
Component: nginx-core
Version: 1.19.x
Keywords:
Cc:
uname -a: Linux main 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.14.2
built with OpenSSL 1.1.1d 10 Sep 2019 (running with OpenSSL 1.1.1i 8 Dec 2020)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-Cjs4TR/nginx-1.14.2=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-Cjs4TR/nginx-1.14.2/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-Cjs4TR/nginx-1.14.2/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-Cjs4TR/nginx-1.14.2/debian/modules/http-echo --add-dynamic-module=/build/nginx-Cjs4TR/nginx-1.14.2/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-Cjs4TR/nginx-1.14.2/debian/modules/http-subs-filter

Description

As ECDSA is on its way to becoming the new standard, it is important to have both ECDSA and (at some point legacy) support for RSA. This setup currently works very well:

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.ecdsa.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.ecdsa.pem;

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.rsa.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.rsa.pem;

Yet if one uses ssl_trusted_certificate in such a parallel setup, this following does not work:

ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.ecdsa.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.rsa.pem;

Returning the error:

nginx: [emerg] "ssl_trusted_certificate" directive is duplicate in /etc/nginx/sites-enabled/example.com.conf:50

Shouldn't it be also possible to have two certificates available here? Sorry if this is the wrong ticket type, I'm new here.

Change History (2)

comment:1 by rdevq@…, 3 months ago

The nginx version is 1.14.2, not 1.19.x as stated above, even though this probably applies to all versions.

comment:2 by Maxim Dounin, 3 months ago

Resolution: invalid
Status: new → closed

You can put multiple CA certificates into the file set with the ssl_trusted_certificate directive.
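One way to act on this answer, as an added example (a shell script that is not part of the ticket or of nginx): collect the CA certificates from both chain files into a single bundle and reference that one file in ssl_trusted_certificate. It assumes certbot-style fullchain files that list the leaf certificate first, so only the certificates after the leaf are kept, and a CA certificate shared by both chains is written once; the sample chains below are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not from the ticket or from nginx: merge the CA part of
# several certbot-style fullchain files into the single file that
# ssl_trusted_certificate expects. Assumes each fullchain lists the leaf
# certificate first, followed by its CA certificate(s).
set -eu

# Print every PEM certificate block of a file except the first (the leaf).
ca_certs_of() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n > 1 { print }' "$1"
}

# build_trust_bundle OUT CHAIN... : write OUT with each distinct CA
# certificate once (a root present in both chains must not be duplicated)
# and print the number of certificates written.
build_trust_bundle() {
    out=$1; shift
    for f in "$@"; do ca_certs_of "$f"; done |
    awk '
        /-----BEGIN CERTIFICATE-----/ { block = "" }
        { block = block $0 "\n" }
        /-----END CERTIFICATE-----/ {
            if (!(block in seen)) { seen[block] = 1; printf "%s", block }
        }' > "$out"
    grep -c -- '-----BEGIN CERTIFICATE-----' "$out"
}

# Constructed sample chains with placeholder bodies (not real certificates):
# an ECDSA and an RSA leaf, one intermediate each, and the same root in both.
write_sample_chains() {
    d=$1
    pem() { printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'; }
    { pem LEAF-ECDSA; pem INTERMEDIATE-ECDSA; pem SHARED-ROOT; } > "$d/fullchain.ecdsa.pem"
    { pem LEAF-RSA;   pem INTERMEDIATE-RSA;   pem SHARED-ROOT; } > "$d/fullchain.rsa.pem"
}

dir=$(mktemp -d)
write_sample_chains "$dir"
# Two intermediates plus the shared root: prints 3. Point a single
# "ssl_trusted_certificate $dir/trusted.pem;" at the result.
build_trust_bundle "$dir/trusted.pem" "$dir/fullchain.ecdsa.pem" "$dir/fullchain.rsa.pem"
```

After replacing the two directives with one that names the merged file, `nginx -t` reports whether the bundle parses.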
