Opened 3 years ago
Closed 3 years ago
#2125 closed defect (invalid)
ssl_trusted_certificate for parallel ECDSA and RSA usage
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | nginx-core | Version: | 1.19.x |
| Keywords: | Cc: | ||
| uname -a: | Linux main 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.14.2
built with OpenSSL 1.1.1d 10 Sep 2019 (running with OpenSSL 1.1.1i 8 Dec 2020) TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-Cjs4TR/nginx-1.14.2=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-Cjs4TR/nginx-1.14.2/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-Cjs4TR/nginx-1.14.2/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-Cjs4TR/nginx-1.14.2/debian/modules/http-echo --add-dynamic-module=/build/nginx-Cjs4TR/nginx-1.14.2/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-Cjs4TR/nginx-1.14.2/debian/modules/http-subs-filter |
||
Description
As ECDSA is on it's way to becoming the new standard, it is important to have both ECDSA and (at some point legacy) support for RSA. This setup currently works very well:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.ecdsa.pem; ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.ecdsa.pem; ssl_certificate /etc/letsencrypt/live/example.com/fullchain.rsa.pem; ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.rsa.pem;
Yet if one uses ssl_trusted_certificate in such a parallel setup, this following does not work:
ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.ecdsa.pem; ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.rsa.pem;
Returning the error:
nginx: [emerg] "ssl_trusted_certificate" directive is duplicate in /etc/nginx/sites-enabled/example.com.conf:50
Shouldn't it be also possible to have two certificates available here? Sorry if this is the wrong ticket type, I'm new here.
Change History (2)
comment:1 by , 3 years ago
comment:2 by , 3 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
You can put multiple CA certificates into the file set with the ssl_trusted_certificate directive.
Note:
See TracTickets
for help on using tickets.
The nginx version is 1.14.2, not 1.19.x as stated above, eventhough this probably applies to all versions.