Opened 8 years ago
Closed 8 years ago
#998 closed defect (invalid)
Intermediate cert is not sent to client with recent
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | critical | Milestone: | |
| Component: | nginx-core | Version: | 1.10.x |
| Keywords: | ssl tls | Cc: | |
| uname -a: | Linux jenkins-master 3.10.0-327.18.2.el7.x86_64 #1 SMP Thu May 12 11:03:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux | | |

nginx -V:

```
nginx version: nginx/1.10.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'
```
Description
I was preparing to replace an Alphassl DV wildcard TLS cert issued last year with one issued about a month ago. The old and new certs are signed with the same intermediate. Testing was OK with web browsers which have cached the Alphassl intermediate cert. However, curl, openssl, etc. all fail to validate the new cert. After about a day of hair pulling, I have determined that nginx is not returning the intermediate cert when using the new cert, despite it being present and in the proper order in the ssl_certificate file. To be pedantic, changing only the publicly signed cert and private key causes nginx to mysteriously stop returning the intermediate to clients. The debug log traces appear almost identical between the two certs. I have tried enabling/disabling OCSP with no change in behavior.

The new cert does have a slightly different policy attached to it, but both versions are accepted by openssl's verify sub-command. I have to conclude that either Alphassl is issuing certs with bad metadata, nginx is not correctly handling TLS policy metadata, or both.
Attachments (10)
Change History (11)
by , 8 years ago

Attachment: cert-chain.pem-new added

new tls cert

by , 8 years ago

Attachment: root-chain.pem added

ssl_trusted_certificate (shared between new/old cert)

comment:1 by , 8 years ago

| Resolution: | → invalid |
|---|---|
| Status: | new → closed |

The cert-chain.pem-new file is obviously corrupted; it doesn't contain the "-----END CERTIFICATE-----" line after the first certificate.
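A small stdlib-only linter for the kind of corruption this comment identifies, added here as an example and not part of the ticket or of nginx: it walks a PEM chain file block by block, reports a certificate whose "-----END CERTIFICATE-----" marker is missing (a second BEGIN, or end of file, arriving while a block is still open), checks that each body is valid base64 that decodes to a DER SEQUENCE, and warns when fewer than two certificates were parsed, since then no intermediate can be sent. The DER bytes in the sample chains are constructed dummies, not real certificates.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def lint_pem_chain(text, min_certs=2):
    """Return (certs, problems): DER bytes of every well-formed block, and
    a list of findings. nginx hands the file to OpenSSL's PEM reader, which
    needs a matching END line for every BEGIN; anything else is silently
    lost, which is how an intermediate stops being sent."""
    certs, problems = [], []
    body, start = None, 0          # lines of the currently open block
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if body is not None:   # previous block never closed (the ticket's case)
                problems.append(f"line {start}: certificate has no END marker "
                                f"before the next BEGIN at line {lineno}")
            body, start = [], lineno
        elif line == END:
            if body is None:
                problems.append(f"line {lineno}: END without a matching BEGIN")
                continue
            try:
                der = base64.b64decode("".join(body), validate=True)
            except ValueError:     # binascii.Error is a ValueError subclass
                problems.append(f"line {start}: body is not valid base64")
            else:
                if der[:1] != b"\x30":   # DER SEQUENCE tag starts every X.509 cert
                    problems.append(f"line {start}: body does not decode to DER")
                else:
                    certs.append(der)
            body = None
        elif body is not None and line:
            body.append(line)
    if body is not None:
        problems.append(f"line {start}: certificate never terminated (missing END)")
    if len(certs) < min_certs:
        problems.append(f"only {len(certs)} certificate(s) parsed: "
                        "no intermediate will be sent to clients")
    return certs, problems

# Constructed sample input: a dummy DER SEQUENCE, not a real certificate.
DUMMY_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
GOOD_CHAIN = "\n".join([BEGIN, DUMMY_B64, END, BEGIN, DUMMY_B64, END])
BROKEN_CHAIN = "\n".join([BEGIN, DUMMY_B64, BEGIN, DUMMY_B64, END])  # END missing after cert 1

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("broken", BROKEN_CHAIN)):
        certs, problems = lint_pem_chain(chain)
        print(name, len(certs), "cert(s)", *problems, sep="\n  ")
```

Point it at the file named in ssl_certificate, then compare with what the server actually presents (`openssl s_client -showcerts -connect host:443 -servername host`) to confirm the intermediate is back on the wire.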