id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
998	Intermediate cert is not sent to client with recent	jhoblitt@…		"I was preparing to replace an Alphassl DV wildcard TLS cert issued last year with one issued about a month ago.  The old and new certs are signed with the same intermediate.  Testing was OK with web browsers which have cached the Alphassl intermediate cert.  However, curl, openssl, etc. all fail to validate the new cert.  After about a day of hair pulling, I have determined that nginx is not returning the intermediate cert when using the new cert, despite it being present and in the proper order in the `ssl_certificate` file.  To be pedantic, changing only the publicly signed cert and private key causes nginx to mysteriously stop returning the intermediate to clients. The debug log traces appear almost identical between the two certs.  I have tried enabling/disabling OCSP with no change in behavior.

The new cert does have a slightly different policy attached to it but both versions are accepted by openssl's verify sub-command. I have to conclude that either alphassl is issuing certs with bad metadata, nginx is not correctly handling tls policy metadata, or both."	defect	closed	critical		nginx-core	1.10.x	invalid	ssl tls		"Linux jenkins-master 3.10.0-327.18.2.el7.x86_64 #1 SMP Thu May 12 11:03:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
"	"nginx version: nginx/1.10.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC) 
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'
"
