Nginx doesn’t support intermediate certs as separate files, so you’ll need to concatenate your intermediate cert and your server cert together to create a chain certificate:
cat server_certificate.pem intermediate_cert.pem > chain_cert.pem
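The order in that `cat` matters: nginx pairs `ssl_certificate_key` with the first certificate in the chain file, so putting the intermediate first produces the "key values mismatch" error mentioned later in this topic. As an added example (not part of the guide, and not Discourse's own tooling), the script below generates a throwaway root CA, intermediate CA and server certificate with openssl, builds the chain file both ways, and shows which order survives the same check nginx makes. Every file name, subject and host name in it is a demo assumption.

```shell
#!/bin/sh
# Added example, not from the original guide. Builds chain_cert.pem in the
# order the guide gives (server cert first, intermediate second) and checks
# the result the way nginx and a TLS client would. A throwaway root CA,
# intermediate CA and server certificate are generated so this runs offline;
# every file name and subject below is an assumption for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

gen_demo_pki() {
  # Extensions for the two CA certificates (root and intermediate).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  # Root CA: key + CSR, then self-signed with -signkey.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
    -extfile ca.ext -out root.pem 2>/dev/null
  # Intermediate CA signed by the root (stands in for a CA's bundle file).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout intermediate.key -out intermediate.csr 2>/dev/null
  openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.ext -out intermediate_cert.pem 2>/dev/null
  # Server certificate signed by the intermediate.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:forum.example.test\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=forum.example.test" \
    -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA intermediate_cert.pem -CAkey intermediate.key \
    -CAcreateserial -days 30 -sha256 -extfile leaf.ext -out server_certificate.pem 2>/dev/null
}

# nginx pairs ssl_certificate_key with the FIRST certificate in ssl_certificate.
# `openssl x509 -in` reads only the first PEM block, so comparing its public
# key with the private key's public half reproduces that check.
key_matches_first_cert() {  # $1 = chain file, $2 = private key
  [ "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Client-side view: does the first cert chain to the trusted root, using the
# other certs in the same file as untrusted intermediates? Caveat: this also
# passes for a wrongly ordered file, because the intermediate (now first)
# verifies against the root on its own. It does not replace the key check.
chain_validates() {  # $1 = chain file, $2 = trusted root
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

gen_demo_pki
cat server_certificate.pem intermediate_cert.pem > chain_cert.pem   # correct order
cat intermediate_cert.pem server_certificate.pem > wrong_order.pem  # wrong order

for f in chain_cert.pem wrong_order.pem; do
  printf '%s: first cert is %s\n' "$f" "$(openssl x509 -in "$f" -noout -subject)"
  if key_matches_first_cert "$f" server.key; then
    echo "  key matches first certificate: nginx would accept this file"
  else
    echo "  key values mismatch: the intermediate is first, swap the order"
  fi
  chain_validates "$f" root.pem && echo "  chain validates against root.pem"
done
```

The two checks answer different questions: `key_matches_first_cert` is what fails at nginx start-up, while `chain_validates` is what a browser does and will not notice a swapped file. Run both before restarting the web server.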
Thank you for the guide. Still works in May 2018.
Just for a later newbie like me:
I used a GoDaddy SSL certificate. GoDaddy will give you two .crt files. One is a randomly named file like “bd1ab39ff96d6ed5.crt”, the other is “gd_bundle-g2-g1.crt”. The randomly named one is “Your PositiveSSL Certificate”, and “gd_bundle-g2-g1.crt” is (GoDaddy’s, I guess) the “Intermediate CA Certificate” mentioned below. If you get them in the wrong order, you will get a key values mismatch error. Check here for more.
What does it mean?
I have intermediate.crt; how can I concatenate the cert files?
From what I remember of doing this years ago, it’s simply copying and pasting a bunch of chunks into a single file.
I do, however, recommend just forgetting about this mess and going with Let’s Encrypt.
I just installed a new instance of discourse on one of our machines and placing the certificates as per your recommendations does not work.
Every time I need to relaunch the application, I need to copy the SSL certificates over in order to get Nginx to accept them:
cp /root/certificates/<fqdn>* /var/discourse/shared/standalone/ssl/
where the /root/certificates folder contains the following files:
# ls -lha /root/certificates/<fqdn>*
-rw-r--r-- 1 root root 1.5K Mar 26 14:52 /root/certificates/<fqdn>.cer
-rw-r--r-- 1 root root 1.5K Mar 26 15:36 /root/certificates/<fqdn>_ecc.cer
-rw------- 1 root root 1.7K Mar 26 15:37 /root/certificates/<fqdn>_ecc.key
-rw------- 1 root root 1.7K Mar 26 14:51 /root/certificates/<fqdn>.key
Two points are surprising me:
1. The ssl folder: <fqdn>.[cer|key] and <fqdn>_ecc.[cert|key]
2. The _ecc certificates and the regular ones?
Cheers,
Emmanuel
First, the usual question: what is the reason you’re going through this process, rather than using automatically renewing certs via Let’s Encrypt? Manual certs are more complicated, require a deeper knowledge of Linux system administration and cryptography, and of course aren’t free.
What are the certs? Have you looked at them? The only thing I can think of that would be creating certs automatically is Let’s Encrypt. If they’re being created, they should be valid…
ECC is Elliptic Curve Cryptography, a type of key algorithm. Presumably that cert uses the ECDSA algorithm while the “regular” one uses a different algorithm.
What does your app.yml look like? Do you have the letsencrypt template installed for some reason? That could be overwriting your certs, maybe.
What do the invalid ones look like?
You are absolutely right. Unfortunately, our instance is not accessible from the internet (people need to connect through VPN to access it)…
Due to GDPR restrictions and various local laws about confidential information, it is usually easier to prevent access from Internet…
I left the default in the app.yml, which uses Let’s Encrypt. This was certainly an error on my side. The key is an empty file. I believe it comes from the fact that Let’s Encrypt fails to connect back to the machine.
Since you’re not using Let’s Encrypt, you should not use the Let’s Encrypt template, so just delete or comment out that template from your app.yml.
Also, you can edit your posts rather than replying to yourself a bunch of times.
Thanks for the reply. You are right the Let’s Encrypt template is activated.
That was it. Thanks!
Sorry about the replies to myself. I just wanted to quote the portion of your answer so you would know which part of your answer I was referring to.
Glad you got it. FYI (we’re all here to learn), you can repeatedly select text and click quote, even if you navigate to other topics!
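The exchange above was resolved by reading the files in the ssl folder by hand: an empty .key left behind by the Let’s Encrypt template, and an _ecc pair next to a regular pair. As an added example (not part of the thread, and not Discourse’s own tooling), the script below audits a directory laid out the way the thread describes (<fqdn>.cer with <fqdn>.key, plus the _ecc variants) and reports, per pair, the public key algorithm named in the certificate, whether the key file is empty or unreadable, whether the key actually belongs to the certificate, and whether the certificate expires within 30 days. The directory, host name and broken pairs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits a Discourse-style ssl
# directory: key algorithm per certificate (the _ecc pair vs the regular
# pair), empty key files, key/cert mismatches and approaching expiry.
# The directory, host name and files below are constructed for the demo;
# only the <fqdn>.cer + <fqdn>.key layout is taken from the thread.
set -eu

SSL_DIR=$(mktemp -d)
FQDN=forum.example.test
EXPIRY_WINDOW=2592000   # seconds: flag certificates expiring within 30 days

make_demo_dir() {
  # Regular pair: RSA key, self-signed, valid for 60 days.
  openssl req -x509 -newkey rsa:2048 -nodes -days 60 -subj "/CN=$FQDN" \
    -keyout "$SSL_DIR/$FQDN.key" -out "$SSL_DIR/$FQDN.cer" 2>/dev/null
  # _ecc pair: P-256 key, self-signed, valid for only 10 days.
  openssl ecparam -name prime256v1 -genkey -noout -out "$SSL_DIR/${FQDN}_ecc.key"
  openssl req -x509 -new -key "$SSL_DIR/${FQDN}_ecc.key" -days 10 -subj "/CN=$FQDN" \
    -out "$SSL_DIR/${FQDN}_ecc.cer" 2>/dev/null
  # Broken pair: certificate present, key file written but empty (the
  # symptom reported above when the Let's Encrypt template cannot run).
  cp "$SSL_DIR/$FQDN.cer" "$SSL_DIR/broken.example.test.cer"
  : > "$SSL_DIR/broken.example.test.key"
  # Mismatched pair: an RSA certificate sitting next to the EC key.
  cp "$SSL_DIR/$FQDN.cer" "$SSL_DIR/mismatch.example.test.cer"
  cp "$SSL_DIR/${FQDN}_ecc.key" "$SSL_DIR/mismatch.example.test.key"
}

# Public key algorithm named in the certificate: rsaEncryption or id-ecPublicKey.
cert_algorithm() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*Public Key Algorithm: //p' | head -n 1
}

# Prints "STATUS ALGORITHM" for one certificate/key pair, checking the cheap
# and fatal conditions first (no key, empty key) before the cryptographic ones.
inspect_pair() {  # $1 = certificate, $2 = private key
  crt=$1 key=$2
  alg=$(cert_algorithm "$crt")
  if [ ! -e "$key" ]; then echo "MISSING_KEY $alg"; return; fi
  if [ ! -s "$key" ]; then echo "EMPTY_KEY $alg"; return; fi
  if ! openssl pkey -in "$key" -noout 2>/dev/null; then echo "UNREADABLE_KEY $alg"; return; fi
  # Same public key on both sides is what nginx requires at start-up.
  if [ "$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)" != \
       "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
    echo "KEY_MISMATCH $alg"; return
  fi
  # -checkend returns non-zero when the cert expires within the window.
  if ! openssl x509 -in "$crt" -noout -checkend "$EXPIRY_WINDOW" >/dev/null 2>&1; then
    echo "EXPIRING_SOON $alg"; return
  fi
  echo "OK $alg"
}

make_demo_dir
for cert in "$SSL_DIR"/*.cer; do
  printf '%-32s %s\n' "$(basename "$cert")" "$(inspect_pair "$cert" "${cert%.cer}.key")"
done
```

Point `SSL_DIR` at a real /var/discourse/shared/standalone/ssl/ and drop `make_demo_dir` to use it on a live install; an EMPTY_KEY or KEY_MISMATCH line is exactly the state that made nginx reject the certificates above.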
Thank you. It works great!
Is there a command option to install a new TLS certificate without running “./launcher rebuild app”?
I ask because our servers are running on v2.4.0beta5 with a custom plugin that breaks on anything after v2.5. When I run “./launcher rebuild app,” my system magically gets upgraded to v2.6.0.beta1
I understand the right way to go about this would be to hire a developer to re-write the plugin for v2.6.0beta1, but the TLS cert expires in a month, and I feel concerned that I may not have enough time for them to complete the work.
Sure is, look at my posts from January in this topic.
If you’re using a standard install, it’ll renew in a couple of days.
Thank you for getting back to me so quickly. I used ./launcher restart app and it picked up the renewed Comodo/Sectigo TLS cert without any problems! LIFESAVER. I will sleep better tonight.
Thanks for this guide. I am running into a bizarre problem when trying to use an external NGINX on the same server.
I did the following:
However, I am getting the “mixed content” warning and it’s only for a single resource: /uploads/default/optimized/1X/_129430568242d1b7f853bb13ebea28b3f6af4e7_2_512x512.png. This appears to be the site icon. I can’t figure out why this single image is being served over http while everything else is https…
edit: I fixed it by uploading a new site icon. I was using the default that it shipped with previously…
I encountered the same problem in the same scenario. Seems wrong that some assets use the wrong scheme, even if they are replaceable
If it is ERR_TIMEOUT, check the safety group and add an https-443 rule on the server, e.g. AWS EC2. It worked in my situation.