Comodo InstantSSL with Nginx refuses to work

user683812 asked:

I have a problem that I’m about to just give up on. I’ve spent weeks trying every possible solution including Comodo signing a new cert for me.

The setup is Nginx (latest, stable) using a Comodo PositiveSSL certificate. I’ve followed various guides to get the PEM files and everything seems to … kinda work.

The Nginx config file is (in /etc/nginx/sites-enabled/):

server {

    listen 443;

    ssl on;
    ssl_certificate /etc/nginx/ssl/crm.markdain.net.pem;
    ssl_certificate_key /etc/nginx/ssl/crm.markdain.net.key;

    server_name crm.markdain.net;

    access_log /home/mark/www-logs/crm.markdain.net/secure-access.log;
    error_log /home/mark/www-logs/crm.markdain.net/secure-error.log;

    ssl_protocols               SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                 ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;
    ssl_prefer_server_ciphers   on;

    keepalive_timeout 60;

    ssl_session_timeout 5m;

    location / {
            root /home/mark/www/crm.markdain.net;
            index index.php;
    }

    location ~ \.php$ {
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /home/mark/www/crm.markdain.net$fastcgi_script_name;
            include fastcgi_params;
    }

    location ~ /\.ht { deny all; }
    location ~ ^/error_reports/ { deny all; }

}

OpenSSL returns “No client certificate CA names sent”, which I’m not sure is an issue.

Here’s the main problem:

Just going to the domain https://crm.markdain.net/ – All browsers fail (Chrome, Firefox, Opera, Safari).
Going to https://www.crm.markdain.net/ – Suddenly everyone is happy.

Both domains return “Assessment failed: No secure protocols supported” on SSL labs and to make things more odd, Lynx is fine with both domains – It seems like everyone has a different response. This is the first time I’ve had to set up SSL and I’m now out of ideas as to why this is happening.


I answered:

You should have received two files from Comodo when you were sent your SSL certificate. The first being your signed certificate itself, the second being a CA bundle.

If you didn’t receive both of these, go back to wherever you got the certificate and complain.

Once you have them both, you need to concatenate them together into a chain before supplying the result to nginx:

cat crm.markdain.net.crt crm.markdain.net.ca-bundle > crm.markdain.net-bundle.crt

Supply the resulting file as the ssl_certificate to nginx.
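
A check for the concatenated file described above, added here as an example and not part of the original answer: it confirms the bundle is ordered leaf first, that each certificate was issued by the one after it, and that `cat` did not fuse two PEM blocks together. The function name `check_bundle` and its return codes are assumptions of this example.

```shell
#!/bin/sh
# check_bundle FILE   (hypothetical helper, not an nginx or openssl command)
#   0: leaf first, every certificate's issuer is the next certificate's subject
#   1: chain problem (no intermediate included, or wrong order)
#   2: unreadable or malformed PEM
check_bundle() {
    bundle=$1
    [ -r "$bundle" ] || return 2
    # cat-ing a file that lacks a trailing newline fuses the END and BEGIN
    # markers onto one line, which PEM parsers reject.
    if grep -q -e 'END CERTIFICATE-----[^[:space:]]' "$bundle"; then
        echo "malformed: no newline between certificates" >&2
        return 2
    fi
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    if [ "$count" -lt 2 ]; then
        echo "chain problem: $count certificate(s), no intermediate included" >&2
        return 1
    fi
    tmp=$(mktemp -d) || return 2
    # Split the bundle into cert.1.pem, cert.2.pem, ... in file order.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/cert." n ".pem") }' "$bundle"
    rc=0
    i=1
    while [ "$i" -lt "$count" ]; do
        next=$((i + 1))
        # Compare name hashes: issuer of cert i against subject of cert i+1.
        issuer=$(openssl x509 -in "$tmp/cert.$i.pem" -noout -issuer_hash)
        subject=$(openssl x509 -in "$tmp/cert.$next.pem" -noout -subject_hash)
        if [ "$issuer" != "$subject" ]; then
            echo "chain problem: cert $i was not issued by cert $next" >&2
            rc=1
        fi
        i=$next
    done
    rm -rf "$tmp"
    return "$rc"
}
```

This compares issuer and subject names only; it does not verify signatures or trust, for which `openssl verify` against the CA bundle is the stronger check.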


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.