Steps to install a Comodo PositiveSSL certificate with Nginx.

Setting up an SSL Cert from Comodo

I use Namecheap.com as a registrar, and they resell SSL certs from a number of other companies, including Comodo.

These are the steps I went through to set up an SSL cert.

Purchase the cert

Before purchasing a cert, you need to generate a private key and a CSR (Certificate Signing Request) file. You'll be asked to paste the contents of the CSR file when ordering the certificate.

openssl req -new -newkey rsa:2048 -nodes -keyout example_com.key -out example_com.csr

This gives you two files:

  • example_com.key -- your private key. You'll need this later to configure nginx.
  • example_com.csr -- Your CSR file.

Now, purchase the certificate [1], follow the steps on their site, and you should soon get an email with your PositiveSSL Certificate. It contains a zip file with the following:

  • Root CA Certificate - AddTrustExternalCARoot.crt
  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  • Your PositiveSSL Certificate - www_example_com.crt (or the subdomain you gave them)

Install the Comodo SSL cert

Combine everything for nginx [2]:

  1. Combine the above crt files into a bundle (the order matters here):

    cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
    
  2. Store the bundle wherever nginx expects to find it:

    mkdir -p /etc/nginx/ssl/example_com/
    mv ssl-bundle.crt /etc/nginx/ssl/example_com/
    
  3. Ensure your private key is somewhere nginx can read it, as well:

    mv example_com.key /etc/nginx/ssl/example_com/
    
  4. Make sure your nginx config points to the right cert file and to the private key you generated earlier:

    server {
        listen 443;
    
        ssl on;
        ssl_certificate /etc/nginx/ssl/example_com/ssl-bundle.crt;
        ssl_certificate_key /etc/nginx/ssl/example_com/example_com.key;
    
        # side note: only use TLS since SSLv2 and SSLv3 have had recent vulnerabilities
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
        # ...
    
    }
    
  5. Restart nginx.
[1]I purchased mine through Namecheap.com.
[2]Based on these instructions: http://goo.gl/4zJc8
@allaire

allaire commented Jan 24, 2014

Thanks!

@cliftonlabrum

cliftonlabrum Feb 25, 2014

Great tutorial, thank you!

@full-of-foo

full-of-foo Mar 4, 2014

Helpful! 👍

@bscutt

bscutt Mar 16, 2014

Thanks - that was a great help!

@monecchi

monecchi May 26, 2014

Great tutorial it helped me a lot on getting started with the main steps. Thanks! Anyway, sorry for the newbie question, but how am I supposed to execute the commands which will combine the crt files into a bundle? I mean, Do I have to upload the crt files first to the root directory of my server and then execute the command on a terminal app? I use Mac OSX and I use the Terminal.app to ssh on my server

@rmdort

rmdort Jul 21, 2014

To fix Firefox showing This connection is untrusted you need to create the bundle with all these files

cat yourdomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> ssl-bundle.crt

Additionally, you can disable SSL 2 in the server{ } block

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;

Test your site here https://www.ssllabs.com/ssltest/index.html

@wesmattson

wesmattson Jul 30, 2014

I also used namecheap to purchase my PositiveSSL cert last night. Read what rmdort posted above, that is what finally got this working for me. Thanks rmdort and bradmontgomery!

@minhhahl

minhhahl Aug 5, 2014

I am using COMODO certification. I have done as @rmdort said.

I've run ssltest on web application and it found "Chain issues - Contains anchor" (section "Additional Certificates (if supplied)")

In this link http://security.stackexchange.com/questions/24561/ssltest-chain-issues-contains-anchor
They said that the root certificate (AddTrustExternalCARoot.crt) should not be included in ssl-bundle.crt because it is included in the client. It may be the reason for "Chain issues - Contains anchor".

Does anyone have any idea about this point? Should we include the root certificate or not?

@dltj

dltj Sep 16, 2014

@minhhahl -- For what it's worth, that StackExchange post was right on. I combined the domain's cert, COMODORSADomainValidationSecureServerCA.crt and COMODORSAAddTrustCA.crt into one file (leaving off AddTrustExternalCARoot.crt) and my site passed the SSL labs test.

cat yourdomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > ssl-bundle.crt

@goethewins

goethewins Nov 1, 2014

Do you add BOTH intermediate certs to the bundle???
which first? 1 and then 2?

COMODO RSA Certification Authority
COMODO RSA Domain Validation Secure Server CA

?

@dylanvalade

dylanvalade Jan 15, 2015

My certificate zip included 4 files. I used cat to chain all 4 files together and it worked correctly - a pretty green lock in the browser address bar.
cat domain.crt intermediate1.crt intermediate2.crt authority.crt > domain.chained.crt

Suggested addition to the Gist in response to @dillchuk's comment about verifying:

6. Restart nginx.

Test to see if your new configuration is valid (if the test fails, go to step 7)
sudo service nginx configtest

If configtest passes without errors then reload
sudo service nginx reload

7. Testing your .key, .csr and chained .crt files with openssl CLI

The output of these three commands should be an identical hash. If one is different, you will see an error when running nginx configtest.

Sample output
Modulus=CC9DE72...99C4564AA985E28877D

Test key
openssl rsa -noout -modulus -in example.com.key

Test CSR
openssl req -noout -modulus -in example.com.csr

Test original crt and bundled crt separately. I find that 50% of the time I've uploaded the wrong .crt (old from same domain) and didn't realize it. The rest of the time it has either bundled the wrong files or the wrong order.
openssl x509 -noout -modulus -in example_com.crt
openssl x509 -noout -modulus -in ssl-bundled.crt

@CCrashBandicot

CCrashBandicot Mar 3, 2015

thanks helpful ! (y)

@reustle

reustle Mar 13, 2015

Thanks @dltj, that works perfectly for fixing the untrusted ssl error on chrome mobile.

@bradmontgomery

bradmontgomery Mar 14, 2015

Thanks to everyone who's left updated comments, here: @rmdort, @minhhahl, @dltj, @dylanvalade. You've all been a huge help!

I've recently chained all 4 files together, and things seem to be ok, but I do also get the Chain issues Contains anchor warning at the SSL labs test.

cat www_bradmontgomery_net.crt COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

I've also disabled both SSLv2 and SSLv3, using only TLS in nginx:

# NO SSLv3, it's vulnerable to POODLE, see: http://goo.gl/zS3QXH
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

I should probably update the original document.

@dbosen

dbosen Mar 26, 2015

Implement Strict Transport Security to get an A+

@cboettig

cboettig Apr 1, 2015

Great help and great thread. I had to add Forward Security:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

and also add Strict Transport Security:

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

to get this to an A+

@dillchuk

dillchuk Apr 15, 2015

Just great, that finally got it. Just wondering, is there a way to test on the CLI? Something like:

openssl verify bundle.crt my.key

@eadz

eadz May 7, 2015

@bradmontgomery I believe that warning is due to adding the 'AddTrustExternalCARoot' which is already included in your browser. Removing that cert removes the warning for me.

@ghuntley

ghuntley May 20, 2015

Handy reference but be aware of the sneaky affiliate link 😄

@dovy

dovy May 25, 2015

So useful. They should just ship us one precompiled like GoDaddy. Bah.

@adam-weber

adam-weber Jun 5, 2015

Very useful, thanks!

@coyotespike

coyotespike Jul 21, 2015

I have like 5 SSL tutorials open right now, and this is the best. Thanks!

@Hates

Hates Jul 28, 2015

Brilliant. Thanks a lot! 👍

@mailmevenkat

mailmevenkat Aug 9, 2015

Thanks a lot! Worked with Websockets (NodeJS) too 👍

@b-a-t

b-a-t Aug 25, 2015

Somehow I keep ending up on this page all the time, so it seems it's a popular answer to the problem with Comodo certificates and nginx. Unfortunately, with a recent enough (2015) Qualys.com SSL test the given instructions lead either to "Chain issues: Contains anchor" or "Extra download". After a bit more digging I came up with the recipe that makes the SSL test happy.

To avoid the anchor error you should omit the Root CA certificate from the bundle. So, the bundle should contain:

 cat example.com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > ssl-bundle.crt

If you omit COMODORSAAddTrustCA.crt from the bundle you'll get rid of the anchor error, but will get the "extra download" warning.

If you want (and you do!) to get OCSP stapling enabled on your server, then you need the full certificate chain to be available to the server. To work around the problem described above, nginx has another directive that makes a certificate known to the server but not sent to the client: ssl_trusted_certificate.

cat AddTrustExternalCARoot.crt > trusted.crt

And final config should contain those lines:

ssl_protocols                           TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                             ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers               on;
ssl_stapling                            on;
ssl_stapling_verify                     on;

ssl_dhparam                             "/etc/nginx/certs/dhparam.pem";
ssl_certificate                         "/etc/nginx/certs/ssl-bundle.crt";
ssl_trusted_certificate                 "/etc/nginx/certs/trusted.crt";
ssl_certificate_key                     "/etc/ssl/private/example.com.key";

ssl_session_cache                       shared:SSL:10m;
ssl_session_timeout                     10m;
  1. How to fix "Chain issues:contains anchor"
  2. ssltest: Chain issues - Contains anchor
  3. How to fix "Extra download"
  4. Multiple certificate paths
  5. What is wrong with my SSL trust chain?
  6. SSL Certificate Chain Resolver - handy tool to build correct certificates chain
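
As an added example that is not part of the gist or of any comment here, the following Python script builds the two files the steps in the gist and b-a-t's comment above describe: ssl-bundle.crt (your certificate first, then the intermediates in the order given, with the root left out so SSL Labs does not report "Contains anchor") and trusted.crt (the root alone, for ssl_trusted_certificate). It also lints an existing bundle for the problems this thread ran into: the fused END/BEGIN line that nginx rejects as "bad end line", a bundle with no intermediates, a duplicated certificate, and a root that should not be there. The certificate bodies are constructed placeholders, and the function names are my own. It checks PEM structure only, not signatures, so openssl verify or the SSL Labs test remains the authority on whether the chain order is right.

```python
"""Assemble and lint the PEM bundle nginx loads via ssl_certificate.

Added example for this thread, not code from the gist or from Comodo/nginx.
Standard library only; the certificate bodies used below are constructed
placeholders, not real certificates.
"""
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


def pem_bodies(text):
    """Return the base64 body of every certificate in text, whitespace removed.

    Tolerates an END line fused onto the next BEGIN line, which is what
    `cat a.crt b.crt` produces when a.crt has no trailing newline and what
    nginx rejects with 'PEM routines:PEM_read_bio:bad end line'.
    """
    begins, ends = text.count(BEGIN), text.count(END)
    bodies = ["".join(b.split()) for b in PEM_BLOCK.findall(text)]
    if begins != ends or len(bodies) != begins:
        raise ValueError("unbalanced BEGIN/END CERTIFICATE lines")
    if not bodies:
        raise ValueError("no certificate block found")
    return bodies


def to_pem(body, width=64):
    """Re-wrap one base64 body as a well-formed PEM block ending in a newline."""
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def lint_bundle(text, root_text=None):
    """List the bundle problems discussed in this thread; [] means clean."""
    issues = []
    if re.search(re.escape(END) + r"\S", text):
        issues.append("END line fused with the next BEGIN line (nginx: bad end line)")
    try:
        bodies = pem_bodies(text)
    except ValueError as exc:
        return issues + [str(exc)]
    if len(bodies) < 2:
        issues.append("only one certificate: intermediates are missing (browsers may show it untrusted)")
    if len(set(bodies)) != len(bodies):
        issues.append("the same certificate appears more than once")
    if root_text is not None and pem_bodies(root_text)[0] in bodies:
        issues.append("bundle contains the root CA (SSL Labs: Chain issues - Contains anchor)")
    return issues


def build_bundle(leaf_text, intermediate_texts, root_text=None):
    """Return (ssl_bundle, trusted) as PEM text.

    ssl_bundle: leaf first, then the intermediates in the order given (the
    one that signed the leaf first). The root, if given, is kept out of the
    bundle and returned separately for nginx's ssl_trusted_certificate.
    """
    leaf = pem_bodies(leaf_text)
    if len(leaf) != 1:
        raise ValueError("leaf file must hold exactly one certificate")
    chain = list(leaf)
    for text in intermediate_texts:
        chain.extend(pem_bodies(text))
    roots = pem_bodies(root_text) if root_text else []
    chain = [b for b in chain if b not in roots]
    return "".join(map(to_pem, chain)), "".join(map(to_pem, roots))


def _fake_cert(label):
    # Constructed placeholder body; real .crt files carry a DER-encoded X.509 cert.
    return to_pem(base64.b64encode(f"constructed {label} certificate".encode()).decode())


LEAF = _fake_cert("www_example_com")
INTER_DV = _fake_cert("COMODORSADomainValidationSecureServerCA")
INTER_ADDTRUST = _fake_cert("COMODORSAAddTrustCA")
ROOT = _fake_cert("AddTrustExternalCARoot")

if __name__ == "__main__":
    broken = LEAF.rstrip("\n") + INTER_DV  # a .crt without trailing newline, then cat
    print("broken bundle:", lint_bundle(broken))
    bundle, trusted = build_bundle(LEAF, [INTER_DV, INTER_ADDTRUST], ROOT)
    print("built bundle:", lint_bundle(bundle, ROOT), "certs:", len(pem_bodies(bundle)))
    print("root appended:", lint_bundle(bundle + ROOT, ROOT))
```

Run it as-is to see the three lint results; to use it on real files, read each .crt into a string and write the two returned strings to the paths your ssl_certificate and ssl_trusted_certificate directives point at.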

@ghost

ghost Sep 12, 2015

Thanks a lot!
It wasn't that easy to come by the correct procedure (by that, I mean, in which order to concatenate the cert files).

@kevindeasis

kevindeasis Sep 12, 2015

is "ssl on" deprecated? and it might be a good idea to have "listen 443 ssl";

@trilobit

trilobit Sep 27, 2015

Thanks a lot! 👍

@abhishesh

abhishesh Sep 28, 2015

Thanks Bro !

@alexandruhera

alexandruhera Oct 8, 2015

Hi guys!

I just got an SSL cert from Comodo, but for some reason the chain doesn't work; I've tried every method.
I'm running nginx 1.9.5 with hhvm.

I've made a bundle like this:

cat alexhera_me.crt comodorsadomainvalidationsecureserverca.crt comodorsaaddtrustca.crt > ssl-bundle.crt

and the other one
cat addtrustexternalcaroot.crt > trusted.crt

So, the first one I've added to ssl_certificate in the nginx config.
The second is the ssl_trusted_certificate.

But when I save the config file and restart the server I get this error.

    Restarting nginx nginx
    nginx: [emerg] PEM_read_bio_X509("/etc/nginx/ssl/ssl-bundle.crt") failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line)
    nginx: configuration file /etc/nginx/nginx.conf test failed

@ianrobrien

ianrobrien Oct 14, 2015

@alexandruhera make sure that your lines end with semicolon ; and that /etc/nginx/ssl/ssl-bundle.crt exists.

You can test config with nginx -t

@natesymer

natesymer Oct 18, 2015

This is where you can get the root & intermediate certs (they're no longer included in the emailed zip file)

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/979/108/domain-validation-sha-2

@rlfrahm

rlfrahm commented Oct 20, 2015

Thanks!

@Berndinox

thanks!

@MBuffenoir

MBuffenoir Oct 28, 2015

Thanks so much ... works with haproxy too

@XristMisyris

Thanks!!!!

@MuhClaren

MuhClaren Nov 8, 2015

This helped solve my Android / Chrome woes. Thanks a bunch. Also, thanks @b-a-t for the OCSP stapling guide, it worked straight away.

@lubosdz

lubosdz Nov 26, 2015

Yes, do not add AddTrustExternalCARoot.crt, it's not needed.
For Windows users: the bundle certificate can simply be created by hand by copying the blocks into a file ssl-bundle.crt with this content:

-----BEGIN CERTIFICATE-----
MIIFOTCCBCGgAwIBAgIQT5ZKyUQaERXKiNTtx3ZaITANBgkqhkiG9w0BAQsFADCB
..... your domain certificate (www_example_com.crt) .....
pn5dLjAsP86UWi5J7wD2hvuLbzmUmmnbCs5k4pleb37FU18E6Q1qiexjWYlx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
..... COMODORSADomainValidationSecureServerCA.crt .....
+AZxAeKCINT+b72x
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv
..... COMODORSAAddTrustCA.crt ..........
pu/xO28QOG8=
-----END CERTIFICATE-----

If you receive the message "invalid number of arguments in ssl_ciphers" then you probably missed the semicolon ; at the end of the line (applies to the nginx config above by b-a-t, which otherwise works OK).

And preferably use more ciphers for better support on mobile devices:

ssl_ciphers  'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
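
Added example, not from the gist, from any commenter, or from nginx itself: a small Python checker that reads the directives of a server block and flags the points raised across this thread, namely SSLv2/SSLv3 in ssl_protocols, RC4 left enabled in ssl_ciphers, "ssl on" instead of "listen 443 ssl", the lost semicolon that nginx reports as "invalid number of arguments", a missing Strict-Transport-Security header, and ssl_stapling_verify without ssl_trusted_certificate. The two configurations below are constructed: the weak one mirrors settings posted early in this thread, the hardened one the later advice. nginx -t remains the real syntax check; this only catches what it is written to look for.

```python
"""Lint the TLS directives of an nginx server block for the mistakes this
thread ran into. Added example, not nginx's own tooling and not from the
gist; `nginx -t` remains the real syntax check. Standard library only."""
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# Directives that take exactly one argument. A surplus 'argument' usually means
# the previous line lost its ';', which nginx reports as
# 'invalid number of arguments in "..." directive'.
SINGLE_ARG = {"ssl", "ssl_certificate", "ssl_certificate_key", "ssl_trusted_certificate",
              "ssl_ciphers", "ssl_prefer_server_ciphers", "ssl_stapling",
              "ssl_stapling_verify", "ssl_dhparam"}


def tokenize(text):
    """Split config text into words and the punctuation ; { }, honouring quotes
    (so "max-age=31536000; includeSubdomains" stays one word) and # comments."""
    tokens, word, quote, comment = [], [], None, False
    for ch in text:
        if comment:
            comment = ch != "\n"
        elif quote:
            if ch == quote:
                quote = None
            else:
                word.append(ch)
        elif ch in "\"'":
            quote = ch
        elif ch == "#":
            comment = True
        elif ch in ";{}" or ch.isspace():
            if word:
                tokens.append("".join(word))
                word = []
            if ch in ";{}":
                tokens.append(ch)
        else:
            word.append(ch)
    if word:
        tokens.append("".join(word))
    return tokens


def parse(text):
    """Group tokens into directive statements; report statements lacking ';'."""
    stmts, issues, cur = [], [], []
    for tok in tokenize(text):
        if tok == ";":
            if cur:
                stmts.append(cur)
            cur = []
        elif tok == "{":
            cur = []  # 'server {' and friends: a block header, not a directive
        elif tok == "}":
            if cur:
                issues.append(f'"{cur[0]}" is not terminated by ";" before "}}"')
            cur = []
        else:
            cur.append(tok)
    if cur:
        issues.append(f'"{cur[0]}" is not terminated by ";" at end of input')
    return stmts, issues


def lint(text):
    """Return the findings for one server block; [] means nothing was flagged."""
    stmts, issues = parse(text)
    seen = {}
    for name, *args in stmts:
        if name in SINGLE_ARG and len(args) != 1:
            issues.append(f'invalid number of arguments in "{name}" (missing ";" on that line?)')
            continue
        seen.setdefault(name, []).append(args)
    if ["on"] in seen.get("ssl", []):
        issues.append('"ssl on" is deprecated since nginx 1.15.0; use "listen 443 ssl;"')
    elif not any("ssl" in args for args in seen.get("listen", [])):
        issues.append('no "listen ... ssl": this server block does not speak TLS')
    for args in seen.get("ssl_protocols", []):
        weak = sorted(WEAK_PROTOCOLS & set(args))
        if weak:
            issues.append(f"ssl_protocols enables {', '.join(weak)} (POODLE-class downgrade risk)")
    for args in seen.get("ssl_ciphers", []):
        # Textual check only: an explicit RC4 entry with no trailing !RC4.
        # `openssl ciphers -v '<spec>'` shows what a spec really enables.
        parts = re.split(r"[:\s]+", args[0])
        if "!RC4" not in parts and any("RC4" in p and not p.startswith("!") for p in parts):
            issues.append("ssl_ciphers still allows RC4")
    if not any(args and args[0] == "Strict-Transport-Security" for args in seen.get("add_header", [])):
        issues.append("no Strict-Transport-Security header (needed for an A+ at SSL Labs)")
    if ["on"] in seen.get("ssl_stapling_verify", []) and "ssl_trusted_certificate" not in seen:
        issues.append("ssl_stapling_verify needs ssl_trusted_certificate to verify the OCSP response")
    return issues


# Constructed configs: the first mirrors settings posted early in this thread
# (plus a lost semicolon), the second the later advice.
WEAK_CONF = """
server {
    listen 443;
    ssl on;
    ssl_certificate /etc/nginx/ssl/example_com/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/example_com/example_com.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
    ssl_prefer_server_ciphers on
    ssl_stapling on;
}
"""

HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/certs/ssl-bundle.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    ssl_trusted_certificate /etc/nginx/certs/trusted.crt;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
}
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint(conf) or ["no findings"])
```

The weak block yields five findings (the lost semicolon on ssl_prefer_server_ciphers, "ssl on", SSLv3, RC4, and the absent HSTS header); the hardened block yields none.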

@SpencerCooley

SpencerCooley Dec 17, 2015

When I downloaded my certificate the zip file had 3 files, but they were :

my_site.ca-bundle
my_site.crt
my_site.p7b

I am not sure what to do with those files. the crt makes sense to me, but what is the ca-bundle and p7b?

@b-a-t

b-a-t Dec 18, 2015

The ca-bundle file contains concatenated intermediate certificates in x509 PEM format. The p7b seems to contain the same information in the PKCS#7 format, but I couldn't read it with openssl pkcs7 -in command, so it seems to be supported by Windows only and in general is necessary for IIS/Tomcat.

As it was said above, you can get separate intermediate certificates from:

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/979/108/domain-validation-sha-2

@iamakimmer

iamakimmer Feb 2, 2016

Thanks! I come back to this every year the day before the certs expire

@kirkonrails

kirkonrails Feb 22, 2016

This is awesome. Thanks so much for posting this!

@ammislam

ammislam Apr 13, 2016

It looks like this guide is for installing a new cert; I am looking for a guide to renew an existing cert which is going to expire. My stack is a Rails application with nginx + passenger, a PostgreSQL DB and Sidekiq job handlers, if they matter.

@w33zy

w33zy Apr 18, 2016

@ammislan these are the steps you would follow. To 'renew' a cert is to remove the old one and install the new one.

@chozabu

chozabu Apr 18, 2016

Hmm, I've got similar results to @SpencerCooley but my provided files are

STAR_example_com.ca-bundle 
STAR_example_com.crt

This runs fine on my test server just using the crt file - but I wonder if I need to combine them first? (and why?)

@chozabu

chozabu Apr 18, 2016

@SpencerCooley looks like the info we need is here: https://support.comodo.com/index.php?/Default/Knowledgebase/List/Index/37

PREREQUISITES: Concatenate the CAbundle and the certificate file which we sent you using the following command.
cat STAR_example_com.crt STAR_example_com.ca-bundle > ssl-bundle.crt

(formatted to be a more exact match for what I actually typed, with domain name checked)

And for more info - using just the original crt file works, but https://www.sslshopper.com/ssl-checker.html mentioned it is missing some trust chain, and some browsers will be unhappy.

After combining the certs as above, everything seems groovy.

chozabu commented Apr 18, 2016

@SpencerCooley looks like the info we need is here: https://support.comodo.com/index.php?/Default/Knowledgebase/List/Index/37

PREREQUISITES: Concatenate the CAbundle and the certificate file which we sent you using the following command.
cat STAR_example_com.crt STAR_example_com.ca-bundle > ssl-bundle.crt

(formatted to be a more exact match for what I actually typed, with domain name checked)

And for more info - using just the original crt file works, but https://www.sslshopper.com/ssl-checker.html mentioned it is missing some trust chain, and some browsers will be unhappy.

After combining the certs as above, everything seems groovy.

pmuens Apr 21, 2016

Great guide! Thanks man!

WesleyRibs

tks !

Rigoni Jun 14, 2016

Great tutorial!

But if you don't concatenate the AddTrustExternalCARoot.crt file, the site www.ssllabs.com doesn't show Chain Issues -> Contains Anchor.

I have not concatenated it, and it shows me Chain Issues -> None.
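
The two comments above (chozabu's, on concatenating the .crt with the .ca-bundle because the bare certificate leaves the trust chain incomplete, and Rigoni's, on SSL Labs reporting "Contains anchor" when AddTrustExternalCARoot.crt is included) are both about what the file behind ssl_certificate actually contains. The following is an added example, not code from the gist or from either commenter. It builds a throw-away root -> intermediate -> leaf hierarchy with openssl (int.crt and root.crt are assumed stand-ins for the Comodo intermediate and the AddTrust root), assembles the chain file the way the gist does, then checks it the way a client would: does it verify up to a trusted root, does the private key belong to the first certificate, and does it carry the root itself.

```shell
#!/bin/sh
# Added example, not code from the gist: build a throw-away test PKI with
# openssl, then check a chain file the way nginx and a browser will use it.
# int.crt and root.crt are assumed stand-ins for the Comodo intermediate and
# the AddTrust root; www_example_com.crt is the leaf, named as in the gist.
set -eu

DEMO_DIR=$(mktemp -d)
cd "$DEMO_DIR"

# --- constructed test hierarchy: root -> intermediate -> leaf ---------------
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > leaf.ext
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj '/CN=Test Root CA' -keyout root.key -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=Test Intermediate CA' -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile ca.ext -out int.crt 2>/dev/null
# the leaf CSR is the gist's own command, plus -subj so it runs unattended
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=www.example.com' \
  -keyout example_com.key -out example_com.csr 2>/dev/null
openssl x509 -req -in example_com.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 365 -sha256 -extfile leaf.ext -out www_example_com.crt 2>/dev/null

# Four candidate files for nginx's ssl_certificate directive:
cat www_example_com.crt int.crt          > ssl-bundle.crt       # leaf + intermediate: serve this
cat www_example_com.crt int.crt root.crt > ssl-bundle-root.crt  # plus the root: works, "Contains anchor"
cp  www_example_com.crt                    leaf-only.crt        # leaf alone: incomplete chain
cat int.crt www_example_com.crt          > wrong-order.crt      # intermediate first: wrong

# --- checks ----------------------------------------------------------------

# Number of certificates in a PEM file.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Split a PEM bundle into $2/cert-1.pem, $2/cert-2.pem, ... (cert-1 is what
# nginx presents as the server certificate).
split_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
                   n { print > out }' "$1"
}

# True (exit 0) when the bundle builds a valid path from its first certificate,
# through the remaining ones as untrusted intermediates, to the trusted root $2.
# This is what a client does; a bundle missing an intermediate fails here, which
# is what sslshopper / SSL Labs report as an incomplete chain.
bundle_verifies() {
  d=$(mktemp -d); rc=1
  split_bundle "$1" "$d"
  for c in "$d"/cert-*.pem; do
    [ "$c" = "$d/cert-1.pem" ] || cat "$c" >> "$d/untrusted.pem"
  done
  if [ -s "$d/untrusted.pem" ]; then
    openssl verify -CAfile "$2" -untrusted "$d/untrusted.pem" "$d/cert-1.pem" >/dev/null 2>&1 && rc=0
  else
    openssl verify -CAfile "$2" "$d/cert-1.pem" >/dev/null 2>&1 && rc=0
  fi
  rm -rf "$d"; return $rc
}

# True when the private key $2 belongs to the first certificate in $1, i.e.
# ssl_certificate_key matches what nginx will present. A bundle in the wrong
# order still "verifies" above but fails this.
key_matches_bundle() {
  d=$(mktemp -d)
  split_bundle "$1" "$d"
  cert_pub=$(openssl x509 -in "$d/cert-1.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  rm -rf "$d"
  [ "$cert_pub" = "$key_pub" ]
}

# True when the bundle carries a self-signed certificate, i.e. the root itself.
# Clients must already trust the root, so sending it adds bytes to every
# handshake for nothing; SSL Labs reports it as "Chain issues: Contains anchor".
chain_contains_anchor() {
  d=$(mktemp -d); found=1
  split_bundle "$1" "$d"
  for c in "$d"/cert-*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject)
    iss=$(openssl x509 -in "$c" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] && found=0
  done
  rm -rf "$d"; return $found
}

for f in ssl-bundle.crt ssl-bundle-root.crt leaf-only.crt wrong-order.crt; do
  printf '%-20s certs=%s' "$f" "$(count_certs "$f")"
  if bundle_verifies "$f" root.crt;           then printf ' chain=OK';     else printf ' chain=INCOMPLETE'; fi
  if key_matches_bundle "$f" example_com.key; then printf ' key=match';    else printf ' key=MISMATCH';     fi
  if chain_contains_anchor "$f";              then printf ' anchor=yes\n'; else printf ' anchor=no\n';      fi
done
```

Running it with sh prints one line per candidate file. ssl-bundle.crt (leaf plus intermediate) is the one to serve. The copy with the root appended still verifies, which is why Rigoni saw only the "Contains anchor" remark and no error: the client must already trust the root, so the extra certificate is wasted bytes in every handshake. leaf-only.crt is the case sslshopper flagged for chozabu: a browser that has cached the intermediate, or fetches it from the CA, can still show the site as fine while a clean verification fails. wrong-order.crt passes the chain check but fails the key check, so neither check alone is enough. Against a real chain, point -CAfile at the system trust store (on Debian/Ubuntu, /etc/ssl/certs/ca-certificates.crt) instead of a locally generated root.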

viktor-skarlatov Jun 22, 2016

Awesome... Thanks!

lacyrhoades Jul 12, 2016

THANK YOU!! The wild world of SSL.

Scit Jul 22, 2016

Nice! Very clear instructions! Thank you!

Dethnull Aug 11, 2016

Dude you rock, I'm going to fork this just so I have a copy. This is what should be displayed on Comodo's site as their instructions were terrible.

mattaudesse

Thanks for this @bradmontgomery!

taniadaniela Sep 9, 2016

These instructions work perfectly for an SSL CA generated with register.com, with the same order of files to generate the bundle file (just replace the word Comodo with the word in your files). Thanks a lot!

leeaustinadams Sep 18, 2016

Thanks for the detailed writeup, I was looking for exactly this!

evgenosiptsov

Thanks!

qazwsx9006

Thanks!

eugenbg Nov 28, 2016

thank you!

ndemoreau Dec 3, 2016

Thank you! You made my day!

tengfei86

Great!

PriteshJain Dec 31, 2016

Saved my ass today. example_com.crt was working for desktop but not for mobile. Followed your steps and now it's working perfectly fine.

newcoupon Feb 26, 2017

Very useful, thanks!

dutronlabs Mar 4, 2017

This is amazing. Thank you!!!

p-thurner Mar 12, 2017

Good how-to! There is a "generator" for good SSL configs for nginx and Apache. You can specify the version of the web server and your OpenSSL version:

https://mozilla.github.io/server-side-tls/ssl-config-generator/

Mashpy Mar 30, 2017

Thank you for the solution. I have written a tutorial on how to install PositiveSSL on your website using the nginx web server. Hope it will be helpful.

JefferyHus Apr 18, 2017

This works perfectly, thanks.

markfrst

thx

jhemarcos

Thanks!

Stormiix

Thanks !!

pilgrim2go Jun 28, 2017

Many thanks

JaphethC Jul 1, 2017

Thank you. This was the exact information I needed for my set up.

nitin7dc Aug 3, 2017

thanks :)

getaclue

thnx!

jmalone68 Aug 28, 2017

Thanks for the write-up.
Helped with setting up a Postfix mail server.
I greatly appreciate it.

Aukhan Oct 5, 2017

Much Appreciated !
Thanks !

IamJovenD Oct 26, 2017

Hi @bradmontgomery,

Great tutorial. Thanks for this. :)

I have a question: when I use only the 2 files www_example_com.crt and COMODORSADomainValidationSecureServerCA.crt, is there any issue with that?

Not very familiar with certificates, but I have a weird issue.

Thanks in advance. Appreciate your response. :)

lomholdt Oct 27, 2017

Thanks! Exactly what I was looking for.

floydback

Thanks!

CrashedBboy Nov 3, 2017

Thanks a lot!

superjose Mar 21, 2018

Shame that GitHub doesn't have the thumbs up.... @b-a-t! Thanks a bunch, your solution worked! And thanks to @bradmontgomery as well for the original post 💃

hshahdoost Mar 28, 2018

Thanks a lot. Just for the record, if you happen to face the following error:
nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/ssl...
make sure that the certificates are not stuck together like this:
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
nginx can't read this. They should be separated with \r\n (enter).
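
The glued-marker failure described above comes from a certificate file that has no trailing newline: cat then joins the END line of one certificate to the BEGIN line of the next, and nginx refuses the file at startup. The following is an added example, not from the commenter or the gist; the certificate bodies are placeholders and the file names are assumed. It reproduces the problem, detects it, repairs an existing chain file, and shows a concatenation that cannot produce it. A plain LF newline between the two markers is all OpenSSL's PEM reader (and therefore nginx) needs; CRLF is not required.

```shell
#!/bin/sh
# Added example, not from the gist or the comment above: reproduce the glued
# PEM markers, detect them, repair an existing chain file, and concatenate in
# a way that cannot produce the problem. The certificate bodies are
# placeholders (not real certificates) and the file names are assumed.
set -eu

DEMO_DIR=$(mktemp -d)
cd "$DEMO_DIR"

# A cert file saved without a trailing newline (typical of copy/paste from a
# web form or a CA e-mail) ...
printf '%s' '-----BEGIN CERTIFICATE-----
MIIB...leaf-placeholder...
-----END CERTIFICATE-----' > www_example_com.crt
# ... and a well-formed one.
printf '%s\n' '-----BEGIN CERTIFICATE-----
MIIB...intermediate-placeholder...
-----END CERTIFICATE-----' > intermediate.crt
# Plain cat joins the END line of the first to the BEGIN line of the second.
cat www_example_com.crt intermediate.crt > ssl-bundle.crt

# True (exit 0) when an END marker and a BEGIN marker share a line.
has_glued_certs() {
  grep -q -- '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' "$1"
}

# Count markers ($1 = BEGIN or END) that sit alone on a line, as PEM requires.
count_markers() {
  grep -c -- "^-----$1 CERTIFICATE-----\$" "$2"
}

# Write a repaired copy of $1 to $2: put a newline between glued markers and
# normalise line endings to LF (a bare LF is all OpenSSL's PEM reader needs).
fix_glued_certs() {
  tr -d '\r' < "$1" |
    awk '{ gsub(/-----END CERTIFICATE----------BEGIN CERTIFICATE-----/,
                "-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----"); print }' > "$2"
}

# Concatenate PEM files into $1, adding a newline after any input lacking one.
safe_cat() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    cat "$f" >> "$out"
    # $(tail -c 1 file) is empty exactly when the last byte is a newline
    [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$out"
  done
}

if has_glued_certs ssl-bundle.crt; then
  echo "ssl-bundle.crt: glued markers; nginx would fail with PEM_read_bio_X509_AUX"
  fix_glued_certs ssl-bundle.crt ssl-bundle.fixed.crt
  echo "ssl-bundle.fixed.crt: $(count_markers BEGIN ssl-bundle.fixed.crt) certificates, markers on their own lines"
fi
safe_cat ssl-bundle.safe.crt www_example_com.crt intermediate.crt
has_glued_certs ssl-bundle.safe.crt || echo "ssl-bundle.safe.crt: built with safe_cat, no glued markers"
```

Use safe_cat in place of the plain cat from the gist when building ssl-bundle.crt, and run has_glued_certs against the file nginx is pointed at before reloading; the repaired copy can then be verified with openssl before it is moved into /etc/nginx/ssl/.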

MichaelBrenden May 8, 2018

Possibly the best toot online. Helped me solve a problem with SSL, a Comodo cert, and Stripe -- specifically this error: "SSL Library Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (SSL alert number 48)" -- odd how Comodo and Stripe either do not have this info or bury it such that it is useless.
