Steps to install a Comodo PositiveSSL certificate with Nginx.

Setting up an SSL Cert from Comodo

I use Namecheap.com as a registrar, and they resell SSL Certs from a number of other companies, including Comodo.

These are the steps I went through to set up an SSL cert.

Purchase the cert

Prior to purchasing a cert, you need to generate a private key, and a CSR file (Certificate Signing Request). You'll be asked for the content of the CSR file when ordering the certificate.

openssl req -new -newkey rsa:2048 -nodes -keyout example_com.key -out example_com.csr

This gives you two files:

  • example_com.key -- your Private key. You'll need this later to configure nginx.
  • example_com.csr -- Your CSR file.

Now, purchase the certificate [1], follow the steps on their site, and you should soon get an email with your PositiveSSL Certificate. It contains a zip file with the following:

  • Root CA Certificate - AddTrustExternalCARoot.crt
  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  • Your PositiveSSL Certificate - www_example_com.crt (or the subdomain you gave them)

Install the Comodo SSL cert

Combine everything for nginx [2]:

  1. Combine the above crt files into a bundle (the order matters, here):

    cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
    
  2. Store the bundle wherever nginx expects to find it:

    mkdir -p /etc/nginx/ssl/example_com/
    mv ssl-bundle.crt /etc/nginx/ssl/example_com/
    
  3. Ensure your private key is somewhere nginx can read it, as well:

    mv example_com.key /etc/nginx/ssl/example_com/
    
  4. Make sure your nginx config points to the right cert file and to the private key you generated earlier:

    server {
        listen 443;
    
        ssl on;
        ssl_certificate /etc/nginx/ssl/example_com/ssl-bundle.crt;
        ssl_certificate_key /etc/nginx/ssl/example_com/example_com.key;
    
        # side note: only use TLS since SSLv2 and SSLv3 have had recent vulnerabilities
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
        # ...
    
    }
    
  5. Restart nginx.

[1] I purchased mine through Namecheap.com.
[2] Based on these instructions: http://goo.gl/4zJc8

allaire commented Jan 24, 2014

Thanks!

cliftonlabrum commented Feb 25, 2014

Great tutorial, thank you!

full-of-foo commented Mar 4, 2014

Helpful! 👍

bscutt commented Mar 16, 2014

Thanks - that was a great help!

monecchi commented May 26, 2014

Great tutorial it helped me a lot on getting started with the main steps. Thanks! Anyway, sorry for the newbie question, but how am I supposed to execute the commands which will combine the crt files into a bundle? I mean, Do I have to upload the crt files first to the root directory of my server and then execute the command on a terminal app? I use Mac OSX and I use the Terminal.app to ssh on my server

rmdort commented Jul 21, 2014

To fix Firefox showing This connection is untrusted you need to create the bundle with all these files

cat yourdomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> ssl-bundle.crt

Additionally, you can disable SSL 2 in the server { } block

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;

Test your site here https://www.ssllabs.com/ssltest/index.html

wesmattson commented Jul 30, 2014

I also used namecheap to purchase my PositiveSSL cert last night. Read what rmdort posted above, that is what finally got this working for me. Thanks rmdort and bradmontgomery!

minhhahl commented Aug 5, 2014

I am using COMODO certification. I have done as @rmdort said.

I've run ssltest on web application and it found "Chain issues - Contains anchor" (section "Additional Certificates (if supplied)")

In this link http://security.stackexchange.com/questions/24561/ssltest-chain-issues-contains-anchor
They said that the root certificate (AddTrustExternalCARoot.crt) should not be included in ssl-bundle.crt because it is included in the client. That may be the reason for "Chain issues - Contains anchor".

Does anyone have any idea about this point? Should we include the root certificate or not?

dltj commented Sep 16, 2014

@minhhahl -- For what it's worth, that StackExchange post was right on. I combined the domain's cert, COMODORSADomainValidationSecureServerCA.crt and COMODORSAAddTrustCA.crt into one file (leaving off AddTrustExternalCARoot.crt) and my site passed the SSL labs test.

cat yourdomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > ssl-bundle.crt

rayyoussef commented Nov 1, 2014

Do you add BOTH intermediate certs to the bundle???
which first? 1 and then 2?

COMODO RSA Certification Authority
COMODO RSA Domain Validation Secure Server CA

?

dylanvalade commented Jan 15, 2015

My certificate zip included 4 files. I used cat to chain all 4 files together and it worked correctly - a pretty green lock in the browser address bar.
cat domain.crt intermediate1.crt intermediate2.crt authority.crt > domain.chained.crt

Suggested addition to the Gist in response to @dillchuk's comment about verifying:

6. Restart nginx.

Test to see if your new configuration is valid (if the test fails, go to step 7)
sudo service nginx configtest

If configtest passes without errors then reload
sudo service nginx reload

7. Testing your .key, .csr and chained .crt files with openssl CLI

The output of these three commands should be an identical hash. If one is different, you will see an error when running nginx configtest.

Sample output
Modulus=CC9DE72...99C4564AA985E28877D

Test key
openssl rsa -noout -modulus -in example.com.key

Test CSR
openssl req -noout -modulus -in example.com.csr

Test original crt and bundled crt separately. I find that 50% of the time I've uploaded the wrong .crt (old from same domain) and didn't realize it. The rest of the time it has either bundled the wrong files or the wrong order.
openssl x509 -noout -modulus -in example_com.crt
openssl x509 -noout -modulus -in ssl-bundled.crt

CCrashBandicot commented Mar 3, 2015

thanks helpful ! (y)

reustle commented Mar 13, 2015

Thanks @dltj, that works perfectly for fixing the untrusted ssl error on chrome mobile.

Owner Author

bradmontgomery commented Mar 14, 2015

Thanks to everyone who's left updated comments, here: @rmdort, @minhhahl, @dltj, @dylanvalade. You've all been a huge help!

I've recently chained all 4 files together, and things seem to be ok, but I do also get the Chain issues Contains anchor warning at the SSL labs test.

cat www_bradmontgomery_net.crt COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

I've also disabled both SSLv2 and SSLv3, using only TLS in nginx:

# NO SSLv3, it's vulnerable to POODLE, see: http://goo.gl/zS3QXH
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

I should probably update the original document.

nblavoie commented Mar 26, 2015

dbosen commented Mar 26, 2015

Implement Strict Transport Security to get an A+

cboettig commented Apr 1, 2015

Great help and great thread. I had to add Forward Security:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

and also add Strict Transport Security:

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

to get this to an A+

dillchuk commented Apr 15, 2015

Just great, that finally got it. Just wondering, is there a way to test on the CLI? Something like:

openssl verify bundle.crt my.key

eadz commented May 7, 2015

@bradmontgomery I believe that warning is due to adding the 'AddTrustExternalCARoot' which is already included in your browser. Removing that cert removes the warning for me.

ghuntley commented May 20, 2015

Handy reference but be aware of the sneaky affiliate link 😄

dovy commented May 25, 2015

So useful. They should just ship us one precompiled like GoDaddy. Bah.

adam-weber commented Jun 5, 2015

Very useful, thanks!

coyotespike commented Jul 21, 2015

I have like 5 SSL tutorials open right now, and this is the best. Thanks!

Hates commented Jul 28, 2015

Brilliant. Thanks a lot! 👍

mailmevenkat commented Aug 9, 2015

Thanks a lot! Worked with Websockets (NodeJS) too 👍

b-a-t commented Aug 25, 2015

Somehow I keep ending up on this page all the time, so it seems it's a popular answer to the problem with Comodo certificates and nginx. Unfortunately, with the recent enough (2015) Qualys.com SSL test the given instructions lead either to "Chain issues: Contains anchor" or "Extra download". After a bit more digging I came down to the recipe that makes SSL test happy.

To avoid anchor error you should omit Root CA certificate from the bundle. So, bundle should contain:

 cat example.com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > ssl-bundle.crt

If you omit COMODORSAAddTrustCA.crt from the bundle you'll get rid of anchor error, but will get "extra download" warning.

If you want (and you do!) to get OCSP stapling enabled on your server, then you'd need full certificates chain to be available to the server. To work around the problem described above, nginx has another directive that makes certificate known to the server, but not sent to the client - ssl_trusted_certificate.

cat AddTrustExternalCARoot.crt > trusted.crt

And final config should contain those lines:

ssl_protocols                           TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                             ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers               on;
ssl_stapling                            on;
ssl_stapling_verify                     on;

ssl_dhparam                             "/etc/nginx/certs/dhparam.pem";
ssl_certificate                         "/etc/nginx/certs/ssl-bundle.crt";
ssl_trusted_certificate                 "/etc/nginx/certs/trusted.crt";
ssl_certificate_key                     "/etc/ssl/private/example.com.key";

ssl_session_cache                       shared:SSL:10m;
ssl_session_timeout                     10m;
  1. How to fix "Chain issues:contains anchor"
  2. ssltest: Chain issues - Contains anchor
  3. How to fix "Extra download"
  4. Multiple certificate paths
  5. What is wrong with my SSL trust chain?
  6. SSL Certificate Chain Resolver - handy tool to build correct certificates chain
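
A command-line check for the points raised in this thread (key matches the certificate, leaf first, each certificate followed by its issuer, no root in the bundle), as an added example that is not part of the gist or of any comment. The function names and the throwaway demo CA are assumptions made for illustration; the check compares subject and issuer names only and does not verify signatures or expiry.

```shell
#!/bin/sh
# check_bundle KEY BUNDLE returns 0 only when
#   1. KEY matches the first certificate in BUNDLE (the leaf),
#   2. every certificate is directly followed by its issuer, and
#   3. no self-signed certificate (trust anchor) is in BUNDLE.
check_bundle() {
    cb_key=$1; cb_bundle=$2; cb_rc=0

    # openssl x509 reads only the first PEM block, which must be the leaf.
    cb_kpub=$(openssl pkey -in "$cb_key" -pubout 2>/dev/null) ||
        { echo "FAIL: cannot read private key $cb_key"; return 2; }
    cb_cpub=$(openssl x509 -in "$cb_bundle" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot read a certificate from $cb_bundle"; return 2; }
    if [ "$cb_kpub" = "$cb_cpub" ]; then
        echo "OK: private key matches first certificate"
    else
        echo "FAIL: private key does not match first certificate"; cb_rc=1
    fi

    # List subject/issuer of every certificate in file order and compare names.
    openssl crl2pkcs7 -nocrl -certfile "$cb_bundle" 2>/dev/null |
    openssl pkcs7 -print_certs -noout 2>/dev/null |
    awk '
        /^subject=/ { n++; sub(/^subject= */, ""); subj[n] = $0 }
        /^issuer=/  { sub(/^issuer= */, ""); iss[n] = $0 }
        END {
            if (n == 0) { print "FAIL: no certificates found"; bad = 1 }
            for (i = 1; i <= n; i++) {
                if (subj[i] == iss[i]) {
                    print "FAIL: certificate " i " is self-signed (anchor in bundle): " subj[i]
                    bad = 1
                } else if (i < n && iss[i] != subj[i + 1]) {
                    print "FAIL: certificate " i " is not followed by its issuer: " iss[i]
                    bad = 1
                }
            }
            if (!bad) print "OK: " n " certificates in issuer order, no anchor"
            exit bad
        }' || cb_rc=1
    return $cb_rc
}

# Constructed sample data: throwaway root -> intermediate -> leaf in directory $1.
make_demo_chain() {
    dc=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$dc/root.key" -out "$dc/root.crt" 2>/dev/null || return 1
    demo_issue int root "Demo Intermediate" && demo_issue leaf int demo.example.com
}
demo_issue() {   # demo_issue NAME ISSUER_NAME COMMON_NAME
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$dc/$1.key" -out "$dc/$1.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -set_serial 2 -in "$dc/$1.csr" \
        -CA "$dc/$2.crt" -CAkey "$dc/$2.key" -out "$dc/$1.crt" 2>/dev/null
}

# Usage: sh check_bundle.sh example_com.key ssl-bundle.crt
#        sh check_bundle.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) || exit 1
    make_demo_chain "$tmp" || exit 1
    cat "$tmp/leaf.crt" "$tmp/int.crt" > "$tmp/good.crt"
    cat "$tmp/leaf.crt" "$tmp/int.crt" "$tmp/root.crt" > "$tmp/anchor.crt"
    echo "== leaf + intermediate =="; check_bundle "$tmp/leaf.key" "$tmp/good.crt"
    echo "== with root appended =="; check_bundle "$tmp/leaf.key" "$tmp/anchor.crt"
    rm -rf "$tmp"
elif [ $# -eq 2 ]; then
    check_bundle "$1" "$2"
fi
```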

ghost commented Sep 12, 2015

Thanks a lot!
It wasn't that easy to come by the correct procedure (by that, I mean, in which order to concatenate the cert files).

kevindeasis commented Sep 12, 2015

is "ssl on" deprecated? and it might be a good idea to have "listen 443 ssl";

trilobit commented Sep 27, 2015

Thanks a lot! 👍

abhishesh commented Sep 28, 2015

Thanks Bro !

alexandruhera commented Oct 8, 2015

Hi guys!

I just got an SSL cert from Comodo, but for some reason the chain doesn't work; I've tried every method.
I'm running nginx 1.9.5 with hhvm.

I've made a bundle like this:

cat alexhera_me.crt comodorsadomainvalidationsecureserverca.crt comodorsaaddtrustca.crt > ssl-bundle.crt

and the other one
cat addtrustexternalcaroot.crt > trusted.crt

So, the first one I've added to ssl_certificate in nginx config.
The second is the ssl_trusted_certificate.

But when I save the config file and restart the server I get this error.

  • Restarting nginx nginx nginx: [emerg] PEM_read_bio_X509("/etc/nginx/ssl/ssl-bundle.crt") failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line)
    nginx: configuration file /etc/nginx/nginx.conf test failed

ianrobrien commented Oct 14, 2015

@alexandruhera make sure that your lines end with semicolon ; and that /etc/nginx/ssl/ssl-bundle.crt exists.

You can test config with nginx -t

natesymer commented Oct 18, 2015

This is where you can get the root & intermediate certs (they're no longer included in the emailed zip file)

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/979/108/domain-validation-sha-2

rlfrahm commented Oct 20, 2015

Thanks!

Berndinox commented Oct 21, 2015

thanks!

MBuffenoir commented Oct 28, 2015

Thanks so much ... works with haproxy too

XristMisyris commented Oct 31, 2015

Thanks!!!!

MuhClaren commented Nov 8, 2015

This helped solve my Android / Chrome woes. Thanks a bunch. Also, thanks @b-a-t for the OCSP stapling guide, it worked straight away.

lubosdz commented Nov 26, 2015

Yes, do not add AddTrustExternalCARoot.crt, it's not needed.
For Windows users - the bundle certificate can be created simply by manually copying the following content into the file ssl-bundle.crt:


-----BEGIN CERTIFICATE-----
MIIFOTCCBCGgAwIBAgIQT5ZKyUQaERXKiNTtx3ZaITANBgkqhkiG9w0BAQsFADCB
..... your private key .....
pn5dLjAsP86UWi5J7wD2hvuLbzmUmmnbCs5k4pleb37FU18E6Q1qiexjWYlx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
..... COMODORSADomainValidationSecureServerCA.crt .....
+AZxAeKCINT+b72x
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv
..... COMODORSAAddTrustCA.crt ..........
pu/xO28QOG8=
-----END CERTIFICATE-----


If you receive the message invalid number of arguments in ssl_cipher then you probably missed the semicolon ; at the end of the line (applies to the nginx config above by b-a-t, which otherwise works OK).

And preferably use more ciphers for better support on mobile devices:

ssl_ciphers  'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';

SpencerCooley commented Dec 17, 2015

When I downloaded my certificate the zip file had 3 files, but they were :

my_site.ca-bundle
my_site.crt
my_site.p7b

I am not sure what to do with those files. the crt makes sense to me, but what is the ca-bundle and p7b?

b-a-t commented Dec 18, 2015

The ca-bundle file contains concatenated intermediate certificates in x509 PEM format. The p7b seems to contain the same information in the PKCS#7 format, but I couldn't read it with openssl pkcs7 -in command, so it seems to be supported by Windows only and in general is necessary for IIS/Tomcat.

As it was said above, you can get separate intermediate certificates from:

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/979/108/domain-validation-sha-2

iamakimmer commented Feb 2, 2016

Thanks! I come back to this every year the day before the certs expire

kirkonrails commented Feb 22, 2016

This is awesome. Thanks so much for posting this!

ammislam commented Apr 13, 2016

it looks like this guide is to install new cert, I am looking for a guide to renew existing cert which are going to expire. My stack is rails application with nginx + passenger, postgresql db and sidekiq job handlers if they matter.

w33zy commented Apr 18, 2016

@ammislam these are the steps you would follow. To 'renew' a cert is to remove the old one and install the new one.

chozabu commented Apr 18, 2016

Hmm, I've got similar results to @SpencerCooley but my provided files are

STAR_example_com.ca-bundle 
STAR_example_com.crt

This runs fine on my test server just using the crt file - but I wonder if I need to combine them first? (and why?)

chozabu commented Apr 18, 2016

@SpencerCooley looks like the info we need is here: https://support.comodo.com/index.php?/Default/Knowledgebase/List/Index/37

PREREQUISITES: Concatenate the CAbundle and the certificate file which we sent you using the following command.
cat STAR_example_com.crt STAR_example_com.ca-bundle > ssl-bundle.crt

(formatted to be a more exact match for what I actually typed, with domain name checked)

And for more info - using just the original crt file works, but https://www.sslshopper.com/ssl-checker.html mentioned it is missing some trust chain, and some browsers will be unhappy.

After combining the certs as above, everything seems groovy.

pmuens commented Apr 21, 2016

Great guide! Thanks man!

WesleyRibs commented Jun 14, 2016

tks !

Rigoni commented Jun 14, 2016

Great tutorial!

But if you don't concatenate the AddTrustExternalCARoot.crt file, the site www.ssllabs.com doesn't show the Chain Issues -> Contain Anchor.

I have not concatenated it and it shows me Chain Issues -> None.

viktor-skarlatov commented Jun 22, 2016

Awesome... Thanks!

lacyrhoades commented Jul 12, 2016

THANK YOU!! The wild world of SSL.

Scit commented Jul 22, 2016

Nice! Very clear instructions! Thank you!

Dethnull commented Aug 11, 2016

Dude you rock, I'm going to fork this just so I have a copy. This is what should be displayed on Comodo's site as their instructions were terrible.

mattaudesse commented Aug 19, 2016

Thanks for this @bradmontgomery!

taniadaniela commented Sep 9, 2016

These instructions work perfectly for SSL CA generated with register.com, the same order of files to generate the bundle file (just replace Comodo word for the word in your files). Thanks a lot!

leeaustinadams commented Sep 18, 2016

Thanks for the detailed writeup, I was looking for exactly this!

evgenosiptsov commented Oct 29, 2016

Thanks!

qazwsx9006 commented Nov 25, 2016

Thanks!

eugenbg commented Nov 28, 2016

thank you!

ndemoreau commented Dec 3, 2016

Thank you! You made my day!

tengfei86 commented Dec 10, 2016

Great!

PriteshJain commented Dec 31, 2016

Saved my ass today. example_com.crt was working for desktop not for mobile. followed ur steps and now its working perfectly fine.

newcoupon commented Feb 26, 2017

Very useful, thanks!

dutronlabs commented Mar 4, 2017

This is amazing. Thank you!!!

p-thurner commented Mar 12, 2017

Good howto! There is a "generator" for good SSL configs for nginx and apache. You can specify the version of the webserver and your openssl version:

https://mozilla.github.io/server-side-tls/ssl-config-generator/

Mashpy commented Mar 30, 2017

Thank you for the solution. I have written a tutorial how to install positive ssl on your website using nginx webserver . Hope it will be helpful.

JefferyHus commented Apr 18, 2017

This works perfectly, thanks.

markfrst commented May 23, 2017

thx

jhemarcos commented Jun 8, 2017

Thanks!

Stormiix commented Jun 26, 2017

Thanks !!

pilgrim2go commented Jun 28, 2017

Many thanks

JaphethC commented Jul 1, 2017

Thank you. This was the exact information I needed for my set up.

nitin7dc commented Aug 3, 2017

thanks :)

getaclue commented Aug 12, 2017

thnx!

jmalone68 commented Aug 28, 2017

Thanks for the write-up.
Helped with setting up a Postfix mail server.
I greatly appreciate it.

Aukhan commented Oct 5, 2017

Much Appreciated !
Thanks !

IamJovenD commented Oct 26, 2017

Hi @bradmontgomery,

Great Tutorial. Thanks for this. :)

I got question, when I use www_example_com.crt COMODORSADomainValidationSecureServerCA.crt 2 files only. Any issue with that?

Not familiar much on certificate but I have a weird issue.

Thanks in advance. Appreciate your response. :)

lomholdt commented Oct 27, 2017

Thanks! Exactly what I was looking for.

floydback commented Oct 28, 2017

Thanks!

CrashedBboy commented Nov 3, 2017

Thanks a lot!

superjose commented Mar 21, 2018

Shame that Github doesn't have the thumbs up.... @b-a-t! Thanks a bunch your solution worked! And thanks to @bradmontgomery as well for the original post 💃

hshahdoost commented Mar 28, 2018

Thanks a lot. Just for the record, if you happen to face the following error
nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/ssl...
make sure that the certificates are not stuck together like this
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
nginx can't read this. They should be separated with \r\n (enter).
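
The glued markers described above appear when a .crt file has no trailing newline and is joined with plain cat, since cat copies bytes and adds nothing between files. The following added example (not part of the original comment or gist; pem_lint, pem_join and pem_demo are hypothetical helper names, and the sample "certificates" are constructed placeholders) detects the problem without openssl and builds a bundle that cannot have it.

```shell
#!/bin/sh
# pem_lint FILE: structural check of a PEM certificate bundle.
# Returns 0 when every BEGIN/END CERTIFICATE marker is alone on its line
# and the markers alternate correctly; prints one line per finding.
pem_lint() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /-----(BEGIN|END) CERTIFICATE-----/ {
            rest = $0
            hits = gsub(/-----(BEGIN|END) CERTIFICATE-----/, "", rest)
            if (hits > 1 || rest != "") {
                # Two markers on one line: files were glued together.
                print FILENAME ":" NR ": marker is not alone on its line"; bad = 1
            } else if ($0 ~ /BEGIN/) {
                if (inside) { print FILENAME ":" NR ": BEGIN before previous END"; bad = 1 }
                inside = 1; certs++
            } else {
                if (!inside) { print FILENAME ":" NR ": END without BEGIN"; bad = 1 }
                inside = 0
            }
            next
        }
        inside && $0 !~ /^[A-Za-z0-9+\/=]*$/ {
            print FILENAME ":" NR ": non-base64 data inside certificate"; bad = 1
        }
        END {
            if (inside) { print FILENAME ": last certificate has no END line"; bad = 1 }
            if (!certs) { print FILENAME ": no certificates found"; bad = 1 }
            if (!bad) print FILENAME ": OK, " certs " certificate(s)"
            exit bad
        }' "$1"
}

# pem_join FILE...: like cat, but strips carriage returns and guarantees that
# each file ends with a newline, so END and BEGIN markers can never touch.
pem_join() {
    for f in "$@"; do
        tr -d '\r' < "$f"
        # $(...) strips a trailing newline, so empty output means the file
        # already ends with one (or is empty).
        [ -z "$(tail -c 1 "$f")" ] || echo
    done
}

# Constructed sample: two placeholder certificates; a.crt has no final newline.
pem_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n%s\n%s'   '-----BEGIN CERTIFICATE-----' 'QUJD' '-----END CERTIFICATE-----' > "$d/a.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'REVG' '-----END CERTIFICATE-----' > "$d/b.crt"
    cat "$d/a.crt" "$d/b.crt" > "$d/glued.crt"        # what plain cat produces
    pem_join "$d/a.crt" "$d/b.crt" > "$d/fixed.crt"
    if pem_lint "$d/glued.crt"; then glued=0; else glued=1; fi
    if pem_lint "$d/fixed.crt"; then fixed=0; else fixed=1; fi
    rm -rf "$d"
    echo "glued=$glued fixed=$fixed"
}

# Usage: sh pem_lint.sh ssl-bundle.crt   |   sh pem_lint.sh --demo
case "${1:-}" in
    "")     ;;
    --demo) pem_demo ;;
    *)      pem_lint "$1" ;;
esac
```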

MichaelBrenden commented May 8, 2018

Possibly The Best toot online. Helped me solve problem with SSL, Comodo cert, and Stripe -- specifically this error: "SSL Library Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (SSL alert number 48)" -- odd how comodo, stripe either do not have this info or bury it such that it is useless.

bobo101 commented Sep 4, 2018

Thanks a lot!

mrsamirmh commented Sep 5, 2018

I am getting ERR_CONNECTION_CLOSED on Comodo free ssl certificate. Any solution ?

Open-Asset commented Sep 13, 2018

I am getting ERR_CONNECTION_CLOSED on Comodo free ssl certificate. Any solution ?

Same issues here on one fresh server......

learnbybit commented Sep 21, 2018

you're awesome man !

atish-abhang commented Oct 14, 2018

Thanks man..!

czaryas commented Nov 27, 2018

thanks a lot, man ....!!

VireshDoshi commented Feb 19, 2019

Very clear
