Instantly share code, notes, and snippets.

Embed
What would you like to do?
Steps to install a Comodo PositiveSSL certificate with Nginx.

Setting up a SSL Cert from Comodo

I use Namecheap.com as a registrar, and they resale SSL Certs from a number of other companies, including Comodo.

These are the steps I went through to set up an SSL cert.

Purchase the cert

Prior to purchasing a cert, you need to generate a private key, and a CSR file (Certificate Signing Request). You'll be asked for the content of the CSR file when ordering the certificate.

openssl req -new -newkey rsa:2048 -nodes -keyout example_com.key -out example_com.csr

This gives you two files:

  • example_com.key -- your Private key. You'll need this later to configure ngxinx.
  • example_com.csr -- Your CSR file.

Now, purchase the certificate [1], follow the steps on their site, and you should soon get an email with your PositiveSSL Certificate. It contains a zip file with the following:

  • Root CA Certificate - AddTrustExternalCARoot.crt
  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  • Your PositiveSSL Certificate - www_example_com.crt (or the subdomain you gave them)

Install the Commodo SSL cert

Combine everything for nginx [2]:

  1. Combine the above crt files into a bundle (the order matters, here):

    cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
    
  2. Store the bundle wherever nginx expects to find it:

    mkdir -p /etc/nginx/ssl/example_com/
    mv ssl-bundle.crt /etc/nginx/ssl/example_com/
    
  3. Ensure your private key is somewhere nginx can read it, as well.:

    mv example_com.key /etc/nginx/ssl/example_com/
    
  4. Make sure your nginx config points to the right cert file and to the private key you generated earlier:

    server {
        listen 443;
    
        ssl on;
        ssl_certificate /etc/nginx/ssl/example_com/ssl-bundle.crt;
        ssl_certificate_key /etc/nginx/ssl/example_com/example_com.key;
    
        # side note: only use TLS since SSLv2 and SSLv3 have had recent vulnerabilities
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
        # ...
    
    }
    
  1. Restart nginx.
[1]I purchased mine through Namecheap.com.
[2]Based on these instructions: http://goo.gl/4zJc8
@allaire

This comment has been minimized.

allaire commented Jan 24, 2014

Thanks!

@cliftonlabrum

This comment has been minimized.

cliftonlabrum commented Feb 25, 2014

Great tutorial, thank you!

@full-of-foo

This comment has been minimized.

full-of-foo commented Mar 4, 2014

Helpful! 👍

@bscutt

This comment has been minimized.

bscutt commented Mar 16, 2014

Thanks - that was a great help!

@monecchi

This comment has been minimized.

monecchi commented May 26, 2014

Great tutorial it helped me a lot on getting started with the main steps. Thanks! Anyway, sorry for the newbie question, but how am I supposed to execute the commands which will combine the crt files into a bundle? I mean, Do I have to upload the crt files first to the root directory of my server and then execute the command on a terminal app? I use Mac OSX and I use the Terminal.app to ssh on my server

@rmdort

This comment has been minimized.

rmdort commented Jul 21, 2014

To fix Firefox showing This connection is untrusted you need to create the bundle with all these files

cat yourdomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> ssl-bundle.crt

Additionallly, you can disable SSL 2, in the server{ } block

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;

Test your site here https://www.ssllabs.com/ssltest/index.html

@wesmattson

This comment has been minimized.

wesmattson commented Jul 30, 2014

I also used namecheap to purchase my PositiveSSL cert last night. Read what rmdort posted above, that is what finally got this working for me. Thanks rmdort and bradmontgomery!

@minhhahl

This comment has been minimized.

minhhahl commented Aug 5, 2014

I am using COMODO certification. I have done as @rmdort said.

I've run ssltest on web application and it found "Chain issues - Contains anchor" (section "Additional Certificates (if supplied)")

In this link http://security.stackexchange.com/questions/24561/ssltest-chain-issues-contains-anchor
They said that the root certification (AddTrustExternalCARoot.crt) should not included in ssl-bundle.crt because it is included in client. It is maybe the reason for "Chain issues - Contains anchor".

Does any one have any idea about this point? Should we include root certification or not?

@dltj

This comment has been minimized.

dltj commented Sep 16, 2014

@minhhahl -- For what it's worth, that StackExchange post was right on. I combined the domain's cert, COMODORSADomainValidationSecureServerCA.crt and COMODORSAAddTrustCA.crt into one file (leaving off AddTrustExternalCARoot.crt) and my site passed the SSL labs test.

cat yourdomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > ssl-bundle.crt
@rayyoussef

This comment has been minimized.

rayyoussef commented Nov 1, 2014

Do you add BOTH intermediate certs to the bundle???
which first? 1 and then 2?

COMODO RSA Certification Authority
COMODO RSA Domain Validation Secure Server CA

?

@dylanvalade

This comment has been minimized.

dylanvalade commented Jan 15, 2015

My certificate zip included 4 files. I used cat to chain all 4 files together and it worked correctly - a pretty green lock in the browser address bar.
cat domain.crt intermediate1.crt intermediate2.crt authority.crt > domain.chained.crt

Suggested addition to the Gist in response to @dillchuk's comment about verifying:

6. Restart nginx.

Test to see if your new configuration is valid (if test fails to go step 7)
sudo service nginx configtest

If configtest passes without errors then reload
sudo service nginx reload

7. Testing your .key, .csr and chained .crt files with openssl CLI

The output of these three commands should be an identical hash. If one is different, you will see an error when running nginx configtest.

Sample output
Modulus=CC9DE72...99C4564AA985E28877D

Test key
openssl rsa -noout -modulus -in example.com.key

Test CSR
openssl req -noout -modulus -in example.com.csr

Test original crt and bundled crt separately. I find that 50% of the time I've uploaded the wrong .crt (old from same domain) and didn't realize it. The rest of the time it has either bundled the wrong files or the wrong order.
openssl x509 -noout -modulus -in example_com.crt
openssl x509 -noout -modulus -in ssl-bundled.crt

@CCrashBandicot

This comment has been minimized.

CCrashBandicot commented Mar 3, 2015

thanks helpful ! (y)

@reustle

This comment has been minimized.

reustle commented Mar 13, 2015

Thanks @dltj, that works perfectly for fixing the untrusted ssl error on chrome mobile.

@bradmontgomery

This comment has been minimized.

Owner

bradmontgomery commented Mar 14, 2015

Thanks to everyone who's left updated comments, here: @rmdort, @minhhahl, @dltj, @dylanvalade. You've all been a huge help!

I've recently chained all 4 files together, and things seem to be ok, but I do also get the Chain issues Contains anchor warning at the SSL labs test.

cat www_bradmontgomery_net.crt COMODORSADomainValidationSecureServerCA.crt  COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

I've also disabled both SSLv2 and SSLv3, using only TLS in nginx:

# NO SSLv3, it's vulnerable to POODLE, see: http://goo.gl/zS3QXH
ssl_protocols TLSv1 TLSv1.1 TLSv1.2

I should probably update the original document.

@nblavoie

This comment has been minimized.

nblavoie commented Mar 26, 2015

@dbosen

This comment has been minimized.

dbosen commented Mar 26, 2015

Implement Strict Transport Security to get an A+

@cboettig

This comment has been minimized.

cboettig commented Apr 1, 2015

Great help and great thread. I had to add Forward Security:

 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

and also add Strict Transport Security:

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

to get this to an A+

@dillchuk

This comment has been minimized.

dillchuk commented Apr 15, 2015

Just great, that finally got it. Just wondering, is there a way to test on the CLI? Something like:

openssl verify bundle.crt my.key

@eadz

This comment has been minimized.

eadz commented May 7, 2015

@bradmontgomery I believe that warning is due to adding the 'AddTrustExternalCARoot' which is already included in your browser. Removing that cert removes the warning for me.

@ghuntley

This comment has been minimized.

ghuntley commented May 20, 2015

Handy reference but be aware of the sneaky affiliate link 😄

@dovy

This comment has been minimized.

dovy commented May 25, 2015

So useful. They should just ship us one precompiled like GoDaddy. Bah.

@adam-weber

This comment has been minimized.

adam-weber commented Jun 5, 2015

Very useful, thanks!

@coyotespike

This comment has been minimized.

coyotespike commented Jul 21, 2015

I have like 5 SSL tutorials open right now, and this is the best. Thanks!

@Hates

This comment has been minimized.

Hates commented Jul 28, 2015

Brilliant. Thanks a lot! 👍

@mailmevenkat

This comment has been minimized.

mailmevenkat commented Aug 9, 2015

Thanks a lot! Worked with Websockets (NodeJS) too 👍

@b-a-t

This comment has been minimized.

b-a-t commented Aug 25, 2015

Somehow I keep ending up on this page all the time, so seems it's a popular answer to the problem with Comodo certificates and nginx. Unfortunatelly, with the recent enough(2015) Qualys.com SSL test the given instructions lead either to "Chain issues: Contains anchor" or "Extra download". After a bit more digging I came down to the recipie that makes SSL test happy.

To avoid anchor error you should ommit Root CA certificate from the bundle. So, bundle should contain:

 cat example.com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > ssl-bundle.crt

If you ommit COMODORSAAddTrustCA.crt from the bundle you'll get rid of anchor error, but will get "extra download" warning.

If you want(and you do!) to get OCSP stapling enabled on your server, then you'd need full certificates chain to be available to the server. To work around the problem described above, nginx has another directive that makes certificate known to the server, but not sent to the client - ssl_trusted_certificate.

cat AddTrustExternalCARoot.crt > trusted.crt

And final config should contain those lines:

ssl_protocols                           TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                             ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers               on;
ssl_stapling                            on;
ssl_stapling_verify                     on;

ssl_dhparam                             "/etc/nginx/certs/dhparam.pem";
ssl_certificate                         "/etc/nginx/certs/ssl-bundle.crt";
ssl_trusted_certificate                 "/etc/nginx/certs/trusted.crt";
ssl_certificate_key                     "/etc/ssl/private/example.com.key";

ssl_session_cache                       shared:SSL:10m;
ssl_session_timeout                     10m;
  1. How to fix "Chain issues:contains anchor"
  2. ssltest: Chain issues - Contains anchor
  3. How to fix "Extra download"
  4. Multiple certificate paths
  5. What is wrong with my SSL trust chain?
  6. SSL Certificate Chain Resolver - handy tool to build correct certificates chain
@ghost

This comment has been minimized.

ghost commented Sep 12, 2015

Thanks a lot!
It wasn't that easy to come by the correct procedure (by that, I mean, in which order to concatenate the cert files).

@kevindeasis

This comment has been minimized.

kevindeasis commented Sep 12, 2015

is "ssl on" deprecated? and it might be a good idea to have "listen 443 ssl";

@trilobit

This comment has been minimized.

trilobit commented Sep 27, 2015

Thanks a lot! 👍

@abhishesh

This comment has been minimized.

abhishesh commented Sep 28, 2015

Thanks Bro !

@alexandruhera

This comment has been minimized.

alexandruhera commented Oct 8, 2015

Hi guys!

I just got a ssl cert from comodo, but for some reason the chain doesnt work, i've tried every method.
I'm running nginx 1.9.5 with hhvm.

I've made a bundle like this:

cat alexhera_me.crt comodorsadomainvalidationsecureserverca.crt comodorsaaddtrustca.crt > ssl-bundle.crt

and the other one
cat addtrustexternalcaroot.crt > trusted.crt

So,the first one I've added to ssl_certificate in nginx config.
The second is the ssl_trusted_certificate.

But when I save the config file and restart the server I get this error.

  • Restarting nginx nginx nginx: [emerg] PEM_read_bio_X509("/etc/nginx/ssl/ssl-bundle.crt") failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line)
    nginx: configuration file /etc/nginx/nginx.conf test failed
@ianrobrien

This comment has been minimized.

ianrobrien commented Oct 14, 2015

@alexandruhera make sure that your lines end with semicolon ; and that /etc/nginx/ssl/ssl-bundle.crt exists.

You can test config with nginx -t

@natesymer

This comment has been minimized.

natesymer commented Oct 18, 2015

This is where you can get the root & intermediate certs (they're no longer included in the emailed zip file)

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/979/108/domain-validation-sha-2

@rlfrahm

This comment has been minimized.

rlfrahm commented Oct 20, 2015

Thanks!

@Berndinox

This comment has been minimized.

Berndinox commented Oct 21, 2015

thanks!

@MBuffenoir

This comment has been minimized.

MBuffenoir commented Oct 28, 2015

Thanks so much ... works with haproxy too

@XristMisyris

This comment has been minimized.

XristMisyris commented Oct 31, 2015

Thanks!!!!

@MuhClaren

This comment has been minimized.

MuhClaren commented Nov 8, 2015

This helped solve my Android / Chrome woes. Thanks a bunch. Also, thanks @b-a-t for the OCSP stapling guide, it worked straight away.

@lubosdz

This comment has been minimized.

lubosdz commented Nov 26, 2015

Yes, do not add AddTrustExternalCARoot.crt, it's not needed.
For windows users - Bundle certificate can be simply create by manually copying into file ssl-bundle.crt with content:


-----BEGIN CERTIFICATE-----
MIIFOTCCBCGgAwIBAgIQT5ZKyUQaERXKiNTtx3ZaITANBgkqhkiG9w0BAQsFADCB
..... your private key .....
pn5dLjAsP86UWi5J7wD2hvuLbzmUmmnbCs5k4pleb37FU18E6Q1qiexjWYlx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
..... COMODORSADomainValidationSecureServerCA.crt .....
+AZxAeKCINT+b72x
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv
..... COMODORSAAddTrustCA.crt ..........
pu/xO28QOG8=
-----END CERTIFICATE-----


if you receive message invalid number of aruments in ssl_cipher then you probably missed semicolon ; at the end of the line (applies to nginx config above by b-a-t, which otherwise works OK).

And preferrably use more ciphers for better support on mobile devices:

ssl_ciphers  'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
@SpencerCooley

This comment has been minimized.

SpencerCooley commented Dec 17, 2015

When I downloaded my certificate the zip file had 3 files, but they were :

my_site.ca-bundle
my_site.crt
my_site.p7b

I am not sure what to do with those files. the crt makes sense to me, but what is the ca-bundle and p7b?

@b-a-t

This comment has been minimized.

b-a-t commented Dec 18, 2015

The ca-bundle file contains concatenated intermediate certificates in x509 PEM format. The p7b seems to contain the same information in the PKCS#7 format, but I couldn't read it with openssl pkcs7 -in command, so it seems to be supported by Windows only and in general is necessary for IIS/Tomcat.

As it was said above, you can get separate intermediate certificates from:

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/979/108/domain-validation-sha-2

@iamakimmer

This comment has been minimized.

iamakimmer commented Feb 2, 2016

Thanks! I come back to this every year the day before the certs expire

@kirkonrails

This comment has been minimized.

kirkonrails commented Feb 22, 2016

This is awesome. Thanks so much for posting this!

@ammislam

This comment has been minimized.

ammislam commented Apr 13, 2016

it looks like this guide is to install new cert, I am looking for a guide to renew existing cert which are going to expire. My stack is rails application with nginx + passenger, postgresql db and sidekiq job handlers if they matter.

@w33zy

This comment has been minimized.

w33zy commented Apr 18, 2016

@ammislan these are the steps you would follow. To 'renew' a cert is to remove the old one and install the new one.

@chozabu

This comment has been minimized.

chozabu commented Apr 18, 2016

Hmm, I've got similar results to @SpencerCooley but my provided files are

STAR_example_com.ca-bundle 
STAR_example_com.crt

This runs fine on my test server just using the crt file - but I wonder if I need to combine them first? (and why?)

@chozabu

This comment has been minimized.

chozabu commented Apr 18, 2016

@SpencerCooley looks like the info we need is here: https://support.comodo.com/index.php?/Default/Knowledgebase/List/Index/37

PREREQUISITES: Concatenate the CAbundle and the certificate file which we sent you using the following command.
cat STAR_example_com.crt STAR_example_com.ca-bundle > ssl-bundle.crt

(formatted to be a more exact match for what I actually typed, with domain name checked)

And for more info - using just the original crt file works, but https://www.sslshopper.com/ssl-checker.html mentioned it is missing some trust chain, and some browsers will be unhappy.

After combining the certs as above, everything seems groovy.

@pmuens

This comment has been minimized.

pmuens commented Apr 21, 2016

Great guide! Thanks man!

@WesleyRibs

This comment has been minimized.

WesleyRibs commented Jun 14, 2016

tks !

@Rigoni

This comment has been minimized.

Rigoni commented Jun 14, 2016

Great tutorial!

But if don't concatenate the AddTrustExternalCARoot.crt file, the site www.ssllabs.com doesn't show the Chain Issues -> Contain Anchor.

I have not concatenate and it shows me Chain Issues -> None.

@viktor-skarlatov

This comment has been minimized.

viktor-skarlatov commented Jun 22, 2016

Awesome... Thanks!

@lacyrhoades

This comment has been minimized.

lacyrhoades commented Jul 12, 2016

THANK YOU!! The wild world of SSL.

@Scit

This comment has been minimized.

Scit commented Jul 22, 2016

Nice! Very clear instructions! Thank you!

@Dethnull

This comment has been minimized.

Dethnull commented Aug 11, 2016

Dude you rock, I'm going to fork this just so I have a copy. This is what should be displayed on Comodo's site as their instructions were terrible.

@mattaudesse

This comment has been minimized.

mattaudesse commented Aug 19, 2016

Thanks for this @bradmontgomery!

@taniadaniela

This comment has been minimized.

taniadaniela commented Sep 9, 2016

These instructions work perfectly for SSL CA generated with register.com, the same order of files to generate the bundle file (just replace Comodo word for the word in your files). Thanks a lot!

@leeaustinadams

This comment has been minimized.

leeaustinadams commented Sep 18, 2016

Thanks for the detailed writeup, I was looking for exactly this!

@evgenosiptsov

This comment has been minimized.

evgenosiptsov commented Oct 29, 2016

Thanks!

@qazwsx9006

This comment has been minimized.

qazwsx9006 commented Nov 25, 2016

Thanks!

@eugenbg

This comment has been minimized.

eugenbg commented Nov 28, 2016

thank you!

@ndemoreau

This comment has been minimized.

ndemoreau commented Dec 3, 2016

Thank you! You made my day!

@tengfei86

This comment has been minimized.

tengfei86 commented Dec 10, 2016

Great!

@PriteshJain

This comment has been minimized.

PriteshJain commented Dec 31, 2016

Saved my ass today. example_com.crt was working for desktop not for mobile. followed ur steps and now its working perfectly fine.

@newcoupon

This comment has been minimized.

newcoupon commented Feb 26, 2017

Very useful, thanks!

@dutronlabs

This comment has been minimized.

dutronlabs commented Mar 4, 2017

This is amazing. Thank you!!!

@p-thurner

This comment has been minimized.

p-thurner commented Mar 12, 2017

Good howto! There is a "generator" for good SSL configs for nginx and apache. You can specify the version of the webserver and your openssl version:

https://mozilla.github.io/server-side-tls/ssl-config-generator/

@Mashpy

This comment has been minimized.

Mashpy commented Mar 30, 2017

Thank you for the solution. I have written a tutorial how to install positive ssl on your website using nginx webserver . Hope it will be helpful.

@JefferyHus

This comment has been minimized.

JefferyHus commented Apr 18, 2017

This works perfectly, thanks.

@markfrst

This comment has been minimized.

markfrst commented May 23, 2017

thx

@jhemarcos

This comment has been minimized.

jhemarcos commented Jun 8, 2017

Thanks!

@Stormiix

This comment has been minimized.

Stormiix commented Jun 26, 2017

Thanks !!

@pilgrim2go

This comment has been minimized.

pilgrim2go commented Jun 28, 2017

Many thanks

@JaphethC

This comment has been minimized.

JaphethC commented Jul 1, 2017

Thank you. This was the exact information I needed for my set up.

@nitin7dc

This comment has been minimized.

nitin7dc commented Aug 3, 2017

thanks :)

@getaclue

This comment has been minimized.

getaclue commented Aug 12, 2017

thnx!

@jmalone68

This comment has been minimized.

jmalone68 commented Aug 28, 2017

Thanks for the write-up.
Helped with setting up a Postfix mail server.
I greatly appreciate it.

@Aukhan

This comment has been minimized.

Aukhan commented Oct 5, 2017

Much Appreciated !
Thanks !

@IamJovenD

This comment has been minimized.

IamJovenD commented Oct 26, 2017

Hi @bradmontgomery,

Great Tutorial. Thanks for this. :)

I got question, when I use www_example_com.crt COMODORSADomainValidationSecureServerCA.crt 2 files only. Any issue with that?

Not familiar much on certificate but I have a weird issue.

Thanks in advance. Appreciate your response. :)

@lomholdt

This comment has been minimized.

lomholdt commented Oct 27, 2017

Thanks! Exactly what I was looking for.

@floydback

This comment has been minimized.

floydback commented Oct 28, 2017

Thanks!

@CrashedBboy

This comment has been minimized.

CrashedBboy commented Nov 3, 2017

Thanks a lot!

@superjose

This comment has been minimized.

superjose commented Mar 21, 2018

Shame that Github doesn't have the thumbs up.... @b-a-t! Thanks a bunch your solution worked! And thanks to @bradmontgomery as well for the original post 💃

@hshahdoost

This comment has been minimized.

hshahdoost commented Mar 28, 2018

Thanx a lot, just for the record if you happen to face the following error
nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/ssl...
make sure that certificates are not sticked together like this
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
nginx can't read this. they should be separated with \r\n (enter).

@MichaelBrenden

This comment has been minimized.

MichaelBrenden commented May 8, 2018

Possibly The Best toot online. Helped me solve problem with SSL, Comodo cert, and Stripe -- specifically this error: "SSL Library Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (SSL alert number 48)" -- odd how comodo, stripe either do not have this info or bury it such that it is useless.

@bobo101

This comment has been minimized.

bobo101 commented Sep 4, 2018

Thanks a lot!

@mrsamirmh

This comment has been minimized.

mrsamirmh commented Sep 5, 2018

I am getting ERR_CONNECTION_CLOSED on Comodo free ssl certificate. Any solution ?

@Open-Asset

This comment has been minimized.

Open-Asset commented Sep 13, 2018

Same issues here on one fresh server......

I am getting ERR_CONNECTION_CLOSED on Comodo free ssl certificate. Any solution ?

Same issues here on one fresh server......

@learnbybit

This comment has been minimized.

learnbybit commented Sep 21, 2018

you're awesome man !

@atish-abhang

This comment has been minimized.

atish-abhang commented Oct 14, 2018

Thanks man..!

@czaryas

This comment has been minimized.

czaryas commented Nov 27, 2018

thanks a lot, man ....!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment