Setting Up AlphaSSL with Nginx
I just bought an AlphaSSL wildcard from IPXcore (@Damian). However, I am having some certificate issues according to ssllabs (chain issues and extra download).
Can anyone who uses an AlphaSSL wildcard share how they set it up with Nginx?
ssl_certificate /etc/ssl/filterbypass.me.crt; #(or .pem)
ssl_certificate_key /etc/ssl/filterbypass.me.key.nopass;
#ssl_stapling on;
#ssl_stapling_verify on;
#ssl_trusted_certificate /etc/ssl/trustchain.crt;
#resolver 8.8.8.8 8.8.4.4;
I am not able to set up OCSP stapling since the trustchain is wrong... can anyone tell me which certificate to concatenate for the trustchain?
It would be real nice if someone could share his nginx conf so that I can
Comments
Edit: nevermind
I'm not sure if you can even avoid the extra download issue and still have it work in all browsers.
@perennate
The certificate already works, but I want to fix all chain issues reported by ssllabs and set up OCSP stapling.
@ipxadam
Maybe you can help me out since ipxcore uses alphassl and has no issues according to ssllabs report
You need to concatenate the certificate labeled "AlphaSSL SHA-1 G2 Intermediate Certificates", under "SHA-1 Orders June 26, 2011 and After" available from [1], to your own certificate. It will be something like this, in the end: [2].
I am still working on my nginx SSL config, but currently I have something like [3], based on configs from several websites I have been visiting. In this file, "domain.bundle.crt" is the file created by concatenating your domain certificate with the intermediate certificate, as described above. "domain.trusted.crt" is made by concatenating the GlobalSign root certificate, available from [4] under "GlobalSign Root R1 SHA1 • RSA • 2048", with the AlphaSSL intermediate certificate used above. Something like [5].
Hope this helps, and I am also open to suggestions to improve my settings.
Edit: Improve links formatting.
@qrwteyrutiyoup
I originally tried with "SHA-256 Orders March 31, 2014 and After" since I ordered the SSL yesterday, but I will try with the "SHA-1 Orders June 26, 2011 and After" as well.
@khav I had the same problem, then I checked the certificate and it said "Signature Algorithm: sha1WithRSAEncryption", then I realized I had to use the other certificate
@qrwteyrutiyoup
You are a life saver mate... I struggled for hours with this.
I had to use the "SHA-1 Orders June 26, 2011 and After".
Now I have a perfect report with ssllabs with maximum compatibility.
https://www.ssllabs.com/ssltest/analyze.html?d=filterbypass.me
Thanks so much mate
To get this to work in all browsers you need to merge the CRT and trust CRT.
Run:
cat mycertificate.crt trustcert.crt >> bundle.crt
Change the above command as required, then change the config. (Remember you no longer need the trust/client certificate in config.)
That works for me. Let me know if you have any issues.
Same here. It was a bit of a mess when I first set everything up.
When I first tried setting it up, I was using the SHA256 certs, but it turned out the cert I was issued was SHA1. No idea if you can specify the hash or not though.
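Added example, not part of any post in this thread: a shell sketch of the steps discussed above, which reads the certificate's signature algorithm, confirms that the chosen intermediate really signed the certificate, and only then builds the bundle and trusted files. It assumes the `openssl` CLI is installed; the demo PKI is constructed to stand in for the GlobalSign/AlphaSSL certificates, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example. A throwaway demo PKI (constructed) stands in for the GlobalSign root
# and the AlphaSSL intermediates; all function names here are hypothetical.

make_demo_pki() {  # $1 = empty work directory
  d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/demo.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -config "$d/demo.cnf" \
    -extensions v3_ca -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  for n in intermediate other; do  # "other" = an intermediate that did NOT sign the leaf
    openssl req -newkey rsa:2048 -nodes -config "$d/demo.cnf" -subj "/CN=Demo $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$d/$n.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
      -CAcreateserial -extfile "$d/demo.cnf" -extensions v3_ca -out "$d/$n.crt" 2>/dev/null
  done
  openssl req -newkey rsa:2048 -nodes -config "$d/demo.cnf" -subj "/CN=demo.example.test" \
    -keyout "$d/domain.key" -out "$d/domain.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$d/domain.csr" -CA "$d/intermediate.crt" \
    -CAkey "$d/intermediate.key" -CAcreateserial -out "$d/domain.crt" 2>/dev/null
}

sig_alg() {  # signature algorithm of the first certificate in a PEM file
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

chain_ok() {  # $1 leaf, $2 intermediate, $3 root; 0 only if leaf -> intermediate -> root verifies
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

build_chain_files() {  # $1 leaf, $2 intermediate, $3 root, $4 output prefix
  # ">" rather than ">>", so re-running does not append duplicate certificates.
  cat "$1" "$2" > "$4.bundle.crt"   # for ssl_certificate: leaf first, then intermediate
  cat "$3" "$2" > "$4.trusted.crt"  # for ssl_trusted_certificate: root + intermediate
}

first_subject() {  # subject of the first certificate in a PEM file (should be the leaf)
  openssl x509 -in "$1" -noout -subject
}

# Usage with real files: sig_alg domain.crt
#   chain_ok domain.crt intermediate.crt root.crt && \
#     build_chain_files domain.crt intermediate.crt root.crt domain
```

If `chain_ok` fails, the intermediate does not match the one that issued the certificate, which is the SHA-1 versus SHA-256 mix-up described in the thread.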