Hello! On Fri, Nov 27, 2015 at 04:54:29PM +0100, Nicholas Wieland wrote:
> it's the first time I configure an SSL certificate on my development machine
> (I'm no sysadmin - I need SSL to work with facebook). I decided to go with
> nginx proxying a ruby sinatra application, nothing fancy.
>
> This is the error I get when Facebook tries to connect to my HTTP server.
> AFAIK nginx is the culprit here:
>
> 2015/11/26 15:42:03 [info] 42872#0: *3 SSL_do_handshake() failed (SSL:
> error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:SSL alert
> number 48) while SSL handshaking, client: 31.13.113.70, server: 0.0.0.0:4567
>
> This is what I did:
>
> Downloaded the cert (a .key, a .crt and a .csr) from RapidSSL
> Downloaded the trusted cert from RapidSSL
> (https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem)
> and saved locally under /etc/ssl/cert/
> Installed locally nginx and configured like this:
> https://gist.github.com/ngw/f97adc4194b08ea355c8
> Restarted both nginx and puma respectively on port 4567 and 8080
>
> Went to https://sandbox.thing.it, the app responded as expected, the
> connection was encrypted and the certificate appears to be the correct one.
>
> Went to Facebook and attempted to register a new page subscription
> (https://developers.facebook.com/docs/graph-api/webhooks/v2.2). Had the error
> reported on the top (SSL_do_handshake() failed) when Facebook attempted to
> validate my callback url
>
> Any suggestion?

Make sure to properly configure certificate chains, see
http://nginx.org/en/docs/http/configuring_https_servers.html#chains
for details.

Note well that if you have no experience with SSL configuration, it's a good idea to avoid configuring anything but ssl_certificate and ssl_certificate_key (and ssl_session_cache for performance reasons). That is, remove (or comment out) all other ssl_* directives in your configuration (including ssl_stapling, ssl_stapling_verify, ssl_prefer_server_ciphers, ssl_protocols, ssl_ciphers) until you get it working. You can re-add these directives later if needed. The error you are seeing is likely unrelated, but it's generally a better approach anyway.

--
Maxim Dounin
http://nginx.org/
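The "tlsv1 alert unknown ca" (alert 48) that nginx logs here is sent by the client, which could not build a trust path from the presented certificate to a root it knows; the usual cause is a chain file in the wrong order or with the intermediate missing. The linked nginx documentation says the `ssl_certificate` file must contain the server certificate first, followed by the intermediate certificates. The script below is an added example written for this thread, not code from the original posts or from nginx: it assembles a chain file in that order and verifies, offline and with the standard library only, that each certificate in the file is issued by the one after it, by comparing the raw DER `issuer` and `subject` Name fields. The `fake_cert_pem` helper builds unsigned, certificate-shaped DER purely so the checker can be exercised without real keys; the names in it and the file paths are constructed, not from the thread.

```python
"""Assemble and sanity-check the chain file that nginx's ssl_certificate
expects (server cert first, then each intermediate CA in issuing order).
Standard library only: a minimal DER walker extracts issuer and subject.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def _tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, tlv_start, tlv_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = _tlv(buf, pos)
        yield tag, pos, vend
        pos = vend


def issuer_and_subject(der):
    """Return the raw DER Name TLVs (issuer, subject) of an X.509 certificate.

    Certificate ::= SEQ { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQ { [0] version OPTIONAL, serialNumber, signature,
                             issuer, validity, subject, ... }
    """
    _, tbs_pos, _ = _tlv(der, 0)
    _, f_start, f_end = _tlv(der, tbs_pos)
    fields = list(_children(der, f_start, f_end))
    if fields[0][0] == 0xA0:  # explicit [0] version present (v2/v3 certs)
        fields = fields[1:]
    _, i_start, i_end = fields[2]
    _, s_start, s_end = fields[4]
    return der[i_start:i_end], der[s_start:s_end]


def split_pem(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file."""
    return [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(text)]


def chain_problems(pem_text):
    """List ordering problems; empty means each cert is issued by the next one."""
    certs = split_pem(pem_text)
    if not certs:
        return ["no certificates found"]
    problems = []
    for idx in range(len(certs) - 1):
        issuer, _ = issuer_and_subject(certs[idx])
        _, next_subject = issuer_and_subject(certs[idx + 1])
        if issuer != next_subject:
            problems.append(f"certificate {idx} is not issued by certificate "
                            f"{idx + 1}; expected server cert first, then intermediates")
    return problems


def assemble_chain(server_pem, intermediate_pem):
    """Concatenate in the order ssl_certificate wants: server cert, then intermediates."""
    return server_pem.rstrip("\n") + "\n" + intermediate_pem.rstrip("\n") + "\n"


def _der(tag, body):
    """Encode one DER TLV (body up to 65535 bytes)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100
                                          else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + body


def _name(cn):
    """Encode a Name holding one commonName RDN (OID 2.5.4.3, UTF8String)."""
    attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, attr))


def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed, UNSIGNED certificate-shaped PEM for offline demonstration only.

    Real TBSCertificate field order, empty signature and key: not usable as a
    certificate, just enough structure for the chain checker to walk.
    """
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),  # [0] version v3
        _der(0x02, b"\x01"),  # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSA
        _name(issuer_cn),
        _der(0x30, _der(0x17, b"150101000000Z") + _der(0x17, b"160101000000Z")),  # validity
        _name(subject_cn),
        _der(0x30, b""),  # subjectPublicKeyInfo placeholder
    ]))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    server = fake_cert_pem("sandbox.example.test", "Demo Intermediate CA")  # constructed
    intermediate = fake_cert_pem("Demo Intermediate CA", "Demo Root CA")  # constructed
    print("server first:", chain_problems(assemble_chain(server, intermediate)) or "OK")
    print("reversed:    ", chain_problems(assemble_chain(intermediate, server)))
```

On a real deployment the same `chain_problems` check can be pointed at the file named in `ssl_certificate` (for example the `.crt` from the CA concatenated with the RapidSSL bundle from the thread); the checker only compares issuer and subject bytes, so it catches a reversed or missing intermediate but does not replace a full signature verification against a trusted root.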
