> On 27 Nov 2015, at 17:14, Maxim Dounin <[email protected]> wrote: > > Hello! > > On Fri, Nov 27, 2015 at 04:54:29PM +0100, Nicholas Wieland wrote: > >> it's the first time I configure an SSL certificate on my development machine >> (I'm no sysadmin - I need SSL to work with facebook). I decided to go with >> ngingx proxying a ruby sinatra application, nothing fancy. >> >> This is the error I get when Facebook tries to connect to my HTTP server. >> AFAIK nginx is the culprit here: >> >> 2015/11/26 15:42:03 [info] 42872#0: *3 SSL_do_handshake() failed (SSL: >> error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:SSL alert >> number 48) while SSL handshaking, client: 31.13.113.70, server: 0.0.0.0:4567 >> >> This is what I did: >> >> Downloaded the cert (a .key, a .crt and a .csr) from RapidSSL >> Downloaded the trusted cert from RapidSSL >> (https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem) >> and saved locally under /etc/ssl/cert/ >> Installed locally nginx and configured like this: >> https://gist.github.com/ngw/f97adc4194b08ea355c8 >> Restarted both nginx and puma respectively on port 4567 and 8080 >> >> Went to https://sandbox.thing.it, the app responded as expected, the >> connection was encrypted and the certificate appears to be the correct one. >> >> Went to Facebook and attempted to register a new page subscription >> (https://developers.facebook.com/docs/graph-api/webhooks/v2.2). Had the >> error reported on the top (SSL_do_handshake() failed) when Facebook >> attempted to validate my callback url >> >> Any suggestion? > > Make sure to properly configure certificate chains, see > http://nginx.org/en/docs/http/configuring_https_servers.html#chains > <http://nginx.org/en/docs/http/configuring_https_servers.html#chains> > for details.
I’m not entirely sure I understand why I need a certificate chain. The .crt file is what the provider sent me, that’s what I use. Should I “chain” the .crt file the provider sent me with the RapidSSL bundle? This is for testing and development, I don’t really care about performances, a slow solution is perfectly fine ngw
_______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
