Check that you have both the certificate and any intermediate certificates in your PEM file - you can skip the top-most CA certificates as those are generally included in your browser's CA store - but the intermediates are not.
I believe Nginx wants certs ordered from bottom-most (your cert) to top-most (CA's cert) - it used to be picky about that; I haven't retried the ordering in a long while.

On Sun, Jun 19, 2016 at 5:09 AM, Francis Daly <[email protected]> wrote:

> On Sat, Jun 18, 2016 at 11:29:49AM +0300, Andrey Novikov wrote:
>
> Hi there,
>
> > We've successfully configured interaction with two of these systems
> > (all with mutual TLS), and when pointed another one to this server
> > we've got next message in the error.log (log level for error log is
> > set to debug):
> >
> > 2016/06/16 18:07:55 [info] 21742#0: *179610 SSL_do_handshake() failed
> > (SSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> > certificate:SSL alert number 42) while SSL handshaking, client:
> > 10.117.252.168, server: 0.0.0.0:8443
> >
> > What can cause this message? How to debug it?
>
> I think that this message (can|does) mean that the far side did not like
> something about your certificate.
>
> If that is the case - are there any logs on the thing connecting to
> nginx about what it thinks happened in the TLS negotiation?
>
> Cheers,
>
> f
> --
> Francis Daly [email protected]
>
> _______________________________________________
> nginx mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx
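The ordering advice in the reply above, as an added example that is not part of the original thread: a standard-library Python check that every certificate in a PEM bundle is followed by its issuer (your cert first, then intermediates). It compares issuer and subject names byte for byte and does not verify signatures; `check_bundle`, `sample_cert` and the sample names are hypothetical, and the sample certificates are constructed skeletons.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read the DER element at pos; return (tag, value_start, element_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = tlv(der, 0)                   # enter Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)                 # enter tbsCertificate SEQUENCE
    tag, _, pos = tlv(der, pos)               # [0] version, or serialNumber in v1
    if tag == 0xA0:
        _, _, pos = tlv(der, pos)             # serialNumber follows the version
    _, _, issuer_at = tlv(der, pos)           # skip signature AlgorithmIdentifier
    _, _, validity_at = tlv(der, issuer_at)   # issuer Name
    _, _, subject_at = tlv(der, validity_at)  # validity
    _, _, subject_end = tlv(der, subject_at)  # subject Name
    return der[issuer_at:validity_at], der[subject_at:subject_end]

def check_bundle(pem_text):
    """List ordering problems (names compared as raw bytes); empty list means OK."""
    names = [issuer_and_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    problems = [] if names else ["no certificates found"]
    if len(names) > 1 and names[0][0] == names[0][1]:
        problems.append("cert 1 is self-signed: the bundle starts with a CA, not your cert")
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(f"cert {i + 1} is not followed by its issuer")
    return problems

def sample_cert(subject, issuer):
    """Constructed skeleton certificate (names only, no key or signature)."""
    der = lambda tag, body: bytes([tag, len(body)]) + body
    name = lambda cn: der(0x30, der(0x0C, cn.encode()))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
           + name(issuer) + der(0x30, b"") + name(subject))
    body = base64.b64encode(der(0x30, der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    leaf = sample_cert("www.example.test", "Example Intermediate")
    inter = sample_cert("Example Intermediate", "Example Root")
    print(check_bundle(leaf + inter), check_bundle(inter + leaf))
```

To check a real file, pass its contents to `check_bundle`, for example `check_bundle(open(path).read())`.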
