On Mon, Oct 11, 2010 at 11:41 PM, Dave Thompson <[email protected]> wrote:

> > From: [email protected] On Behalf Of Ariel
> > Sent: Monday, 11 October, 2010 20:05
>
> > I have a site (Rails app) that I'm trying to set up with SSL
> > and SSL Client Certificate (using nginx).
> > I bought a wildcard one-domain certificate at GoDaddy in order
> > to support multiple subdomains to my site: *.mysite.com
>
> > I downloaded the cert file and the bundle file; combined them into
> > one single cert and set up my nginx SSL directives to use it as suggested here [1].
>
> > Then I try to verify my setup using the openssl command line tool and I got this:
>
> > $ openssl s_client -connect mysite.com:443 -showcerts
> > CONNECTED(00000003)
> > depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected]
> > verify error:num=19:self signed certificate in certificate chain
> > verify return:0
> > ---
> > Certificate chain
> <snipped>
>
> Looks right, but you have to give s_client the root(s) to verify against.
> It does NOT automatically default, at least not in the standard distro.
>
> Get your desired root cert -- ValiCert Class 2 Policy Validation Authority --
> in a file in PEM format and give s_client -CAfile filename .
> (There are other ways to do this, but that's simplest.)
>
> Or test from a browser that comes with 'mainstream' CAs builtin.
> Even if your app doesn't talk HTTP, the browser should complete
> the SSL connection successfully before it gets an HTTP error.
> The two I have to hand, IE7 and FF3.6, do appear to include this CA.
> That is a good place to get the file you use for s_client above.

Thanks, it worked. Tested using the command line tool with the "-CAfile" option and also with a browser.

-- 
Ariel Diaz Bermejo
http://www.linkedin.com/in/adiazbermejo
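Added example, not part of the thread: an offline reproduction of the same verify error 19 and its fix, using `openssl verify` instead of `s_client` so no server is needed. The root, intermediate and leaf are constructed throwaway certificates, and the function and file names are assumptions of this example.

```shell
# Constructed throwaway PKI (root -> int -> leaf); nothing here comes from the thread.

# new_csr NAME DIR: fresh RSA key plus a CSR with a constructed subject
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed $1" \
    -keyout "$2/$1.key" -out "$2/$1.csr" 2>/dev/null
}

# build_chain DIR: create the three certificates and the bundle a server would send
build_chain() {
  local d=$1
  echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
  new_csr root "$d" && new_csr int "$d" && new_csr leaf "$d" || return 1
  # Self-signed root
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate CA signed by the root
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
  # Leaf signed by the intermediate
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
  # As in the thread, the server sends the self-signed root along with the chain
  cat "$d/int.pem" "$d/root.pem" > "$d/sent.pem"
}

# check_chain DIR [ROOT_PEM]: prints "ok", or the numeric verify error
check_chain() {
  local d=$1 out
  # Without ROOT_PEM the sent certificates are untrusted input only;
  # with it, -CAfile supplies the trust anchor the chain must end in.
  out=$(openssl verify ${2:+-CAfile "$2"} -untrusted "$d/sent.pem" "$d/leaf.pem" 2>&1) \
    && { echo ok; return 0; }
  printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

work=$(mktemp -d) && build_chain "$work"
echo "no trust anchor given: verify error $(check_chain "$work")"
echo "with -CAfile root.pem: $(check_chain "$work" "$work/root.pem")"
```

A root that arrives in the server's bundle is never trusted on that basis alone; verification succeeds only when the same root is supplied locally as a trust anchor.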
