Error: This server's certificate chain is incomplete

addis_a · December 30, 2014, 8:35pm

Hi All
I managed to get the nginx reverse proxy up and forwarding to my https
web
server.
I think I have missed something though as a user just let me know that
when
he tried to access the site he gets a message that the certificate is
invalid.

I just did a test with ssllabs and noticed that it shows this error:
"This
server’s certificate chain is incomplete. "

Any ideas on what I have missed? Thanks for the assistance.

Regards.

churp · December 30, 2014, 8:38pm

That test should point you in some direction but you’re probably
missing an intermediate certificate which would normally be provided by
the
issuer and appended to the file containing your server certificate.

__________________Scott LarsonSystems AdministratorWiredrive/LA310 823
8238 ext. 1106310 943 2078 faxwww.wiredrive.com
http://www.wiredrive.com/www.twitter.com/wiredrive
http://www.twitter.com/wiredrive Wiredrive
http://www.wiredrive.com/facebook

On Tue, Dec 30, 2014 at 11:34 AM, Peter F. [email protected]

churp · December 30, 2014, 10:19pm

Thanks for that. I found out also that I need to export all the
intermediate certs. I used this command below to export them all to a
text
file.
openssl pkcs12 -in <file_name>.pfx -out outputfile.txt -nodes.

Then I manually removed the private key and used the result as the cert.
It
works now except that the same test result says “Contains Anchor” This
is
not really a problem from what I have read but I will spend a little
time
trying to figure how to correct this also.

churp · December 30, 2014, 9:35pm

Hello!

On Tue, Dec 30, 2014 at 02:34:26PM -0500, Peter F. wrote:

Any ideas on what I have missed? Thanks for the assistance.
Configuring HTTPS servers

–
Maxim D.
http://nginx.org/

churp · December 30, 2014, 11:13pm

Ok I’m going to try to figure out which it is so I can manually remove
it.
However I must say that I am a new believer in nginx. Good job on an
excellent piece of software.

churp · December 30, 2014, 10:28pm

Contains anchor means that you’re sending the CA’s root cert along
with the intermediates and your own, and that it’s generally unnecessary
to
do so.

__________________Scott LarsonSystems AdministratorWiredrive/LA310 823
8238 ext. 1106310 943 2078 faxwww.wiredrive.com
http://www.wiredrive.com/www.twitter.com/wiredrive
http://www.twitter.com/wiredrive Wiredrive
http://www.wiredrive.com/facebook

On Tue, Dec 30, 2014 at 1:18 PM, Peter F. [email protected]