thin rails server/eventmachine on windows does not

After building my own eventmachine/thin with SSL support on Windows (Install OpenSSL with Ruby for eventmachine on Windows 7 x86), I got another problem with the SSL certificate: when I use the built-in self-signed one, thin works fine, but it does not respond to any request when using the corporate certificate.

Here is my path for obtaining the certificate:

  1. I generated a private key with puttygen (ssl-private.key)
  2. I generated a CSR using the following command:

openssl req -out ssl.csr -key ssl-private.key -new

  3. I sent the CSR to the CA and received a P7B file
  4. I converted the P7B using the following command:

openssl pkcs7 -inform DER -outform PEM -in cert.p7b -print_certs > cert.crt

What could go wrong here?

What I have checked:

openssl rsa -in ssl-private.key -check

says "RSA key ok"

openssl x509 -in cert.crt -text -noout


        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: ***
            Not Before: Feb 16 08:47:25 2004 GMT
            Not After : Feb 16 08:55:36 2024 GMT
        Subject: ***
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 3 (0x3)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
            X509v3 Subject Key Identifier: 
    Signature Algorithm: sha1WithRSAEncryption

while the same check on the self-signed cert, created using

openssl genrsa -des3 -out server.orig.key 2048
openssl rsa -in server.orig.key -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt


        Version: 1 (0x0)
        Serial Number:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=PL, ST=-, O=Internet Widgits Pty Ltd,
            Not Before: Jun 24 14:42:07 2015 GMT
            Not After : Jun 23 14:42:07 2016 GMT
        Subject: C=PL, ST=-, O=Internet Widgits Pty Ltd,
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption

OK, some change: I have changed the cert order in the crt file so that the final cert is first instead of last, and the result is different: Chrome drops a NET::ERR_CERT_INVALID error, IE something similar, and neither navigates any further.

openssl s_client output (looks OK; *** Root CA 1 is trusted in Windows):

Loading 'screen' into random state - done
depth=1 DC = com, DC = ***, CN = *** Enterprise CA 1
verify error:num=20:unable to get local issuer certificate
Certificate chain
 0 s:/C=***/ST=***/O=***/CN=***.com
   i:/DC=com/DC=***/CN=*** Enterprise CA 1
 1 s:/DC=com/DC=***/CN=*** Enterprise CA 1
   i:/DC=com/DC=***/CN=*** Root CA 1
Server certificate
issuer=/DC=com/DC=***/CN=*** Enterprise CA 1
No client certificate CA names sent
SSL handshake has read 3404 bytes and written 665 bytes
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: ***
    Master-Key: ***
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket: ***

    Start Time: 1435319943
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

I have made a simple HTTPS server (lib/emtestssl):

require 'rubygems'
require 'bundler/setup'
require 'eventmachine'

class ServerHandler < EM::Connection
  def post_init
    puts "post_init"
    # Start the TLS handshake with the server key and the chain file (leaf cert first)
    start_tls :private_key_file => 'private.key', :cert_chain_file => 'comb.crt', :verify_peer => false
  end

  def receive_data(data)
    puts "Received data in server: #{data}"
    # Minimal HTTP response; HTTP uses CRLF line endings
    send_data("HTTP/1.1 200 OK\r\n\r\nHello world!")
  end
end

EM.run do
  puts 'Starting server...'
  EventMachine.start_server('', 443, ServerHandler)
end

It works fine without TLS; with TLS the browser won't connect :(

The private key and certificate do match.


It looks like the (patched) eventmachine is completely fine: I have taken a key/cert pair from an existing server and (after a URL mismatch warning from the browser) it works fine.

After comparing the certificates, it looks like my CA has failed and brought me a cert with the wrong properties: the working one is described as Server Authentication, while the failing one is Client Authentication.

I will issue another CSR and charge them for the lost day... :/

Maybe one important discovery is the order of certificates within the cert file: one must go from the final cert to the root, with the root at the end of the chain.
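The two things this post ran into, a chain file in the wrong order and a leaf certificate issued for Client Authentication instead of Server Authentication, can both be caught before starting the server. The following is an added example, not code from the original post or from eventmachine/thin: it takes the certificates a CA hands back (a DER P7B, or the PEM that `openssl pkcs7 -print_certs` writes, in whatever order they arrive) plus the server's private key, picks the leaf by matching it against the key, orders the chain leaf first and root last, checks the extended key usage for serverAuth, and verifies the chain against its own root. It needs only Ruby's bundled openssl extension. The three-level PKI at the bottom (Example Root CA 1, Example Enterprise CA 1, thin.example.com) is constructed in memory for the demonstration and stands in for the redacted names in the post.

```ruby
require 'openssl'

# Added example, not part of the original post: build the PEM for
# EventMachine's :cert_chain_file from a CA bundle in arbitrary order.
# The PKI further down is constructed in memory with hypothetical names.

# Accept PEM text (the subject=/issuer= lines from print_certs are ignored)
# or a DER PKCS#7 bundle straight from the CA.
def load_bundle(data)
  if data.include?('-----BEGIN CERTIFICATE-----')
    data.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
        .map { |pem| OpenSSL::X509::Certificate.new(pem) }
  else
    OpenSSL::PKCS7.new(data).certificates || []
  end
end

# The leaf is the one certificate whose public key belongs to our private key.
def find_leaf(certs, key)
  certs.find { |c| c.check_private_key(key) }
end

# Follow issuer -> subject links upwards from the leaf, checking each
# signature, and stop at a self-signed root: [leaf, intermediates..., root].
def order_chain(certs, leaf)
  chain = [leaf]
  until chain.last.issuer.cmp(chain.last.subject).zero?
    parent = certs.find do |c|
      !c.equal?(chain.last) && c.subject.cmp(chain.last.issuer).zero? && chain.last.verify(c.public_key)
    end
    break unless parent
    chain << parent
  end
  chain
end

# RFC 5280: no EKU means unrestricted; an EKU without serverAuth (e.g. only
# clientAuth, as in the post) makes browsers reject the cert for a TLS server.
def server_auth?(cert)
  ext = cert.extensions.find { |e| e.oid == 'extendedKeyUsage' }
  return true unless ext
  ext.value.split(',').map(&:strip).include?('TLS Web Server Authentication')
end

# Independent check that the ordered chain validates up to its own root.
def verify_chain(chain)
  store = OpenSSL::X509::Store.new
  store.add_cert(chain.last)
  store.verify(chain.first, chain[1...-1])
end

# The content to write to the chain file: leaf first, root last.
def chain_file_pem(bundle, key)
  certs = load_bundle(bundle)
  leaf = find_leaf(certs, key)
  raise 'no certificate in the bundle matches the private key' unless leaf
  raise 'leaf lacks the serverAuth extended key usage' unless server_auth?(leaf)
  chain = order_chain(certs, leaf)
  raise 'chain does not verify to its root' unless verify_chain(chain)
  chain.map(&:to_pem).join
end

# --- constructed test PKI (hypothetical names, in-memory keys) -----------------
def make_cert(subject, key, issuer_cert, issuer_key, serial, ca:, eku: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', eku)) if eku
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

def build_demo
  root_key, ca_key, leaf_key, other_key = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert('/DC=com/DC=example/CN=Example Root CA 1', root_key, nil, nil, 1, ca: true)
  ca   = make_cert('/DC=com/DC=example/CN=Example Enterprise CA 1', ca_key, root, root_key, 2, ca: true)
  leaf = make_cert('/C=PL/O=Example/CN=thin.example.com', leaf_key, ca, ca_key, 3, ca: false, eku: 'serverAuth')
  bad  = make_cert('/C=PL/O=Example/CN=thin.example.com', other_key, ca, ca_key, 4, ca: false, eku: 'clientAuth')
  # Deliberately out of order, as a print_certs dump of a P7B may well be.
  { bundle: [ca, root, leaf].map(&:to_pem).join, key: leaf_key,
    leaf: leaf, ca: ca, root: root, bad: bad, bad_key: other_key }
end

if $PROGRAM_NAME == __FILE__
  d = build_demo
  puts chain_file_pem(d[:bundle], d[:key])
end
```

Write the returned PEM to comb.crt and point `:cert_chain_file` at it, with the matching key in `:private_key_file`. Including the root at the end is harmless and matches what the post settled on, but clients must already trust that root anyway, so leaving it out of the file is equally valid; what must not happen is an intermediate or the root appearing before the leaf.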