I am trying to install an SSL certificate on Nginx (Laravel Forge, actually). I have concatenated the certificate with the intermediate and I don't get any errors in the Nginx error log. However, it is not trusted in mobile Chrome, only on desktops.
Looking at the Qualys SSL test, it says that the chain is incomplete. I don't see how, though.
Here's my Nginx config:
    server {
        listen 80;
        server_name **********.com;
        return 301 https://**********.com$request_uri;
    }
    server {
        listen 443 ssl;
        server_name **********.com;
        root /home/forge/**********.com/public;
        # FORGE SSL (DO NOT REMOVE!)
        ssl on;
        ssl_certificate /etc/nginx/ssl/**********.com/1086/server.pem;
        ssl_certificate_key /etc/nginx/ssl/**********.com/1086/server.key;
        index index.html index.htm index.php;
        charset utf-8;
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }
        location = /favicon.ico { access_log off; log_not_found off; }
        location = /robots.txt { access_log off; log_not_found off; }
        access_log off;
        error_log /var/log/nginx/**********.com-error.log error;
        error_page 404 /index.php;
        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
        }
        location ~ /\.ht {
            deny all;
        }
    }
Can anyone help? I have been pulling my hair out for days.
It looks like you are sending the wrong intermediate:
The subject of certificate 0 is CN=cauterypens.com. The issuer of certificate 0 is CN=AlphaSSL CA - SHA256 - G2.
The intermediate certificate should be the next in the chain. However, rather than sending CN=AlphaSSL CA - SHA256 - G2, you are sending CN=AlphaSSL CA - G2. Notice the lack of SHA256 in the name.
To fix this, you should fetch AlphaSSL CA - SHA256 - G2 from Download GlobalSign Root and Intermediate Certificate. It has thumbprint ae:bf:32:c3:c8:32:c7:d7:bc:55:99:b1:aa:05:fb:6c:f4:d9:29:4c.
Related: the CA is CN=GlobalSign Root CA. That's the GlobalSign Root R1 download. Download it and save it to a file (its name is Root-R1.crt). It's already in a PEM encoding. Then, you should be able to verify the chain with:
If it does not verify, then you have other troubles. Fix the problems before proceeding.
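
The issuer/subject mismatch described in the answer above can be checked mechanically on the bundle that `ssl_certificate` points to. The following is an added example, not part of the original posts; the function name `check_chain_order` is made up here, and it assumes the `openssl` CLI and `awk` are installed.

```bash
# Added example: report any certificate in a PEM bundle whose issuer is not
# the subject of the certificate that follows it (leaf first, then intermediates).
# This checks names and ordering only; it does not verify signatures.
check_chain_order() {
    bundle=$1
    [ -r "$bundle" ] || { echo "cannot read $bundle"; return 2; }
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: cert.0 (leaf), cert.1, ...
    count=$(awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert.%d", dir, n++) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$bundle")
    rc=0
    if [ "$count" -lt 2 ]; then
        echo "bundle holds $count certificate(s): no intermediate is being sent"
        rc=1
    fi
    i=0
    while [ $((i + 1)) -lt "$count" ]; do
        cur="$tmp/cert.$i"
        nxt="$tmp/cert.$((i + 1))"
        # Name hashes are enough to spot a wrong or misordered intermediate.
        if [ "$(openssl x509 -in "$cur" -noout -issuer_hash)" != \
             "$(openssl x509 -in "$nxt" -noout -subject_hash)" ]; then
            echo "certificate $i was not issued by certificate $((i + 1)):"
            openssl x509 -in "$cur" -noout -issuer
            openssl x509 -in "$nxt" -noout -subject
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $rc
}
```

Call it as `check_chain_order /path/to/server.pem`; it returns 0 when every link matches and prints the two differing names otherwise.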