- info: Please wait for a site operator to respond.
- info: You are now chatting with 'Aaron'
- Aaron: Hello
- Aaron: Welcome to COMODO Technical Support !
- Aaron: How may I assist you today ?
- you: Hello! My name is Artem.
- you: We have Comodo EssentialSSL (Wildcard) for domain *.ekipazh-service.com.ua. We installed the certificate and keys on two of our servers (Linux Debian 7 + nginx 1.2 and Debian 7 + nginx 1.8), but have the same problems:
- you: openssl s_client -connect ekipazh-service.com.ua:443
- you: depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.ekipazh-service.com.ua verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.ekipazh-service.com.ua verify error:num=27:certificate not trusted verify return:1 depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.ekipazh-service.com.ua verify error:num=21:unable to verify the first certificate verify return:1
- Aaron: EssentialSSL Wildcard Certificate for *.ekipazh-service.com.ua
- you: openssl s_client -connect m1.ekipazh-service.com.ua:443 depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.ekipazh-service.com.ua verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.ekipazh-service.com.ua verify error:num=27:certificate not trusted verify return:1 depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.ekipazh-service.com.ua verify error:num=21:unable to verify the first certificate verify return:1
- you: YES
- Aaron: hold on please let me check it.
- Aaron: may I know the exact sub-domain of ekipazh-service.com.ua ?
- you: For example m1.ekipah-service.com.ua. But we have the same problems on both servers. Also, we can create an additional subdomain to run tests.
- Aaron: On which server have you installed the certificate?
- Aaron: May I know the exact web-server type please?
- Aaron: Verify return code: 21 (unable to verify the first certificate)
- Aaron:
- Aaron: could you please let me know the web-server type
- Aaron: ?
- you: Yes, I am gathering info, one second
- Aaron: ok
- you: Server #1: Linux Debian 7.8 (Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) )) with web server NGINX 1.2.1. Server #2: Linux Debian 7.8 (Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u2 x86_64 GNU/Linux) with web server NGINX 1.8.0.
- Aaron: You MUST install the certificate onto the same web-server where you originally created CSR for *.ekipazh-service.com.ua.
- Aaron: So please confirm did you generate and install Certificate for *.ekipazh-service.com.ua on Apache (or) Nginx.
- you: I have to clarify this information, because I got RSA.KEY, SERVER.CRT, CA.CRT_BUNDLE from our security team. So, if we generated the CSR request from Apache and installed it on Nginx, will we have problems?
- Aaron: ok so you got the RSA private key along with it.
- Aaron: then no issues.
- Aaron: But the installation process of Nginx is different from Apache server.
- Aaron: I will provide you the certificate installation instructions URL for both server, please refer the instructions and install it.
- Aaron: Certificate Installation: Apache & mod_ssl
- you: We tried to install the certs according to the instructions for Nginx, but no result.
- Aaron: Apache server requires the Domain Certificate (SERVER.CRT) and CA.CRT Bundle file
- Aaron: Whereas for Nginx it's different.
- you: Yesterday we spent all day installing the cert according to the instructions, but again no result
- Aaron: yes
- Aaron: hold on please
- Aaron: I have changed the certificate format based on Nginx and resent to p.tkachuk@ekipazh-service.com.ua
- Aaron: please download the new certificate zip file and extract it.
- Aaron: If you extract the certificate zip file, you can see the following list of certificate files inside.
- you: ok
- Aaron: AddTrustExternalCARoot.crt
- Aaron: COMODORSAAddTrustCA.crt
- Aaron: COMODORSADomainValidationSecureServerCA.crt
- Aaron: STAR_ekipazh-service_com_ua.crt
- you: Thanks! Will our RSA.KEY be unchanged?
- Aaron: You should combine all the above certificate files into a single file named 'ssl-bundle.crt' in reverse order as listed below.
- Aaron: yes, the RSA.KEY will be unchanged.
- Aaron: > cat STAR_ekipazh-service_com_ua.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> ssl-bundle.crt
- Aaron: Then you can configure Nginx Virtual Host by using this file ssl-bundle.crt
- you: ok
- Aaron: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/789/0/certificate-installation-nginx
- Aaron: You can refer to the above URL for more information about Nginx installation
- you: Thanks!
- Aaron: you're welcome
- Aaron: Is there anything else that I can assist you with further?
- info: Your chat transcript will be sent to box4log@gmail.com at the end of your chat.
- you: We will try to follow the instructions and, if possible, we will contact support if the problem occurs again