It seems I have run into a problem I just can't seem to get solved.

Firefox

I have tested the setup with Chrome, IE and Safari and it seems only Firefox has a problem with my SSL configuration on my nginx server. The reason is not 100% clear; maybe someone has some tips for solving this issue.

NGINX config:

upstream mysite {
    server 192.168.1.2:8080;
}

server {
    listen                  443 ssl;
    server_name             mysite.example.com;
    ssl                     on;
    ssl_certificate         /etc/ssl/certs/mysite.example.com.crt;
    ssl_certificate_key     /etc/ssl/certs/mysite.example.com.key;
    ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers       on;
    ssl_ciphers             "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    ssl_dhparam             /etc/ssl/certs/dhparam.pem;
    ssl_session_cache       shared:SSL:10m;
    add_header              Strict-Transport-Security "max-age=15768000; includeSubDomains";
    access_log      /var/log/nginx/mysite.example.com.access.log combined;
    error_log       /var/log/nginx/mysite.example.com.error.log;
    keepalive_timeout       210;
    client_max_body_size    25M;
    location / {
            proxy_pass              http://mysite;
            proxy_next_upstream     error timeout invalid_header http_500 http_502 http_503 http_504;
            proxy_redirect          off;
            proxy_buffering         off;
            proxy_set_header        Host            mysite.example.com;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

The Certificate is a GeoTrust G3 Wildcard Certificate.

[Image: Firefox Error/Warning]

Adesso
  • It seems Firefox doesn't have your CA certificate in its store. It uses its own store, apart from the OS system certificate store, which IE and Chrome make use of. // Which CA issued your server certificate? Is it your own home-made CA or some public CA? – Nikita Kipriyanov Dec 10 '15 at 08:07
  • The Certificate is a GeoTrust G3 Wildcard Certificate. – Adesso Dec 10 '15 at 08:11
  • Have you included all intermediate & root CA certificates in /etc/ssl/certs/mysite.example.com.crt? – serverliving.com Dec 10 '15 at 08:32
  • It is the bundle certificate sent from GeoTrust itself, so I am assuming it is right. (Chrome/IE/Safari have no issue with it.) I am thinking that it is a cipher problem, just not sure – Adesso Dec 10 '15 at 16:05
  • @WillemP.Botha: don't assume, go and check yourself. Also check whether that root certificate actually exists in the Firefox store. The easiest way to diagnose problems is to click "view certificate"; as far as I can remember, that button appears if you try to ignore the problem and trust the site anyway. There will be a way to analyse the certification chain and find out what is wrong. – Nikita Kipriyanov Dec 10 '15 at 19:47
  • You can use a scanner like https://www.ssllabs.com/ssltest/index.html that uses Firefox's trust store and simulates connections with various browsers/user agents to determine if your certificate chain is correct. – Anand Bhat Dec 11 '15 at 03:05
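
The check the comments ask for, whether the file nginx loads via `ssl_certificate` holds the server certificate followed by the intermediate(s) that issued it, can be scripted. This is an added example, not part of the original thread; the function names and the demo certificate names are made up for illustration, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example. Requires the openssl CLI; demo names are constructed.

# Print "subject<TAB>issuer" for each certificate in a PEM bundle, in file order.
list_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout |
        awk '/^subject=/ { s = substr($0, 9) }
             /^issuer=/  { print s "\t" substr($0, 8) }'
}

# Return 0 if every certificate is followed by the one that issued it,
# 1 if the file holds only a single certificate (no intermediate),
# 2 if the order is broken, 3 if no certificate could be read.
# This compares names only; it does not verify signatures.
check_bundle() {
    list_chain "$1" | awk -F'\t' '
        NR > 1 && prev_issuer != $1 { bad = 1 }
        { prev_issuer = $2 }
        END { if (NR == 0) exit 3; if (NR == 1) exit 1; if (bad) exit 2 }'
}

# issue DIR NAME SIGNER CN: create NAME.key/NAME.crt signed by SIGNER (demo only).
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 1 -CA "$1/$3.crt" \
        -CAkey "$1/$3.key" -CAcreateserial -out "$1/$2.crt" 2>/dev/null
}

# Build a throwaway root -> intermediate -> leaf set in DIR.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null &&
    issue "$1" int root "Demo Intermediate" &&
    issue "$1" leaf int "mysite.example.com"
}

# Usage: sh chaincheck.sh /path/to/bundle.crt
if [ -n "${1:-}" ]; then
    list_chain "$1"
    check_bundle "$1"
    echo "check_bundle exit code: $?"
fi
```

Run against `/etc/ssl/certs/mysite.example.com.crt` on the server, exit code 1 means the file contains only the server certificate, and exit code 2 means the certificates are present but not in leaf-first order.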
