I had only ownCloud running (HTTP and HTTPS with apache2) in my network, but now I want to host another website. HTTPS was working without the warning "Your connection is not secure".

So for this I have installed another server with nginx, on which I want to set up SSL with my STAR_mydomain_com.crt and _mydomain_com.key that I was using on apache2.

```
server {
    listen 443;
    server_name cloud.mydomain.com;

    error_log /var/log/nginx/cloud.access.log;

    ssl on;
    ssl_certificate /etc/nginx/ssl/STAR_mydomain_com.crt;
    ssl_certificate_key /etc/nginx/ssl/_mydomain_com.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE

    location / {
        proxy_pass http://192.168.1.10/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;

        proxy_redirect off;
    }
}
```

But now I get the message: "Your connection is not secure".

I don't understand why

Any explanation why?

1 Answer

You probably forgot to add the intermediate certificates in your ssl_certificate file. In Apache there is a separate option for intermediate certificates, while in nginx there is none. Instead you have to put all intermediate certificates in your ssl_certificate file, right after your own certificate. (See 1)


Original Post:

Did you change the server name when switching to nginx?

Certificates are only valid for a certain DNS name.

Usually there is more information in the "Your connection is not secure" dialog, like "Certificate is only valid for xzy.mydomain.com"; that information could help us to resolve your problem.

joni_93
  • No it was before _cloud.mydomain.com_ and it is still _cloud.mydomain.com_ now using the same wildcard.mydomain_com.crt and wildcard_mydomain_com.key that I was using previously without nginx reverse proxy. – user427519 Jul 23 '17 at 00:10
  • Try "proxy_set_header X-Forwarded-Proto $scheme;" – joni_93 Jul 23 '17 at 00:14
  • Also a more specific error message would really help. – joni_93 Jul 23 '17 at 00:31
  • I added X-Forwarded-Proto in my but still not working. So the web browser error is **SEC_ERROR_UNKNOWN_ISSUER** – user427519 Jul 23 '17 at 00:39
  • From which CA did you get your certificate? – joni_93 Jul 23 '17 at 00:40
  • Did you include all intermediate certs? – joni_93 Jul 23 '17 at 00:42
  • I got Comodo CA – user427519 Jul 23 '17 at 00:48
  • What do you mean by intermediate certs? – user427519 Jul 23 '17 at 00:48
  • https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/250/17/ – joni_93 Jul 23 '17 at 01:12
  • This does not provide an answer to the question. Once you have sufficient [reputation](https://serverfault.com/help/whats-reputation) you will be able to [comment on any post](https://serverfault.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/low-quality-posts/333178) – kasperd Jul 23 '17 at 03:19
  • In Apache you have "the option SSLCertificateChainFile" for including the intermediate certificates, while nginx doesn't have this option requiring you to put the intermediate certificates in your ssl_certificate file. (See https://stackoverflow.com/questions/25750890/nginx-install-intermediate-certificate) – joni_93 Jul 23 '17 at 04:17
  • @kasperd I know this is not an answer but I couldn't post an answer because of my reputation. Sometimes it is just not possible to provide answers without asking for further information, I am sorry. – joni_93 Jul 23 '17 at 04:41
  • Thank you for your help guys, it was the chain file that was missing. – user427519 Jul 23 '17 at 05:58
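
Added example, not part of the original thread: a shell script that reproduces the fix from the answer by building a throwaway root CA, intermediate CA and server certificate with `openssl`, then checking a leaf-only file against a leaf-plus-intermediate file the way a client that trusts only the root would. The helper names (`issue`, `chain_ok`, `demo`), the CNs and all file names are assumptions made up for the demo.

```shell
#!/bin/sh
# Constructed demo PKI: every name, CN and path below is made up for this example.

# issue DIR NAME CN SIGNER [x509 options]: create NAME.key and NAME.crt in DIR,
# signed by SIGNER's key (self-signed when SIGNER equals NAME).
issue() {
    d=$1 name=$2 cn=$3 signer=$4; shift 4
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
    if [ "$signer" = "$name" ]; then
        set -- -signkey "$d/$name.key" "$@"
    else
        set -- -CA "$d/$signer.crt" -CAkey "$d/$signer.key" -CAcreateserial "$@"
    fi
    openssl x509 -req -in "$d/$name.csr" -days 2 "$@" -out "$d/$name.crt" 2>/dev/null
}

# chain_ok ROOT BUNDLE: succeed if the first certificate in BUNDLE chains to ROOT
# using only the extra certificates in BUNDLE, which is what a client has to work
# with when BUNDLE is the file named by ssl_certificate.
chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    issue "$dir" root "Demo Root CA" root -extfile "$dir/ca.ext" &&
    issue "$dir" int "Demo Intermediate CA" root -extfile "$dir/ca.ext" &&
    issue "$dir" leaf "cloud.example.test" int || return 1

    # Server certificate first, then the intermediate, in one file.
    cat "$dir/leaf.crt" "$dir/int.crt" > "$dir/fullchain.crt"

    chain_ok "$dir/root.crt" "$dir/leaf.crt" && leaf_only=verifies || leaf_only=fails
    chain_ok "$dir/root.crt" "$dir/fullchain.crt" && full=verifies || full=fails
    rm -rf "$dir"
    echo "leaf only: $leaf_only; leaf + intermediate: $full"
}

demo
```

The same `chain_ok` check can be pointed at a real `ssl_certificate` file and the CA's root certificate before reloading nginx.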