SSL: Servers certificate chain is incomplete
"Servers certificate chain is incomplete" means you don't have intermediate certificates, certificates have expired or are in the wrong order.
It looks like you don't have any intermediate certificates: https://www.sslshopper.com/ssl-checker.html#hostname=https://api.billgun.com/.
When you open your site in a browser you will get a green padlock because browsers can download missing intermediate certificates, but other tools won't be able to connect, i.e. curl:
curl -I 'https://api.billgun.com/'
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
or openssl:
openssl s_client -connect api.billgun.com:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.billgun.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.billgun.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.billgun.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
The fastest way to generate the correct chain is to:
- open your site in a browser
- click on the green padlock and display certificate properties
- export every certificate in the chain (in your case, you should get 3 files: -billguncom.crt, COMODORSADomainValidationSecureServerCA.crt, COMODORSACertificationAuthority.crt)
- combine the files in order from leaf to root cert:
cat -- -billguncom.crt COMODORSADomainValidationSecureServerCA.crt COMODORSACertificationAuthority.crt > billgun_com.crt
- install the new cert on the server
- test nginx configuration
nginx -t
- restart server
service nginx restart
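Added example, not part of either answer: a Python check that reads saved `openssl s_client` output such as the one quoted above and reports how many certificates the server sent, whether each one is issued by the next (leaf-to-root order), and which issuer openssl could not find. The function names and the `MISORDERED` sample are constructed for illustration.

```python
import re

# Output quoted in the answer above (server sending only its leaf certificate).
PAGE_OUTPUT = """\
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.billgun.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.billgun.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.billgun.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
"""

# Constructed sample: chain file concatenated with the intermediate before the leaf.
MISORDERED = """\
Certificate chain
 0 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
 1 s:/CN=www.example.test
   i:/CN=Example Intermediate CA
---
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section."""
    section = re.search(r"^Certificate chain\n(.*?)^---", text, re.S | re.M)
    if not section:
        return []
    return re.findall(r"^\s*\d+ s:(.*)\n\s+i:(.*)$", section.group(1), re.M)

def diagnose(text):
    """Summarise what the server sent and what verification complained about."""
    chain = parse_chain(text)
    errors = sorted({int(n) for n in re.findall(r"verify error:num=(\d+):", text)})
    # Leaf-to-root order: every certificate is issued by the one that follows it.
    in_order = all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))
    # Errors 20/21 (as in the quoted output) mean the issuer of the last
    # certificate sent was not found; that is the certificate to add next.
    missing = chain[-1][1] if chain and in_order and {20, 21} & set(errors) else None
    return {"sent": len(chain), "verify_errors": errors,
            "in_order": in_order, "missing_issuer": missing}

if __name__ == "__main__":
    for name, sample in (("page output", PAGE_OUTPUT), ("misordered", MISORDERED)):
        print(name, diagnose(sample))
```

After installing the combined file, the same check on fresh `openssl s_client` output should show more than one certificate sent and no verify errors.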
There is a tool to automate the procedure of producing a bundle of correctly chained certificates. https://github.com/zakjan/cert-chain-resolver (I'm the author.)
Usage:
cert-chain-resolver -o domain.bundle.pem domain.pem
- domain.pem is your input certificate
- domain.bundle.pem is the certificate bundle, that you can use in your web server configuration