
SSL: Servers certificate chain is incomplete


"Servers certificate chain is incomplete" means you don't have intermediate certificates, certificates have expired or are in the wrong order.

It looks like you don't have any intermediate certificates: https://www.sslshopper.com/ssl-checker.html#hostname=https://api.billgun.com/.

When you open your site in a browser you will get a green padlock, because browsers can download missing intermediate certificates, but other tools won't be able to connect, e.g. curl:

    curl -I 'https://api.billgun.com/'
    curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
    More details here: http://curl.haxx.se/docs/sslcerts.html

or openssl:

    openssl s_client -connect api.billgun.com:443
    CONNECTED(00000003)
    depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.billgun.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.billgun.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.billgun.com
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    ---

The fastest way to generate a correct chain is to:

  • open your site in a browser
  • click on green padlock and display certificate properties
  • export every certificate in the chain (in your case, you should get 3 files: -billguncom.crt, COMODORSADomainValidationSecureServerCA.crt, COMODORSACertificationAuthority.crt)
  • combine the files in order from leaf to root cert:

    cat -- -billguncom.crt COMODORSADomainValidationSecureServerCA.crt COMODORSACertificationAuthority.crt > billgun_com.crt

  • install the new cert on the server
  • test the nginx configuration: nginx -t
  • restart the server: service nginx restart
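
The "Certificate chain" section of the openssl output above already shows the problem: a single certificate whose issuer is not in the chain. As an added example (not part of either answer), the Python code below parses that section of `openssl s_client` output and reports a leaf-only chain or certificates sent in the wrong order. It compares subject and issuer names only, not expiry or signatures, and the example.test samples are constructed.

```python
import re

SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")   # e.g. " 0 s:/OU=.../CN=*.example.test"
ISSUER = re.compile(r"^\s+i:(.*)$")          # e.g. "   i:/C=GB/.../CN=Some CA"

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject, in_section = [], None, False
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
        elif in_section and line.strip() == "---":
            break                            # end of the chain section
        elif in_section and SUBJECT.match(line):
            subject = " ".join(SUBJECT.match(line).group(1).split())
        elif in_section and subject is not None and ISSUER.match(line):
            chain.append((subject, " ".join(ISSUER.match(line).group(1).split())))
            subject = None
    return chain

def diagnose(chain):
    """Return a list of problems; an empty list means the chain links up."""
    if not chain:
        return ["no certificates found in output"]
    problems = []
    for pos in range(len(chain) - 1):
        # Each certificate must be issued by the one that follows it.
        if chain[pos][1] != chain[pos + 1][0]:
            problems.append(f"cert {pos}: issuer is not the subject of cert {pos + 1} "
                            "(wrong order or missing intermediate)")
    leaf_subject, leaf_issuer = chain[0]
    if len(chain) == 1 and leaf_subject != leaf_issuer:
        problems.append("only the leaf was sent: intermediates are probably missing")
    return problems

# Constructed sample inputs (example.test names are made up for illustration).
LEAF_ONLY = """Certificate chain
 0 s:/CN=*.example.test
   i:/O=Example CA/CN=Example Intermediate CA
---"""
FULL = """Certificate chain
 0 s:/CN=*.example.test
   i:/O=Example CA/CN=Example Intermediate CA
 1 s:/O=Example CA/CN=Example Intermediate CA
   i:/O=Example CA/CN=Example Root CA
---"""

if __name__ == "__main__":
    for name, sample in (("leaf only", LEAF_ONLY), ("full", FULL)):
        print(name, "->", diagnose(parse_chain(sample)) or "chain links up")
```

To check a live server, capture the output of `openssl s_client -connect host:443 </dev/null` and pass it to `parse_chain`.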


There is a tool to automate the procedure of producing a bundle of correctly chained certificates. https://github.com/zakjan/cert-chain-resolver (I'm the author.)

Usage:

    cert-chain-resolver -o domain.bundle.pem domain.pem

  • domain.pem is your input certificate
  • domain.bundle.pem is the certificate bundle that you can use in your web server configuration