
SSL intermediate.crt root.pem missing?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by pamamolf, Oct 15, 2014.

  1. pamamolf

    pamamolf Premium Member Premium Member

    4,074
    427
    83
    May 31, 2014
    Ratings:
    +833
    Local Time:
    4:58 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    Hi
    I just got a Comodo SSL certificate and I am following this tutorial to set it up:

    Code:
    http://centminmod.com/nginx_configure_https_ssl_spdy.html
    I am on the creation of ssl-unified.crt command:
    Code:
    cat yourdomain.crt intermediate.crt root.pem > ssl-unified.crt
    But I didn't get any intermediate.crt or root.pem files to upload at
    Code:
    /usr/local/nginx/conf/ssl/domaincom/ 
    and use with the above command :(


    I got only:
    Code:
    AddTrustExternalCARoot.crt
    COMODORSAAddTrustCA.crt
    COMODORSADomainValidationSecureServerCA.crt
    mydomain_com.crt
    
    :(
     
    Last edited: Oct 15, 2014
  2. rdan

    rdan Well-Known Member

    5,443
    1,402
    113
    May 25, 2014
    Ratings:
    +2,194
    Local Time:
    10:58 PM
    Mainline
    10.2
    Ask your SSL seller's support?
     
  3. pamamolf

    I don't know if they should provide those two files, intermediate.crt and root.pem, or maybe they use another way to add them on Nginx...

    But I want to follow the centminmod tutorial and in general the way that George uses it.....
     
  4. rdan

    Yeah, that's why. Try to ask them for your root cert.
     
  5. rdan

    AddTrustExternalCARoot.crt = ROOT CERT.

    • Root CA Certificate - AddTrustExternalCARoot.crt
    • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
    • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
     
  6. pamamolf

    From knowledge base:
    The most popular problem is that SSL is not working on mobile devices or in some browsers; it's happening because you missed installing the Intermediate-CA files.
    When SSL is issued, you receive 3 files that you need to use; you can also download them from the Client area in a ZIP file

    • -AddTrustExternalCARoot.crt (CA file that makes working SSL in all browsers and mobile devices)
    • -PositiveSSLCA2.crt or COMODOHigh-AssuranceSecureServerCA.crt (Main CA file)
    • -www_yourdomainname.crt (Your SSL)
    1. First, you need to combine two CA files in one. It's very easy: all you need to do is open both files (AddTrustExternalCARoot.crt + PositiveSSLCA2.crt/COMODOHigh-AssuranceSecureServerCA.crt) in any text editor like Notepad, copy/paste the codes one by one into one file and save it. Now you will have 1 file with the SSL CA. We need that, as only a few systems allow installing 2 separate files; most of them allow just one file
    Now how can I adjust the commands?

    first:
    cat yourdomain.crt intermediate.crt root.pem > ssl-unified.crt

    second:
    cat intermediate.crt root.pem > ssl-trusted.crt

    Thanks !!!
     
  7. rdan

    cat www_phcorner_net.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt >> ssl-unified.crt

    cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> ssl-trusted.crt
     
  8. pamamolf

    Using two >> ? or one > as it is in the tutorial? :)
     
  9. rdan

    I just always copy paste the content of each cert instead of running the command.
    Copy paste never fails :D
     
  10. pamamolf

    Also, in the tutorial the second command is merging two files and not three as you recommended to me ...?
     
  11. rdan

    Yeah, because Comodo has 4 certs including the root.
    Other cert providers have only 3 including the root; that's why you only concatenate 2.
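
Added example (not part of any post in this thread): a POSIX shell helper that rebuilds a bundle such as ssl-unified.crt from scratch in the order given, covering the `>` versus `>>` question and the copy/paste workaround discussed above. The function names `build_bundle`, `count_marker` and `make_samples` are hypothetical, each input file is assumed to hold one PEM certificate, and the sample files are constructed stand-ins, not real certificates.

```shell
# Number of lines in file $1 that are exactly the marker $2.
count_marker() {
    awk -v m="$2" '$0 == m { n++ } END { print n + 0 }' "$1"
}

# build_bundle OUT CERT...  Each CERT is assumed to hold one PEM certificate.
build_bundle() {
    out=$1; shift
    tmp="$out.tmp.$$"
    : > "$tmp" || return 1
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "build_bundle: cannot read $f" >&2
            rm -f "$tmp"; return 1
        fi
        # Drop CRs left by Windows editors and anything outside the PEM block.
        # awk ends every line with \n, so the END marker of one file cannot
        # fuse with the BEGIN marker of the next, which plain cat allows.
        tr -d '\r' < "$f" | awk '
            $0 == "-----BEGIN CERTIFICATE-----" { inside = 1 }
            inside { print }
            $0 == "-----END CERTIFICATE-----"   { inside = 0 }
        ' >> "$tmp"
    done
    begins=$(count_marker "$tmp" "-----BEGIN CERTIFICATE-----")
    ends=$(count_marker "$tmp" "-----END CERTIFICATE-----")
    if [ "$begins" -ne "$#" ] || [ "$ends" -ne "$#" ]; then
        echo "build_bundle: expected $# certificates, found $begins" >&2
        rm -f "$tmp"; return 1
    fi
    # Replace OUT in one step, so a rerun never appends to an older bundle.
    mv "$tmp" "$out"
}

# Constructed stand-ins named after the thread's files (not real certificates).
make_samples() {
    b='-----BEGIN CERTIFICATE-----'; e='-----END CERTIFICATE-----'
    # Leaf saved without a final newline; first intermediate saved with CRLF.
    printf '%s\n%s\n%s' "$b" 'TEVBRg==' "$e" > "$1/mydomain_com.crt"
    printf '%s\r\n%s\r\n%s\r\n' "$b" 'SU5UMQ==' "$e" \
        > "$1/COMODORSADomainValidationSecureServerCA.crt"
    printf '%s\n%s\n%s\n' "$b" 'SU5UMg==' "$e" > "$1/COMODORSAAddTrustCA.crt"
}

# Usage with the thread's file names (leaf first, then the intermediates):
#   build_bundle ssl-unified.crt mydomain_com.crt \
#       COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt
```

The helper checks only the PEM framing and the number of blocks; it does not verify that each certificate was issued by the next one in the file.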
     
  12. pamamolf

    Great, I got it working :)

    But on spdycheck.org I have only one warning, as I am missing something :(

    Not Using Strict-Transport-Security

    How can I fix this?
     
  13. rdan

    Add this:
    add_header Strict-Transport-Security "max-age=31536000";

    Next to SPDY header.
    On your domain config.
     
  14. pamamolf

    I already have this in my config and restarted Nginx, but it seems not to be working:

    Code:
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    And one last problem :

    The:
    Code:
    https://www.mydomain.com
    is not redirecting to:

    Code:
    https://mydomain.com
    as I don't want to use the www :(
     
    Last edited: Oct 15, 2014
  15. eva2000

    eva2000 Administrator Staff Member

    54,068
    12,176
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,734
    Local Time:
    12:58 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Are you testing an HTML page? If so, you need to add add_header to /usr/local/nginx/conf/staticfiles.conf for the html context

    Use includeSubdomains if you have a wildcard SSL certificate, or leave it out as seen below for normal standard SSL certificates
    Code:
        location ~* \.(html|htm|txt)$ {
            #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
            add_header Strict-Transport-Security "max-age=31536000";
            #add_header Pragma public;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
            access_log off;
            expires 1d;
            break;
            }
    should work if you have the 301 redirect listed at Nginx HTTPS / SSL Google SPDY configuration

    Code:
    server {
      server_name domain.com www.domain.com;
      return 301 https://$server_name$request_uri;
    
    }
     
  16. pamamolf

    Yes, I am testing html :) So if I use php it will be fine?


    It is not redirecting :(

    The top of my mydomain.com.conf:
    Code:
    # redirect from non-www to www
    # uncomment, save file and restart Nginx to enable
    #server {
    #  listen  80;
    #  server_name mydomain.com;
    #  return 301 $scheme://www.mydomain.com$request_uri;
    #  }
    
    server {
      server_name mydomain.com www.mydomain.com;
      return 301 https://$server_name$request_uri;
    
    }
    
    # https SSL SPDY vhost
    server {
      listen 443 ssl spdy;
      server_name mydomain.com;
    
      ssl_certificate  /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domaincom/ihostexperts_com.key;
    
     
  17. eva2000

    ah should be if you only want non-www
    Code:
    server {
      server_name mydomain.com www.mydomain.com;
      return 301 https://mydomain.com$request_uri;
    
    }
     
  18. pamamolf

    Confused :(

    Yes, I don't want www but when I type the:

    Code:
    www.mydomain.com 
    using the above config it does not redirect to the non www .....
     
    Last edited: Oct 16, 2014
  19. eva2000

    it should as that's what i am using myself
     
  20. pamamolf

    Maybe something wrong in my domain records?

    [​IMG]

    This is what I tried:
    Code:
    www.mydomain.com  redirecting to --> https://www.mydomain.com/  and i am getting Unable to connect
    http://www.mydomain.com  redirecting to --> https://www.mydomain.com/  and i am getting Unable to connect  
    https://www.mydomain.com  --->Unable to connect