Tuesday, 15 January 2013

security - SSL Error: unable to get local issuer certificate -




I'm having a problem configuring SSL on a Debian 6.0 32-bit server. I'm relatively new to SSL, so please bear with me. I'm including as much info as I can. Note: the true domain name has been changed to protect the identity and integrity of the server.

Configuration

The server is running nginx. It is configured as follows:

    ssl_certificate      /usr/local/nginx/priv/mysite.ca.chained.crt;
    ssl_certificate_key  /usr/local/nginx/priv/mysite.ca.key;
    ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers          HIGH:!aNULL:!MD5;
    ssl_verify_depth     2;

I chained my certificate using the method described here

cat mysite.ca.crt bundle.crt > mysite.ca.chained.crt

where mysite.ca.crt is the certificate given to me by the signing authority, and bundle.crt is the CA certificate sent to me by the signing authority. The problem is that I did not purchase the SSL certificate straight from GlobalSign, but instead through my hosting provider, SingleHop.

Testing

The certificate validates on Safari and Chrome, but not on Firefox. Initial searching revealed that it may be a problem with the CA.

I explored the reply to a similar question, but was unable to find a solution, as I don't understand what purpose each certificate serves.

I used OpenSSL's s_client to test the connection, and received output which seems to indicate the same problem as the similar question. The error is as follows:

    depth=0 /OU=Domain Control Validated/CN=*.mysite.ca
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /OU=Domain Control Validated/CN=*.mysite.ca
    verify error:num=27:certificate not trusted
    verify return:1

The full detail of OpenSSL's response (with certificates and unnecessary info truncated) can be found here.

I see the warning:

    No client certificate CA names sent

Is it possible that this is the problem? How can I ensure that nginx sends these CA names?

Attempts to solve the problem

I attempted to solve the problem by downloading the root CA straight from GlobalSign, but received the same error. I updated the root CAs on my Debian server using the update-ca-certificates command, but nothing changed. This is because the CA sent by my provider was correct, so it led to the certificate being chained twice, which doesn't help.

    0 s:/OU=Domain Control Validated/CN=*.mysite.ca
      i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
    1 s:/O=AlphaSSL/CN=AlphaSSL CA - G2
      i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
    2 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
      i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

Next steps

Please let me know if there is anything I can try, or if I have the whole thing configured incorrectly.

jww is right — you're referencing the wrong intermediate certificate.

As you have been issued a SHA256 certificate, you will need the SHA256 intermediate. You can grab it here: http://secure2.alphassl.com/cacert/gsalphasha2g2r1.crt
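
To see where a served chain breaks, as with the wrong intermediate identified in the answer above, the following added example (not part of the original post) compares each certificate's issuer with the subject of the next certificate in `openssl s_client` output. The function names `check_chain` and `sample_chain` are made up for this example, and the sample input is constructed from the chain shown in the question.

```shell
#!/bin/sh
# Added example. Reads `openssl s_client` output on stdin and checks that each
# certificate's issuer (i:) equals the subject (s:) of the next one served.
# This compares names only; it does not verify signatures or trust.
check_chain() {
    awk '
        # " 0 s:<subject>" opens a chain entry: keep its index and subject.
        /^ *[0-9]+ s:/ {
            idx = $1; sub(/^ *[0-9]+ s:/, ""); subj[idx] = $0; n = idx + 1; next
        }
        # "   i:<issuer>" belongs to the entry just opened.
        /^ *i:/ { sub(/^ *i:/, ""); iss[idx] = $0; next }
        END {
            bad = 0
            for (k = 0; k + 1 < n; k++)
                if (iss[k] != subj[k + 1]) {
                    printf "MISMATCH at %d: issuer [%s], next cert [%s]\n", k, iss[k], subj[k + 1]
                    bad = 1
                }
            if (n > 0 && !bad) print "chain links OK"
            exit bad
        }'
}

# Constructed sample modelled on the chain in the question.
sample_chain() {
    cat <<'EOF'
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.mysite.ca
   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
 1 s:/O=AlphaSSL/CN=AlphaSSL CA - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
 2 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
EOF
}

# Usage against a live server (hostname is a placeholder):
#   openssl s_client -connect example.com:443 -servername example.com \
#       </dev/null 2>/dev/null | check_chain
```

On the sample, the mismatch is reported at index 0: the leaf names the SHA256 intermediate as its issuer, but the next certificate in the file is the non-SHA256 one.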
