Chinaunix首页 | 论坛 | 博客
  • 博客访问: 3050040
  • 博文数量: 535
  • 博客积分: 15788
  • 博客等级: 上将
  • 技术积分: 6507
  • 用 户 组: 普通用户
  • 注册时间: 2007-03-07 09:11
文章分类

全部博文(535)

文章存档

2016年(1)

2015年(1)

2014年(10)

2013年(26)

2012年(43)

2011年(86)

2010年(76)

2009年(136)

2008年(97)

2007年(59)

分类: 系统运维

2009-05-25 16:24:08

nginx做负载均衡,后端为apache,使用godaddy的证书,在IE和Chrome上都没有问题,在firefor上访问时:
sec_error_unknown_issuer

解决:
1.修改apache的http-ssl.conf
SSLCertificateChainFile "/EBS/apache/conf/gd_bundle.crt"
gd_bundle.crt为下载证书时一起下载下来的
2.修改nginx使用的
从goddy上下载中间key:

cat gd_intermediate_bundle.crt > mysite_combined.crt
使用这个文件做为nginx 的ssl_certificate


相关:




I recently worked with an install of Kerio Mail Server and I installed an SSL certificate issued by Godaddy.  The install went okay, following the  and Internet Explorer worked fine.  My problem was with Firefox.  I kept getting the error “sec_error_unknown issuer”.  Obviously this error means that Firefox was not recognizing the Godddy as a valid certificate issuer.  In short, you may come across this problem if  the is not  installed on your server as well as your SSL certificate you purchased.  The Intermediate Certificate is available for free download at GoDaddy.  It is a universal certificate and it is not custom made for each user.  So what happens is Firefox goes to your site for your SSL certificate, it sees that it does not recognize GoDaddy, so then it asks your server who GoDaddy is and at that point your server will provide the GoDaddy Intermediate Certificate.

In the case of installing it on Kerio Mail Server, you need to download the “Go Daddy Secure Server Certificate (Intermediate Certificate)” and on Linux Systems, place the certificate in opt/kerio/mailserver/sslcaIf you browse to that dirctory, you will see that Kerio Mail Server ships with the Verisign, RSA and Thawte Intermediate certificates, but not GoDaddy as well as Comodo or others.


3. Install SSL on Nginx

Godaddy email you the zip file contains 2 files: and gd_intermediate_bundle.crt. You need to combine both files into one file, with your domain ssl file on top. so unzip the zip file and combine them.
cat gd_intermediate_bundle.crt > mysite_combined.crt

If you don't combine them, browser will not be able to verify certificate authority (CA), and popup dialog or warning messages, which will certainly scare your site visitors away.

Now copy both combined crt and files to your ssl folder on the server, and edit your nginx.conf
server { listen 443; server_name ssl on; ssl_certificate /your/ssl/folder/mysite_combined.crt; ssl_certificate_key /your/ssl/folder/; ... }

then reload the processes to make the change take effect.
/etc/init.d/nginx reload

That's it.


阅读(6760) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~