关于firefox 访问https sec_error_unknown_issuer

nginx做负载均衡,后端为apache,使用godaddy的证书,在IE和Chrome上都没有问题,在firefor上访问时:
sec_error_unknown_issuer


解决:
1.修改apache的http-ssl.conf
SSLCertificateChainFile "/EBS/apache/conf/gd_bundle.crt"
gd_bundle.crt为下载证书时一起下载下来的
2.修改nginx使用的www.mysite.com.crt
从goddy上下载中间key:
https://certs.godaddy.com/repository/gd_cross_intermediate.crt
cat www.mysite.com.crt gd_intermediate_bundle.crt > mysite_combined.crt
使用这个文件做为nginx 的ssl_certificate  




相关:
http://www.vodasys.net/?p=34
http://nginx.groups.wuyasea.com/articles/how-to-setup-godaddy-ssl-certificate-on-nginx/2
https://certs.godaddy.com/Repository.go




I recently worked with an install of Kerio Mail Server and I installed an SSL certificate issued by Godaddy.  The install went okay, following the Kerio instructions and Internet Explorer worked fine.  My problem was with Firefox.  I kept getting the error “sec_error_unknown issuer”.  Obviously this error means that Firefox was not recognizing the Godddy as a valid certificate issuer.  In short, you may come across this problem if  theGoDaddy Intermediate Certificate is not  installed on your server as well as your SSL certificate you purchased.  The Intermediate Certificate is available for free download at GoDaddy.  It is a universal certificate and it is not custom made for each user.  So what happens is Firefox goes to your site for your SSL certificate, it sees that it does not recognize GoDaddy, so then it asks your server who GoDaddy is and at that point your server will provide the GoDaddy Intermediate Certificate.


In the case of installing it on Kerio Mail Server, you need to download the “Go Daddy Secure Server Certificate (Intermediate Certificate)” and on Linux Systems, place the certificate in opt/kerio/mailserver/sslca. If you browse to that dirctory, you will see that Kerio Mail Server ships with the Verisign, RSA and Thawte Intermediate certificates, but not GoDaddy as well as Comodo or others.






3. Install SSL on NginxGodaddy email you the zip file contains 2 files: www.mysite.com.crt and gd_intermediate_bundle.crt. You need to combine both files into one file, with your domain ssl file on top. so unzip the zip file and combine them.
cat www.mysite.com.crt gd_intermediate_bundle.crt > mysite_combined.crt




If you don't combine them, browser will not be able to verify certificate authority (CA), and popup dialog or warning messages, which will certainly scare your site visitors away.


Now copy both combined crt and www.mysite.com.key files to your ssl folder on the server, and edit your nginx.conf


server {
    listen          443;
    server_name     www.mysite.com;


    ssl on;
    ssl_certificate         /your/ssl/folder/mysite_combined.crt;
    ssl_certificate_key     /your/ssl/folder/www.mysite.com.key;
    ...
}




then reload the processes to make the change take effect.
/etc/init.d/nginx reload




That's it.

你可能感兴趣的:(nginx,server,File,ssl,download,firefox)