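nginx acts as the load balancer in front of an Apache backend, using a GoDaddy certificate. IE and Chrome have no problems, but Firefox reports the following when visiting the site:
sec_error_unknown_issuer
Solution:
1. Modify Apache's http-ssl.conf
SSLCertificateChainFile "/EBS/apache/conf/gd_bundle.crt"
gd_bundle.crt is the file that was downloaded together with the certificate
2. Modify the www.mysite.com.crt used by nginx
Download the intermediate certificate from GoDaddy:
https://certs.godaddy.com/repository/gd_cross_intermediate.crt
cat www.mysite.com.crt gd_intermediate_bundle.crt > mysite_combined.crt
Use this file as nginx's ssl_certificate
Related: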
http://www.vodasys.net/?p=34
http://nginx.groups.wuyasea.com/articles/how-to-setup-godaddy-ssl-certificate-on-nginx/2
https://certs.godaddy.com/Repository.go
I recently worked with an install of Kerio Mail Server and I installed an SSL certificate issued by GoDaddy. The install went okay, following the Kerio instructions, and Internet Explorer worked fine. My problem was with Firefox. I kept getting the error “sec_error_unknown_issuer”. Obviously this error means that Firefox was not recognizing GoDaddy as a valid certificate issuer. In short, you may come across this problem if the GoDaddy Intermediate Certificate is not installed on your server as well as the SSL certificate you purchased. The Intermediate Certificate is available for free download at GoDaddy. It is a universal certificate and it is not custom made for each user. So what happens is Firefox goes to your site for your SSL certificate, it sees that it does not recognize GoDaddy, so then it asks your server who GoDaddy is and at that point your server will provide the GoDaddy Intermediate Certificate.
In the case of installing it on Kerio Mail Server, you need to download the “Go Daddy Secure Server Certificate (Intermediate Certificate)” and on Linux systems, place the certificate in opt/kerio/mailserver/sslca. If you browse to that directory, you will see that Kerio Mail Server ships with the Verisign, RSA and Thawte Intermediate certificates, but not GoDaddy as well as Comodo or others.
3. Install SSL on Nginx
GoDaddy emails you a zip file that contains 2 files: www.mysite.com.crt and gd_intermediate_bundle.crt. You need to combine both files into one file, with your domain SSL file on top, so unzip the zip file and combine them.
cat www.mysite.com.crt gd_intermediate_bundle.crt > mysite_combined.crt
If you don't combine them, the browser will not be able to verify the certificate authority (CA) and will pop up dialogs or warning messages, which will certainly scare your site visitors away.
Now copy both the combined crt and the www.mysite.com.key files to your ssl folder on the server, and edit your nginx.conf:
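server {
    # TLS is enabled with the "ssl" parameter of listen; the separate "ssl on;"
    # directive is obsolete and was removed in nginx 1.25.1
    listen 443 ssl;
    server_name www.mysite.com;
    # site certificate first, followed by the intermediate bundle
    ssl_certificate /your/ssl/folder/mysite_combined.crt;
    ssl_certificate_key /your/ssl/folder/www.mysite.com.key;
    ...
}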
Then reload nginx to make the change take effect.
/etc/init.d/nginx reload
That's it.
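The effect of the missing intermediate and of the "site certificate on top" rule, as an added example that is not from the original post or the linked articles. It builds a constructed throwaway CA hierarchy with openssl (the Demo Root and Demo Intermediate names, the helper function names and wrong_order.crt are assumptions; gd_intermediate_bundle.crt is a stand-in, not GoDaddy's file) and checks what a client that trusts the root can validate.

```shell
#!/bin/sh
# Constructed throwaway hierarchy (Demo Root -> Demo Intermediate -> www.mysite.com).
# gd_intermediate_bundle.crt here is a stand-in, not GoDaddy's real intermediate.

# make_demo_pki DIR: create root, intermediate and site certificates in DIR.
make_demo_pki() {
    d=$1
    printf '[req]\nprompt=no\ndistinguished_name=dn\n[dn]\nCN=demo\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/demo.cnf"
    openssl req -x509 -config "$d/demo.cnf" -extensions ca -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null &&
    openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -set_serial 2 \
        -extfile "$d/demo.cnf" -extensions ca -days 2 \
        -out "$d/gd_intermediate_bundle.crt" 2>/dev/null &&
    openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes -subj "/CN=www.mysite.com" \
        -keyout "$d/www.mysite.com.key" -out "$d/site.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/site.csr" -CA "$d/gd_intermediate_bundle.crt" \
        -CAkey "$d/int.key" -set_serial 3 -days 2 -out "$d/www.mysite.com.crt" 2>/dev/null
}

# verify_as_client ROOT SENT: validate as a client that trusts ROOT and receives the
# file SENT from the server (first certificate = site, the rest = untrusted helpers).
verify_as_client() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# key_matches CHAIN KEY: the private key must belong to the FIRST certificate in the
# file, which is why the site certificate goes on top.
key_matches() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

report() { if "$@"; then echo "pass: $*"; else echo "fail: $*"; fi; }

tmp=$(mktemp -d) && make_demo_pki "$tmp" || exit 1
cat "$tmp/www.mysite.com.crt" "$tmp/gd_intermediate_bundle.crt" > "$tmp/mysite_combined.crt"
cat "$tmp/gd_intermediate_bundle.crt" "$tmp/www.mysite.com.crt" > "$tmp/wrong_order.crt"
report verify_as_client "$tmp/root.crt" "$tmp/www.mysite.com.crt"        # fail: issuer unknown
report verify_as_client "$tmp/root.crt" "$tmp/mysite_combined.crt"       # pass
report key_matches "$tmp/mysite_combined.crt" "$tmp/www.mysite.com.key"  # pass
report key_matches "$tmp/wrong_order.crt" "$tmp/www.mysite.com.key"      # fail
```

Against a live server, `openssl s_client -connect www.mysite.com:443 -showcerts` lists the certificates the server actually sends, which should be the site certificate followed by the intermediate.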
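This article describes how to fix the "sec_error_unknown_issuer" error that a GoDaddy SSL certificate produces in Firefox. The main steps are: 1. configure the SSL certificate chain file in Apache; 2. combine the site certificate and the intermediate certificate for nginx; 3. install the intermediate certificate correctly so that Firefox recognizes the certificate issuer.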