Firefox不信任StartSSL证书问题解决-Nginx

http://www.startssl.com/?app=42

首先要说明的是我拿到的是class2证书,ssl.crt和ssl.key 都是从官网生成的

1.将你的key解密

openssl rsa -in ssl.key -out /etc/nginx/conf/ssl.key

2.Fetch the Root CA and Class 1 Intermediate Server CA certificates:

红色部分是要替换的，官网上有说明，因为我的是class2

wget http://www.startssl.com/certs/ca.pem
wget http://www.startssl.com/certs/sub.class2.server.ca.pem

3. 我的在下面这一步会出错

cat ssl.crt sub.class1.server.ca.pem ca.pem > /etc/nginx/conf/ssl-unified.crt

/etc/init.d/nginx restart
Restarting nginx: nginx: [emerg] SSL_CTX_use_certificate_chain_file("/web/sslkey/x.x.x.x.com.crt") failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib)
nginx: configuration file /etc/nginx/nginx.conf test failed

试了好多次发现在ssl.crt 与sub.class1.server.ca.pem之间少了个换行符，加上就好了，不用cat命令也好，直接vim复制粘贴到ssl.crt的末尾即可

4.在nginx配置文件添加如下一段配置

server {
       listen       443;

       root /var/www/
       ssl on;
       ssl_certificate          /work/web/sslkey/x.x.x.x.crt;
       ssl_certificate_key      /work/web/sslkey/x.x.x.x.key;
       ssl_session_timeout 5m;


}

现在应该已经正常工作了