Mark Dain I've been playing around in OpenSSL all day and I finally got it to make a CA and a certificate. SSL labs seems happy aside from the untrusted root and "incomplete chain". Now I can sign certificates on the fly that all my devices will accept (including my phone)! Not sure how to solve the chain problem though.
Login or register your account to reply
🏒 Lucian Marin You simply have to do `cat yourdomain.crt ca.crt root.crt > ssl-bundle.crt` (in reverse order) then use ssl-bundle.crt as a chained certificate.
9y, 41w 1 reply
Mark Dain I tried that last night but nginx didn't like it and wouldn't start. Just tried it now and it seems to work!? I get an "A" (if trust issues are ignored). I didn't get this cert from a company, I created it in OpenSSL so I have no guidelines on how to do it properly. Ok, time to get an A+!
9y, 41w reply
Dave Walk One of our vendors had an incomplete chain problem this week and it caused our NodeJS client to their API (backed by OpenSSL) to throw an "UNTRUSTED" error so you should probably fix that. Unfortunately I dont remember how I've dealt with that in the past and handling SSL certs may be one of the most annoying things ever.
9y, 41w 1 reply
Mark Dain I would if I knew how, this is completely done by me ( gist.github.com/an... ). I'm starting to think it may be because an SSL cert (leaf node?) can't come directly from the CA so I'll try creating an intermediary and see if that works. Otherwise I'm getting fantastic scores on SSL test (0/100/100/90). This is for strictly internal stuff so if I can't fix it, it's not so bad as all my devices seem to be ok with the server. I'd like to get an A+ though!
9y, 41w reply