COMODO SSL Certificate Installation – I installed LEMP stack for one of my client on his CentOS 7 machine and configured SSL certificate obtained from COMODO for his domain. It was working fine in desktops and mobile devices. But my client came back with an issue and said that he sees an SSL warning error on one of his Android mobile. Here’s what my client said:
When the domain being accessed on some android devices, the SSL certificate wasn't trusted ! It was throwing a non safe warning site for the domain!
Yes my client was right – the certificate was working fine on most of the devices, but few did throw a warning message. So how to fix this?
Solution:
The most likely reason for the error is that the certificate authority that issued your SSL certificate is trusted on few devices, but not on all. But how, if a CA is trusted, it would be available in every device isn’t? Not necessarily! If the certificate was issued by COMODO certification authority, then check if authority is listed as a Trusted CA for Android in this list. If it doesn’t, then you need to setup trusted SSH chain.
To fix the issue, follow the below steps.
Step 1: You would have obtained a zip file from the COMODO CA authority. Unzip to find 3 files as listed below:
<domain_name>.p7b <domain_name>.ca-bundle <domain_name>.crt
Step 2:Concatenate the CA bundle and the certificate file (CRT file) which is extracted in the above step
#cat <domain_name>.crt <domain_name>.ca-bundle >><domain_name>-complete-bundle.crt
Step 3: Store the bundle in the appropriate ssl folder as below:
#cp <domain_name>-complete-bundle.crt /etc/pki/tls/certs/<domain_name>-complete-bundle.crt
Step 4: Store your private key in the appropriate SSL folder as below:
#cp <domain_name>.key /etc/pki/tls/private/<domain_name>.key
Step 5: Make sure you add the below nginx configuration pointing to the right certificate file and private key as stored in earlier steps
server {
listen 443 ssl;
server_name <domain_name>;
ssl_certificate /etc/pki/tls/certs/<domain_name>-complete-bundle.crt;
ssl_certificate_key /etc/pki/tls/private/<domain_name>.key;
ssl_prefer_server_ciphers on;
}Step 6: After making the above changes to your nginx configuration file, check for the syntax errors before attempting to restart the service as below:
#nginx -t
Step 7: Restart the nginx service
#systemctrl restart nginx
Now in every browser and domain, it should work properly.
Note: You can also analyse any issues with your SSL certificate at SSL-LABS.
step 4: .key /etc/pki/tls/private/.key Where does file .key come from? from .p7b?
You shall receive it from Commodo or Follow the procedure to download the certificate private key from commodo website.