Comodo SSL Certificate with nginx

Beyond Best Before Date...

This article is more than 8 years old. It will no longer be updated but remains available for people visiting this page from external links.

When you order an SSL certificate from Comodo or InstantSSL, you will receive an email with your certificate. Here's how to configure nginx to use that certificate for SSL and TLS.

Attached to this email you should find a .zip file containing:

Root CA certificate
Intermediate CA certificate
Intermediate CA certificate
Intermediate CA certificate
Your SSL certificate

To use these with nginx, concatenate all of the files into a single bundle in the correct order, starting with your own certificate and ending with the root CA certificate, as follows:

cat example_net.crt \
    EssentialSSLCA_2.crt \
    ComodoUTNSGCCA.crt \
    UTNAddTrustSGCCA.crt \
    AddTrustExternalCARoot.crt > example_net-bundle.crt

The directives to be used in the server section of the nginx.conf file are along these lines:

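# "listen 443 ssl;" replaces the older "listen 443;" plus "ssl on;" pair,
# which current nginx releases no longer accept.
listen 443 ssl;
# Bundle created above: your certificate first, root CA certificate last.
ssl_certificate /etc/nginx/ssl/cert/example_net-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/key/example_net.key;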

If the order of the certificates is incorrect, things might seem to work just fine in recent versions of Safari, Chrome and Firefox.

However, less sophisticated SSL implementations such as the one on Android up to and including 4.2.2 will abort with errors like the following:

org.springframework.web.client.ResourceAccessException: I/O error:
org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not
validate certificate signature.; nested exception is
org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not
validate certificate signature.