I've created 2 LetsEncrypt SSL certs -- an EC and an RSA.

Following

        Support for parallel ECDSA / RSA certificates
          https://trac.nginx.org/nginx/ticket/814

I config

    ssl_certificate           "/etc/letsencrypt/live/example.com/fullchain.ec.pem";
    ssl_certificate_key       "/etc/ssl/keys/privkey_ec.pem";
    ssl_certificate           "/etc/letsencrypt/live/example.com/fullchain.rsa.pem";
    ssl_certificate_key       "/etc/ssl/keys/privkey_rsa.pem";

Although the trusted cert's not mentioned in ticket/814, the 'chain.pem' is 
what's used in nginx

    ssl_trusted_certificate   "/etc/letsencrypt/live/example.com/chain.ec.pem";
    ssl_trusted_certificate   "/etc/letsencrypt/live/example.com/chain.rsa.pem";

But this config fails nginx config check

        nginx: [emerg] "ssl_trusted_certificate" directive is duplicate in /etc/nginx/sites-enabled/example.com.conf:50
        nginx: configuration file /etc/nginx/nginx.conf test failed

Commenting out one of the 2 ssl_trusted_cert stanzas

    ssl_trusted_certificate   "/etc/letsencrypt/live/example.com/chain.ec.pem";
#    ssl_trusted_certificate   "/etc/letsencrypt/live/example.com/chain.rsa.pem";

and rerunning the check, it passes.

In 'parallel' SSL mode, what's the correct usage for 'ssl_trusted_certificate'?

Do I use one (ec), the other (rsa), or do you have to concatenate BOTH into one 
crt?

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
