NGINX SSL Certificate Configuration

From TYO Lab Wiki

We can get an SSL certificate for a very reasonable price these days. It normally comes with three files:

  • yourdomain.crt,
  • yourdomain.key,
  • yourdomain.pem

The .crt file is your domain's certificate, which carries the public key; the .key file contains your domain's private key; and the .pem file normally has your CA's information (often the intermediate certificate).


The basic configuration for the SSL certificate in NGINX looks like the following:

        ssl                     on;   # obsolete since nginx 1.15.0, removed in 1.25.1; use "listen 443 ssl;" there
        ssl_certificate         /path/to/yourdomain.crt;
        ssl_certificate_key     /path/to/yourdomain.key;

Possible Errors

However, the configuration above may not be enough: you may encounter an error when you try to verify your server's certificate with OpenSSL, or when you connect to your server with Node.js. The error output looks like the following:


        throw er; // Unhandled 'error' event

        Error: unable to verify the first certificate
            at Error (native)
            at TLSSocket.<anonymous> (_tls_wrap.js:1065:38)
            at emitNone (events.js:80:13)
            at TLSSocket.emit (events.js:179:7)
            at TLSSocket._init.ssl.onclienthello.ssl.oncertcb.TLSSocket._finishInit (_tls_wrap.js:593:8)
            at TLSWrap.ssl.onclienthello.ssl.oncertcb.ssl.onnewsession.ssl.onhandshakedone (_tls_wrap.js:425:38)

        verify error:num=21:unable to verify the first certificate
        verify return:1

        cat yourdomain.pem >> yourdomain.crt


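        ssl                     on;
        ssl_certificate         /path/to/yourdomain.crt;   # domain certificate followed by the intermediate
        ssl_certificate_key     /path/to/yourdomain.key;
        ssl_verify_depth        2;                         # verification depth for client certificate chains
        ssl_client_certificate  /path/to/ca-bundle.crt;    # all CA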
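
The effect of the `cat` step can be checked offline before NGINX is reloaded. The script below is an added example, not part of the original wiki page: it builds a constructed throwaway root, intermediate and leaf with the page's file names and shows that `yourdomain.crt` verifies only once `yourdomain.pem` has been appended. The names `chain_ok`, `make_test_pki`, `root.crt` and the certificate subjects are assumptions.

```shell
#!/bin/sh
# Added example: every key and certificate here is constructed test data.

# chain_ok ROOT BUNDLE: succeeds if the first certificate in BUNDLE verifies
# against ROOT, using the remaining certificates in BUNDLE as intermediates.
chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# make_test_pki DIR: writes root.crt (assumed name), yourdomain.pem
# (intermediate), yourdomain.crt (leaf only) and yourdomain.key into DIR.
make_test_pki() (
    cd "$1" || exit 1
    printf '[req]\ndistinguished_name=dn\n[dn]\nCN=x\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > c.cnf
    newkey="openssl req -config c.cnf -newkey rsa:2048 -nodes"
    {
        $newkey -keyout root.key -subj "/CN=Constructed Root" \
            -x509 -extensions ca -days 1 -out root.crt &&
        $newkey -keyout int.key -subj "/CN=Constructed Intermediate" -out int.csr &&
        openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
            -extfile c.cnf -extensions ca -days 1 -out yourdomain.pem &&
        $newkey -keyout yourdomain.key -subj "/CN=yourdomain.example" -out leaf.csr &&
        openssl x509 -req -in leaf.csr -CA yourdomain.pem -CAkey int.key \
            -CAcreateserial -days 1 -out yourdomain.crt
    } >/dev/null 2>&1
)

demo() {
    d=$(mktemp -d) || return 1
    make_test_pki "$d" || { rm -rf "$d"; return 1; }
    # Leaf certificate alone: the issuer cannot be found, so this fails.
    chain_ok "$d/root.crt" "$d/yourdomain.crt" || echo "leaf only: chain does not verify"
    # The fix from the page: append the intermediate after the leaf.
    cat "$d/yourdomain.pem" >> "$d/yourdomain.crt"
    chain_ok "$d/root.crt" "$d/yourdomain.crt" && echo "leaf + intermediate: chain verifies"
    rm -rf "$d"
}
demo
```

For real files, pass your CA's root certificate as the first argument to `chain_ok` and the combined `yourdomain.crt` as the second.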