Configure HTTPS certificate logging

Configure HTTPS certificate records for the official website, the first time
Of course, it should be recorded. This is the new official website themis official website

Don't talk too much. Get to the point

1) detours

After checking the configured nginx root certificate and secret key, https can be accessed normally

├── CACertificate-INTERMEDIATE-1.cer
├── CACertificate-ROOT-2.cer
├── themis.key
└── ServerCertificate.cer

This is what the boss gave me. The boss reminded me to establish a certificate chain and pay attention to the unsafe situation that mobile device access certificate will prompt.

At that time, I was still confused.
See the following configuration

Check your firewall terminal to execute iptables -L – line numbers

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

As shown above, there is no interception. The main attention is port 443 interception

Configure nginx as follows

server {
    listen       443;
    server_name  localhost;
    ssl                  on;
    ssl_certificate      /etc/nginx/sslcer/CACertificate-ROOT-2.cer;
    ssl_certificate_key      /etc/nginx/sslcer/themis.key;
    ssl_session_timeout  5m;
    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers  HIGH:!ADH:!EXPORT56:RC4+RSA:+MEDIUM;
    ssl_prefer_server_ciphers   on;
    location / {
     root   /data/www/themiswww;
     index  index.html index.htm;

Terminal execution nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

The secret key and server certificate match correctly
Visit https normal

Then I found that the mobile device did prompt that the certificate was not trusted

The terminal executes openssl s_client -connect

I found a hint

verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=27:certificate not trusted
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
 0 s:/businessCategory=Private.../
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G3
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign

Final solution generate certificate chain
The terminal executes cat servercertificate.cer cacertificate-intermediate-1.cer cacertificate-root-2.cer > cacertificate-root-1.pem

Replace CACertificate-ROOT-2.cer in nginx configuration with CACertificate-ROOT-1.pem

Then execute openssl s_client -connect again

Certificate chain
 0 s:/CN=*
   i:/C=US/O=DigiCert Inc/ RSA CA 2018
 1 s:/C=US/O=DigiCert Inc/ RSA CA 2018
   i:/C=US/O=DigiCert Inc/ Global Root CA
 2 s:/C=US/O=DigiCert Inc/ Global Root CA
   i:/C=US/O=DigiCert Inc/ Global Root CA
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 512F18AE435BD0A126FE08BA6EC3A1D6343C4A2835B1C6F15B01C5E15B0BBFF0
    Master-Key: F86C0D5F7DF4DC436442CAE41CB6843769089AF5EC025525469ABD0461E612B63F530A55C35AA073EDE9C51BDF97A06D
    Key-Arg   : None
    Start Time: 1522068649
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)


Keywords: Nginx Session Mobile SSL

Added by turdferguson on Wed, 01 Apr 2020 17:01:47 +0300