Digital certificates
Anton, 2018-06-21 19:17:09

How to deal with certificates?

I have two sets of instructions in front of me:
https://dev.1c-bitrix.ru/learning/course/?COURSE_I...
https://www.acrit-studio.ru/pantry-programmer/bitr...

They talk about two files:
.key and domain_ru.crt

Question: what are the other files for? These:
domain_ru.ca-bundle and .csr

In Chrome everything works; in Mozilla it complains.
It is not clear: the key and csr files have numbers as their names, should they be renamed?
And it's not entirely clear whether some of the files need to be combined in a text editor.

Right now it is set up like this:
bx/conf/site1.bx_ssl.conf

# If they come here using HTTP, bounce them to the correct scheme
# Nginx internal code used for the plain HTTP requests 
# that are sent to HTTPS port to distinguish it from 4XX in a log and an error page redirection.
error_page 497 https://$host$request_uri;

# Increase keepalive connection lifetime
keepalive_timeout	70;
keepalive_requests	150;

# SSL encryption parameters
ssl			on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

#ssl_certificate		/etc/nginx/ssl/cert.pem;
ssl_certificate /etc/nginx/ssl/domain_ru.crt;
#ssl_certificate_key	/etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/6817054.key;
# performance
ssl_session_cache	shared:SSL:10m;
ssl_session_timeout	10m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

and
server {
    listen 443 ssl;
    server_name domain.ru www.domain.ru;
    # Enable SSL connection
    include	bx/conf/site1.bx_ssl.conf;
    server_name_in_redirect	off;

    proxy_set_header	X-Real-IP	$remote_addr;
    proxy_set_header	X-Forwarded-For	$proxy_add_x_forwarded_for;
    proxy_set_header	Host		$host:443;
    proxy_set_header	HTTPS 		YES;

    set $proxyserver	"http://127.0.0.1:8888";
    set $docroot		"/home/bitrix/www";

    index index.php;
    root /home/bitrix/www;

    # Include parameters common to all websites
    include bx/conf/bitrix.conf;

    # Include server monitoring API's
    include bx/server_monitor.conf;

}

1 answer(s)
Anton, 2018-06-21
@anton99zel

I'll answer my own question: you need to combine the complete chain of all certificates, in reverse order, into one file.
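
Building and checking the combined file the answer describes, as shell helpers (an added example, not part of the original post or the linked instructions). It assumes nginx's documented order for ssl_certificate, server certificate first and then the intermediates from domain_ru.ca-bundle; fullchain.crt and the function names are assumptions.

```shell
#!/bin/sh
# Added example. File names come from the question; fullchain.crt is assumed.

# build_chain LEAF BUNDLE OUT
# Writes the server certificate first, then the intermediates. awk re-emits
# every non-blank line with a newline, so a file lacking a final newline
# cannot fuse "-----END CERTIFICATE-----" with the next BEGIN marker.
build_chain() {
    for f in "$1" "$2"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 1; }
    done
    for f in "$1" "$2"; do
        tr -d '\r' < "$f" | awk 'NF'
    done > "$3"
}

# count_certs FILE: number of PEM certificate blocks in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# markers_ok FILE: each BEGIN/END marker is alone on its line and they pair up
markers_ok() {
    b=$(grep -c -x -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    e=$(grep -c -x -- '-----END CERTIFICATE-----' "$1" || true)
    any=$(grep -c -- '-----' "$1" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ] && [ "$any" -eq $((b + e)) ]
}

# key_matches_cert KEY CHAIN
# openssl x509 reads only the first certificate in CHAIN, so this also
# confirms the server certificate really is first (nginx refuses to start
# with a key mismatch otherwise). Returns 2 if either file cannot be parsed.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Typical sequence with the files from the question:
#   build_chain domain_ru.crt domain_ru.ca-bundle fullchain.crt
#   markers_ok fullchain.crt && key_matches_cert 6817054.key fullchain.crt
#   then point ssl_certificate at fullchain.crt and run: nginx -t
```

Browsers that cache or fetch missing intermediates can accept a leaf-only certificate while others reject it, so check how many certificates the served file contains with count_certs rather than relying on one browser.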
