+1 vote
ago by
Hello! How do I configure Nginx 1.8.0 with a WoSign certificate to get an A+? Debian 7. I set it up according to the instructions from Habr and this blog. When checking, I get a B at most. One of the recommendations is about the intermediate certificate. I tried specifying only it, with the same result. Thank you.

4 Answers

0 votes
ago by
 
Best answer
Like this?

Well, here's an example from my config.
A+, as you can see in the test.

add_header Strict-Transport-Security "max-age=31536000";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl on;
ssl_protocols TLSv1.2;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
ssl_session_cache shared:SSL:10m;
ssl_verify_client off;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp521r1;
ssl_dhparam /path/to/dh.key;
ssl_certificate /path/to/ssl.crt;
ssl_certificate_key /path/to/ssl.key;
ssl_trusted_certificate /path/to/ssl.bundle;
ssl_stapling on;
ssl_stapling_verify on;
ssl_stapling_responder http://ocsp2.wosign.cn/ca2g2/server1/free;
resolver 8.8.8.8;
ssl_session_tickets on;
ssl_session_ticket_key /path/to/ticket.key;
0 votes
ago by
I got two files for Nginx from WoSign:

1_domen.ru_bundle.crt
2_domen.EN.key

Do I understand correctly that they should be referenced here:
ssl_certificate /path/to/ssl.crt;
ssl_certificate_key /path/to/ssl.key;

And what should I specify here?
ssl_dhparam /path/to/dh.key;
ssl_trusted_certificate /path/to/ssl.bundle;

Sorry for the noob questions, I'm just learning. And I got confused.
ago by
> make the bundle from the two you received from WoSign with cat
That was the key point! A+, thank you very much! Is the trusted certificate always made by merging the two sent by the registrar? Or just in this case?
ago by
Generate dh:
openssl dhparam -out dh.key 4096
Make the bundle from the two you received from WoSign with cat.

Use my config, the check will give you an A+, and mark my answer as the solution :)
ago by
averuga: well, I managed to get an A, so I think the problem was not just that.

ssl_trusted_certificate
This is a path to a file where CA certificates are concatenated. For ssl_stapling_verify to work, this file must contain the Root CA cert and the Intermediate CA certificates.
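
A check for the stapling prerequisites discussed in this thread, as an added example that is not from any of the posters: it reads the stapling directives from an nginx config and counts the PEM blocks in the ssl_trusted_certificate file. The function names and the "at least two certificates" heuristic are assumptions of this example; the sample config reuses the placeholder paths from the answer above and the certificate body is a constructed dummy.

```python
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----")

# Constructed sample: stapling lines from the answer's config; the PEM body is a dummy.
SAMPLE_CONF = """
ssl_trusted_certificate /path/to/ssl.bundle;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
"""
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"

def parse_directives(conf_text):
    """Map simple one-line 'name args;' directives to their args (last one wins)."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r"(\w+)\s+(.*?)\s*;$", line.split("#", 1)[0].strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found

def count_pem_certs(pem_text):
    """Number of PEM certificate blocks in a bundle file's text."""
    return len(PEM_CERT.findall(pem_text))

def stapling_findings(conf_text, read_file):
    """Return problems that would stop OCSP stapling verification from working.
    read_file(path) returns the text of a file named in the config."""
    d = parse_directives(conf_text)
    if d.get("ssl_stapling") != "on":
        return ["ssl_stapling is not on"]
    findings = []
    if "resolver" not in d:
        findings.append("no resolver: the OCSP responder hostname cannot be resolved")
    if d.get("ssl_stapling_verify") == "on":
        bundle = d.get("ssl_trusted_certificate")
        if bundle is None:
            findings.append("ssl_stapling_verify is on but ssl_trusted_certificate is unset")
        elif count_pem_certs(read_file(bundle)) < 2:
            # Heuristic (assumption): root + intermediate means at least two blocks.
            findings.append(f"{bundle}: fewer than 2 certificates (root + intermediate expected)")
    return findings

if __name__ == "__main__":
    files = {"/path/to/ssl.bundle": FAKE_CERT}  # only one cert: should be flagged
    for problem in stapling_findings(SAMPLE_CONF, files.__getitem__):
        print(problem)
```

To run it against a real server, pass the text of the site's config and a `read_file` that opens the referenced path on disk.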
0 votes
ago by
But I got curious. Are these certificates reliable? Do browsers support them?
ago by
All modern browsers support them. Above I ran a test on their website; you can see the address in the test, so open it in all your browsers and check.
0 votes
ago by
...