For the first time I am trying to use an SSL certificate in a Django project.

I got the certificate here (i.e., in fact, from letsencrypt).

I generated the certificate without a CSR.

There are three files in the archive: ca_bundle.crt, certificate.crt, private.key.

Nginx gives 2 files: certificate.crt and private.key.

Everything works fine, with the exception of Android devices: when you log in from any Android browser, it gives an "error" as with a self-signed certificate.

Addendum

ssl-checker returns, among other things, this:

The certificate is not trusted in all web browsers. You may need to install an Intermediate / Certificate.

I understand that I need to use the openssl utility and do something with the file ca_bundle.crt, but I can't figure out what.

  • What if you just replace certificate.crt with ca_bundle.crt? - andreymal
  • With nginx -t it gives: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/var/www/site/private.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch) - Narnik Gamarnik
  • What exactly is not working? My guess is that the Android simply does not have the necessary root certificates. - Alexey Ten
  • Standard error, as if the certificate is self-signed. - Narnik Gamarnik
  • What kind of Android? letsencrypt.org/docs/certificate-compatibility - Alexey Ten

1 answer

Based on the file name and the information you provide, most likely the ca_bundle.crt file stores an intermediate (intermediate CA) certificate, with which your certificate (sent to you in the certificate.crt file) is signed.

From these two files you need to form one, consisting of your certificate (which must go first) and the intermediate. Then all HTTP clients will be able to check the validity of your certificate.

The name of this file can be arbitrary (the domain name and the suffix .crt are often used, only for convenience):

 $ (cat certificate.crt; echo; cat ca_bundle.crt) > ваш.домен.crt 

and in the nginx configuration you will need to specify this file as the certificate:

 ssl_certificate /путь/к/файлу/ваш.домен.crt; 

Nginx gives 2 files: certificate.crt and private.key.

You did something wrong. The HTTP server should not just give them away. Of course, there is nothing secret in the certificate files, but the file with the private key, private.key, must be kept "in secret".

P.S. Such a complex command, with brackets and echo, is needed for the situation where the first file does not contain a newline at the end.

  • I phrased it badly. By "giving", I meant the following: ssl_certificate /etc/ssl/certificate.crt; # <- ssl_certificate_key /etc/ssl/private.key; # <- - Narnik Gamarnik
  • Does the file have to be named the same as the domain name? What if the domain is Cyrillic? Should the file be named in punycode, or is that a recommendation rather than a mandatory condition? - Narnik Gamarnik
  • I wrote: the name is arbitrary. Call it even bla.bla,bla! The main thing is to specify this same name in the nginx configuration. - aleksandr barakin
  • Everything works fine. Thank you very much! The only caveat is that after concatenation nginx gives an error: failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line), because inside the file the end and the beginning are stuck together as -----END CERTIFICATE----------BEGIN CERTIFICATE-----, and -----END and -----BEGIN must be on different lines - Narnik Gamarnik
  • @NarnikGamarnik, I corrected the command to avoid this situation. - aleksandr barakin