The company had been using a free StartSSL certificate. I had heard that iOS does not trust these free, loosely validated certificates, so the company decided to buy a wildcard certificate. In practice it may not have mattered, but when you submit the app you have to explain the reason, and the chance of rejection is fairly high.
Before replacing the certificate I thought I would keep the original free certificate in place and test with the new domain name. The new domain name was supposed to use the new certificate, but the test build never passed.
I could not see why. Searching online pointed at the server using TLS 1.0 while iOS requires TLS 1.2, so I changed the Nginx configuration and recompiled Nginx against an upgraded OpenSSL:
```nginx
server {
    listen 443 ssl;
    include ex_ssl.conf;
    server_name www.ex.com;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ....
}
```
ex_ssl.conf:

```nginx
# "ssl on;" is redundant once the listen directive carries the ssl parameter
# (and it has been deprecated since nginx 1.15.0); it was harmless here.
ssl on;
ssl_certificate     /path/to/crt/ex.com.crt;
ssl_certificate_key /path/to/crt/ex.com.key;
```
And the problem was definitely not with the CRT and key files.
I tried a lot of methods, and only after running one command did I find where the strange behaviour was. Fortunately, this command saved my life:

```
openssl s_client -connect your.domain.com:443
```

It shows the certificate the server actually sends, along with the chain, the negotiated protocol and the cipher.
Looking at the output, I saw that although I had connected to the new domain name, Nginx was still answering from the old domain name's server block: the certificate that came back was the old one that Apple does not trust, and the session had negotiated TLSv1 with DHE-RSA-AES256-SHA even though I had configured TLSv1.2. Two things are worth checking before blaming the server for this. First, `openssl s_client -connect host:443` with no `-servername` sends no SNI on OpenSSL releases before 1.1.1, so Nginx answers with the default server for that IP and port (the first `listen 443` block, or the one marked `default_server`) rather than the block whose `server_name` matches; add `-servername new.domain.com` to see what a browser or iOS sees. Second, the negotiated protocol is the highest version both sides speak, and the OpenSSL 0.9.8 that shipped with macOS for years only speaks TLS 1.0, so `Protocol : TLSv1` can reflect the client rather than the server; check `openssl version`. If the old certificate still comes back with SNI, the new domain's server block is not being matched at all, so check its `server_name` and that it has its own `listen 443 ssl`.
Command results:

```
~ openssl s_client -connect new.domain.com:443
CONNECTED(00000003)
depth=2 /C=CN/O=WoSign CA Limited/CN=CA 沃通根证书
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=old.domain.com.cn
   i:/C=CN/O=WoSign CA Limited/CN=CA 沃通免费SSL证书 G2
 1 s:/C=CN/O=WoSign CA Limited/CN=CA 沃通免费SSL证书 G2
   i:/C=CN/O=WoSign CA Limited/CN=CA 沃通根证书
 2 s:/C=CN/O=WoSign CA Limited/CN=CA 沃通根证书
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[base64 certificate body not reproduced; it was mangled in the captured page]
-----END CERTIFICATE-----
subject=/CN=old.domain.com.cn
issuer=/C=CN/O=WoSign CA Limited/CN=CA 沃通免费SSL证书 G2
---
No client certificate CA names sent
---
SSL handshake has read [count lost] bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1                      <---------- look at this
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 692236b3dbeb590216bdfc115f4ff2b1aebfb282d0205e25fe8e85078c72c64f
    Session-ID-ctx:
    Master-Key: 0a72976bda8d92331c5873e49953c900c09af680ef206522623d1424cc31a93d18964d771659af9da411188ef0d95c98
    Key-Arg   : None
    Start Time: 1482845223
    Timeout   : - (sec)
    Verify return code: 0 (ok)
---
```
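The check below turns the manual reading of that output into a repeatable test. It is an added example written for this page, not code from the original post: it connects with SNI (`-servername`) so Nginx selects the server block whose `server_name` matches, then parses the `s_client` output for the leaf certificate's CN, the issuer, the negotiated protocol and the cipher, and fails if the CN does not cover the host you asked for or the protocol is older than TLSv1.2. The host names are placeholders, `check_served_cert` needs network access and an `openssl` binary, and the parsing functions can be fed a saved `s_client` transcript on stdin.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX sh with sed, head
# and printf; check_served_cert additionally assumes an openssl whose s_client
# accepts -servername (every release since 0.9.8f). Host names are placeholders.

# proto_rank NAME : numeric rank so protocol versions can be compared
proto_rank() {
    case "$1" in
        SSLv3)   echo 3 ;;
        TLSv1)   echo 10 ;;
        TLSv1.1) echo 11 ;;
        TLSv1.2) echo 12 ;;
        TLSv1.3) echo 13 ;;
        *)       echo 0 ;;
    esac
}

# cn_covers CN HOST : succeeds if CN equals HOST or is a one-label wildcard
# ("*.ex.com" covers "www.ex.com" but not "a.b.ex.com" or "ex.com").
# Real clients match the SAN list rather than the CN; for a cert that has a
# SAN list, pipe the PEM through "openssl x509 -noout -ext subjectAltName".
cn_covers() {
    cn=$1; host=$2
    case "$cn" in
        "$host") return 0 ;;
        \*.?*)   [ "${host#*.}" = "${cn#\*.}" ] && [ "${host#*.}" != "$host" ] ;;
        *)       return 1 ;;
    esac
}

# summarize_s_client HOST : read openssl s_client output on stdin, print the
# leaf CN, issuer, protocol and cipher, and fail if another server block's
# certificate came back or the handshake settled below TLSv1.2
summarize_s_client() {
    host=$1
    out=$(cat)
    # the patterns accept both "subject=/C=CN/CN=x" (OpenSSL < 1.1) and
    # "subject=C = CN, CN = x" (OpenSSL >= 1.1) layouts
    cn=$(printf '%s\n' "$out"     | sed -n 's|^subject=.*CN *= *\([^/,]*\).*|\1|p' | head -n 1)
    issuer=$(printf '%s\n' "$out" | sed -n 's|^issuer=.*CN *= *\([^/,]*\).*|\1|p'  | head -n 1)
    proto=$(printf '%s\n' "$out"  | sed -n 's|^ *Protocol *: *\([^ ]*\).*|\1|p'    | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's|^ *Cipher *: *\([^ ]*\).*|\1|p'      | head -n 1)
    printf 'leaf CN : %s\nissuer  : %s\nprotocol: %s\ncipher  : %s\n' \
        "$cn" "$issuer" "$proto" "$cipher"
    rc=0
    if ! cn_covers "$cn" "$host"; then
        echo "FAIL: certificate is for '$cn', not '$host': a different server block answered"
        rc=1
    fi
    if [ "$(proto_rank "$proto")" -lt 12 ]; then
        echo "FAIL: negotiated $proto; iOS App Transport Security needs TLSv1.2"
        rc=1
    fi
    return $rc
}

# check_served_cert HOST [PORT] : connect WITH SNI so nginx selects the block
# whose server_name matches, as a browser or iOS does. Without -servername an
# OpenSSL older than 1.1.1 sends no SNI and you only ever see the default server.
check_served_cert() {
    openssl s_client -servername "$1" -connect "$1:${2:-443}" </dev/null 2>/dev/null \
        | summarize_s_client "$1"
}

# usage: check_served_cert new.domain.com
```

Run it once with and once without `-servername` (edit `check_served_cert` or call `openssl s_client` by hand) on the same host; if only the SNI run returns the wildcard certificate, the server is fine and the earlier test was simply hitting the default server. If both return the old certificate, the new domain's server block is not being selected.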
OK, now that the cause is visible we can deal with the problem. Hope it gets solved!
Nginx SSL Replacement problem