У меня есть следующий сертификат (первый - мой собственный, два других - от Comodo PositiveSSL):
-----BEGIN CERTIFICATE-----
MIIFWTCCBEGgAwIBAgIPPZlYpZLvxHV+Rsy+qSD/MA0GCSqGSIb3DQEBCwUAMIGQ
MQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
VQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDE2MDQGA1UE
AxMtQ09NT0RPIFJTQSBEb21haW4gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENB
MB4XDTE1MDIwODAwMDAwMFoXDTIwMDIwNzIzNTk1OVowVjEhMB8GA1UECxMYRG9t
YWluIENvbnRyb2wgVmFsaWRhdGVkMRQwEgYDVQQLEwtQb3NpdGl2ZVNTTDEbMBkG
A1UEAxMSdGllbmRhZ2FuYWRlcmEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAv7cwKm7ssjSakyeRFrYi303RnGbnif3+mmfyGCWRCtmmbZpxTrFg
CVhFJwcuD0Gd4JkwPXk7GOuY93mhT+Zry1gDCSrAZpaSshV+Osg8bC4DJmil/ZBe
/HF2pH0j7XajyYYZjLUQgY8NAuCAW62ArgUL1oBQTZfH1EMM4HSYHoy4so437Glp
SwsCQnePokdyMnx/4Y9uPxkC7nZiJr1n6Ue7thXGTkayxsw9sdeBBsG/fk42U/nW
JAINeRRM+5BKGqyj5tOINDUMAC+4XAAibVnnvFuvhInQ4t6pmP34vigkhXkpgp/6
IoA31BXT7SP1FK/AI3CaymO/PbF3AsBbdQIDAQABo4IB5zCCAeMwHwYDVR0jBBgw
FoAUkK9qOpRaC9iQ6hJWc99DtDoo2ucwHQYDVR0OBBYEFIdRYyYSTjLGCYxfU/wO
0+j0SFMbMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQG
CCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCsw
KQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeB
DAECATBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9D
T01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGFBggr
BgEFBQcBAQR5MHcwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuY29tb2RvY2EuY29t
L0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQwJAYI
KwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTA1BgNVHREELjAsghJ0
aWVuZGFnYW5hZGVyYS5jb22CFnd3dy50aWVuZGFnYW5hZGVyYS5jb20wDQYJKoZI
hvcNAQELBQADggEBACFMKXGU1ECzff4ORsJMM9tCHYijcrxLNddP7acCFGwhkj3D
7Z3w2drDTYlVEIr84S+4w4QW61LvalwoFo2M0jjTabnsOM323VppPTyXvIUN0nZP
q/IVPtDTVOXgz7bbGDCXCkza2PXBRVvGgr+MhUmZ5OkHsnwU5BB9BXoX3rAS1ZSP
dhf1g3QYLekz14p53gtcBxbiqQVlLTyjJM/4qlDuRSQrysK665H42x7pch+i4VOn
b/5NE85soX/QToKP+cE+rF2DWb6jFjYvUcuh2hHKwRd4gg923S5XWsxsHHCHppcG
4ZZ/CmpDTpxxq61IA5aqYEKrlhKaWBkT6GV+tZ4=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
gYUxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMSswKQYD
VQQDEyJDT01PRE8gUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkq
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkehUktIKVrGsDSTdxc9EZ3SZKzejfSNw
AHG8U9/E+ioSj0t/EFa9n3Byt2F/yUsPF6c947AEYe7/EZfH9IY+Cvo+XPmT5jR6
2RRr55yzhaCCenavcZDX7P0N+pxs+t+wgvQUfvm+xKYvT3+Zf7X8Z0NyvQwA1onr
ayzT7Y+YHBSrfuXjbvzYqOSSJNpDa2K4Vf3qwbxstovzDo2a5JtsaZn4eEgwRdWt
4Q08RWD8MpZRJ7xnw8outmvqRsfHIKCxH2XeSAi6pE6p8oNGN4Tr6MyBSENnTnIq
m1y9TBsoilwie7SrmNnu4FGDwwlGTm0+mfqVF9p8M1dBPI1R7Qu2XK8sYxrfV8g/
vOldxJuvRZnio1oktLqpVj3Pb6r/SVi+8Kj/9Lit6Tf7urj0Czr56ENCHonYhMsT
8dm74YlguIwoVqwUHZwK53Hrzw7dPamWoUi9PPevtQ0iTMARgexWO/bTouJbt7IE
IlKVgJNp6I5MZfGRAy1wdALqi2cVKWlSArvX31BqVUa/oKMoYX9w0MOiqiwhqkfO
KJwGRXa/ghgntNWutMtQ5mv0TIZxMOmm3xaG4Nj/QN370EKIf6MzOi5cHkERgWPO
GHFrK+ymircxXDpqR+DDeVnWIBqv8mqYqnK8V0rSS527EPywTEHl7R09XiidnMy/
s1Hap0flhFMCAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTvA73g
JMtUGjAdBgNVHQ4EFgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQD
AgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1UdHwQ9
MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVy
bmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6
Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAGS/g/FfmoXQ
zbihKVcN6Fr30ek+8nYEbvFScLsePP9NDXRqzIGCJdPDoCpdTPW6i6FtxFQJdcfj
Jw5dhHk3QBN39bSsHNA7qxcS1u80GH4r6XnTq1dFDK8o+tDb5VCViLvfhVdpfZLY
Uspzgb8c8+a4bmYRBbMelC1/kZWSWfFMzqORcUx8Rww7Cxn2obFshj5cqsQugsv5
B5a6SE2Q8pTIqXOi6wZ7I53eovNNVZ96YUWYGGjHXkBrI/V5eu+MtWuLt29G9Hvx
PUsE2JOAWVrgQSQdso8VYFhH2+9uRv0V9dlfmrPb2LjkQLPNlzmuhbsdjrzch5vR
pu/xO28QOG8=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMjEy
MDAwMDAwWhcNMjkwMjExMjM1OTU5WjCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
Q09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZh
bGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAI7CAhnhoFmk6zg1jSz9AdDTScBkxwtiBUUWOqigwAwCfx3M28Sh
bXcDow+G+eMGnD4LgYqbSRutA776S9uMIO3Vzl5ljj4Nr0zCsLdFXlIvNN5IJGS0
Qa4Al/e+Z96e0HqnU4A7fK31llVvl0cKfIWLIpeNs4TgllfQcBhglo/uLQeTnaG6
ytHNe+nEKpooIZFNb5JPJaXyejXdJtxGpdCsWTWM/06RQ1A/WZMebFEh7lgUq/51
UHg+TLAchhP6a5i84DuUHoVS3AOTJBhuyydRReZw3iVDpA3hSqXttn7IzW3uLh0n
c13cRTCAquOyQQuvvUSH2rnlG51/ruWFgqUCAwEAAaOCAWUwggFhMB8GA1UdIwQY
MBaAFLuvfgI9+qbxPISOre44mOzZMjLUMB0GA1UdDgQWBBSQr2o6lFoL2JDqElZz
30O0Oija5zAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgG
BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv
bS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggrBgEFBQcB
AQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9E
T1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21v
ZG9jYS5jb20wDQYJKoZIhvcNAQEMBQADggIBAE4rdk+SHGI2ibp3wScF9BzWRJ2p
mj6q1WZmAT7qSeaiNbz69t2Vjpk1mA42GHWx3d1Qcnyu3HeIzg/3kCDKo2cuH1Z/
e+FE6kKVxF0NAVBGFfKBiVlsit2M8RKhjTpCipj4SzR7JzsItG8kO3KdY3RYPBps
P0/HEZrIqPW1N+8QRcZs2eBelSaz662jue5/DJpmNXMyYE7l3YphLG5SEXdoltMY
dVEVABt0iN3hxzgEQyjpFv3ZBdRdRydg1vs4O2xyopT4Qhrf7W8GjEXCBgCq5Ojc
2bXhc3js9iPc0d1sjhqPpepUfJa3w/5Vjo1JXvxku88+vZbrac2/4EjxYoIQ5QxG
V/Iz2tDIY+3GH5QFlkoakdH368+PUq4NCNk+qKBR6cGHdNXJ93SrLlP7u3r7l+L4
HyaPs9Kg4DdbKDsx5Q5XLVq4rXmsXiBmGqW5prU5wfWYQ//u+aen/e7KJD2AFsQX
j4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODcQgPmlKidrv0PJFGUzpII
0fxQ8ANAe4hZ7Q7drNJ3gjTcBpUC2JD5Leo31Rpg0Gcg19hCC0Wvgmje3WYkN5Ap
lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf
+AZxAeKCINT+b72x
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----
И следующая конфигурация nginx:
server {
listen 80 default_server;
server_name tiendaganadera.com www.tiendaganadera.com;
root /var/www/tiendaganadera.com;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
index index.php;
}
# redirect server error pages to the static page /40x.html
#
error_page 404 /404.html;
location = /40x.html {
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
rewrite ^/tienda/(.*)$ /$1 permanent;
if ($request_uri ~ /(Smarty-2.6.19|payment|admin|provider|partner)/) {
break;
}
if ($request_uri ~ \.(gif|jpe?g|png|js|css|swf|php|ico)$) {
break;
}
if (!-e $request_filename) {
rewrite ^(.*)$ /dispatcher.php last;
}
}
server {
listen 443 default ssl;
server_name tiendaganadera.com www.tiendaganadera.com;
root /var/www/tiendaganadera.com;
ssl on;
ssl_certificate /etc/nginx/ssl/tiendaganadera.com.crt;
ssl_certificate_key /etc/nginx/ssl/tiendaganadera.com.key;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
index index.php;
}
# redirect server error pages to the static page /40x.html
#
error_page 404 /404.html;
location = /40x.html {
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
rewrite ^/tienda/(.*)$ /$1 permanent;
if ($request_uri ~ /(Smarty-2.6.19|payment|admin|provider|partner)/) {
break;
}
if ($request_uri ~ \.(gif|jpe?g|png|js|css|swf|php|ico)$) {
break;
}
if (!-e $request_filename) {
rewrite ^(.*)$ /dispatcher.php last;
}
}
Но я запускаю openssl s_client -connect tiendaganadera.com:443 -servername tiendaganadera.com, и он выводит:
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = tiendaganadera.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = tiendaganadera.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = tiendaganadera.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=tiendaganadera.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFWTCCBEGgAwIBAgIPPZlYpZLvxHV+Rsy+qSD/MA0GCSqGSIb3DQEBCwUAMIGQ
MQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
VQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDE2MDQGA1UE
AxMtQ09NT0RPIFJTQSBEb21haW4gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENB
MB4XDTE1MDIwODAwMDAwMFoXDTIwMDIwNzIzNTk1OVowVjEhMB8GA1UECxMYRG9t
YWluIENvbnRyb2wgVmFsaWRhdGVkMRQwEgYDVQQLEwtQb3NpdGl2ZVNTTDEbMBkG
A1UEAxMSdGllbmRhZ2FuYWRlcmEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAv7cwKm7ssjSakyeRFrYi303RnGbnif3+mmfyGCWRCtmmbZpxTrFg
CVhFJwcuD0Gd4JkwPXk7GOuY93mhT+Zry1gDCSrAZpaSshV+Osg8bC4DJmil/ZBe
/HF2pH0j7XajyYYZjLUQgY8NAuCAW62ArgUL1oBQTZfH1EMM4HSYHoy4so437Glp
SwsCQnePokdyMnx/4Y9uPxkC7nZiJr1n6Ue7thXGTkayxsw9sdeBBsG/fk42U/nW
JAINeRRM+5BKGqyj5tOINDUMAC+4XAAibVnnvFuvhInQ4t6pmP34vigkhXkpgp/6
IoA31BXT7SP1FK/AI3CaymO/PbF3AsBbdQIDAQABo4IB5zCCAeMwHwYDVR0jBBgw
FoAUkK9qOpRaC9iQ6hJWc99DtDoo2ucwHQYDVR0OBBYEFIdRYyYSTjLGCYxfU/wO
0+j0SFMbMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQG
CCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCsw
KQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeB
DAECATBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9D
T01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGFBggr
BgEFBQcBAQR5MHcwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuY29tb2RvY2EuY29t
L0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQwJAYI
KwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTA1BgNVHREELjAsghJ0
aWVuZGFnYW5hZGVyYS5jb22CFnd3dy50aWVuZGFnYW5hZGVyYS5jb20wDQYJKoZI
hvcNAQELBQADggEBACFMKXGU1ECzff4ORsJMM9tCHYijcrxLNddP7acCFGwhkj3D
7Z3w2drDTYlVEIr84S+4w4QW61LvalwoFo2M0jjTabnsOM323VppPTyXvIUN0nZP
q/IVPtDTVOXgz7bbGDCXCkza2PXBRVvGgr+MhUmZ5OkHsnwU5BB9BXoX3rAS1ZSP
dhf1g3QYLekz14p53gtcBxbiqQVlLTyjJM/4qlDuRSQrysK665H42x7pch+i4VOn
b/5NE85soX/QToKP+cE+rF2DWb6jFjYvUcuh2hHKwRd4gg923S5XWsxsHHCHppcG
4ZZ/CmpDTpxxq61IA5aqYEKrlhKaWBkT6GV+tZ4=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=tiendaganadera.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2043 bytes and written 402 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 48003BE87D4EA04D8F60A4838BF7CC4B0FAA821A4ABF2347726E9D86BAAFEC8F
Session-ID-ctx:
Master-Key: CB66470AC61552D63B68EB78678A210CC1AFF4175B25E4FEFB6A9A416CA4FE0A191487F3EE432B4FB88FF3E171A46452
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 67 37 af 40 7d b4 06 5e-92 ed 10 a1 eb cf fd c8 g7.@}..^........
0010 - 4d a4 b7 1a 39 e0 04 e4-dc b5 c0 65 aa 60 0e f7 M...9......e.`..
0020 - 86 91 24 b3 d8 54 48 47-12 94 02 ae 0a 4f e7 d0 ..$..THG.....O..
0030 - 63 1a c6 56 59 b0 a2 74-73 57 9d b5 76 b8 04 39 c..VY..tsW..v..9
0040 - 88 fb 4f bb 6b a6 e2 c2-92 a3 36 22 d1 7c 51 8f ..O.k.....6".|Q.
0050 - 9a e6 ab 94 a5 a5 51 6d-0a 8c 6d 24 af 9b ac 9b ......Qm..m$....
0060 - 0e 57 d6 27 94 86 9f 09-b3 54 7a b5 00 30 19 6d .W.'.....Tz..0.m
0070 - 4c 25 67 45 f5 74 e7 24-c7 02 bc c0 8f 10 38 76 L%gE.t.$......8v
0080 - 20 98 7e e6 05 f8 1d da-68 aa b2 66 3d f9 2b 5b .~.....h..f=.+[
0090 - cf 6b 6f 7f d7 1e f2 77-7c b9 8b 32 0a 6d 8a 18 .ko....w|..2.m..
00a0 - 99 61 ce b1 a3 ce 97 aa-6b 4e 32 06 eb 14 67 9f .a......kN2...g.
Start Time: 1423599873
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
Таким образом, очевидно, что nginx отправляет только первую. Это почему?
В вашем списке есть следующие сертификаты (в указанном порядке):
#L Subject: ... CN=tiendaganadera.com
Issuer: ... CN=COMODO RSA Domain Validation Secure Server CA
#A Subject: ... CN=COMODO RSA Certification Authority
Issuer: ... CN=AddTrust External CA Root
#B Subject: ... CN=COMODO RSA Domain Validation Secure Server CA
Issuer: ... CN=COMODO RSA Certification Authority
#R Subject: ... CN=AddTrust External CA Root
Issuer: ... CN=AddTrust External CA Root
Очевидно, порядок не совпадает. Первый сертификат №L правильно является листовым сертификатом. Но следующий сертификат #A не подписывает #L, как вы можете видеть из того факта, что тема #A не соответствует издателю #L. Вместо этого #B подписывает #L и #A подписывает #B и #R подписывает #A. #R - это корневой сертификат, который вообще не следует включать.
Исправить: