Upgrading a CAcert.org Server Certificate (nginx)
Please don't ask me to consider anything else; I choose CAcert even though it isn't "trusted". But what use is trust that can be bought with $$$? CAcert are certainly trustworthy in my opinion. If you think so too you might want to import their root certificate from this page. I also wrote an article about https explaining (amongst other things) why I reject that other certificate provider that everybody seems to use nowadays.
I am using a CAcert certificate for HTTPS access to my website. I already created an account with them and verified my domain. My nginx server is SSL-enabled.
In fact I already have a CAcert certificate, but it ran out a long time ago.
I am assuming that upgrading the certificate is the same as installing a new one.
The CAcert wiki is labyrinthine, but I was able to make out this tutorial after a short time.
Create & change into a dedicated directory for doing the following things. Presumably something under /etc that isn't going to be used by other software.
Following the tutorial, I ran:
openssl req -newkey rsa:4096 -subj /CN=www.example.org -nodes -keyout example_key.pem -out example_csr.pem
changing only "www.example.org" to my domain.
And so on, following the tutorial step-by-step.
I did not move the files anywhere else when asked to do so, but I did move the certificate request example_csr.pem to a subdirectory. It gets confusing otherwise.
When downloading the attached CAcert_chain.pem I had to convert its line endings from Windows to Unix!!!
Every self-respecting Linux editor can do that. Try geany. Or some command line tool (dos2unix iirc?).
That said I haven't tried using it as it is.
The tutorial ends with Apache configuration. I had some difficulty with it because nginx does things differently.
For a complete explanation of how to configure an nginx https server, go here.
In the end I used only two files. Here's part of my nginx site configuration:
ssl_certificate /etc/something/example_cert.pem;
ssl_certificate_key /etc/something/example_key.pem;
There's an option to concatenate a certificate bundle with the certificate I received from CAcert. I assume the bundle is CAcert_chain.pem and corresponds to the last line of the Apache config example.
So I tried
cat example_cert.pem CAcert_chain.pem > example_cert.chained.pem
and pointed ssl_certificate to the resulting file in my nginx site config.
But it does not seem to make any difference; either way, my website's certificate is seen as untrusted until I click on the first link from the root certificate page and allow my browser to use it.
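The two file-handling steps above (converting the Windows line endings of CAcert_chain.pem and concatenating it after the server certificate), as an added example that is not part of the original post. The function names are hypothetical and the certificate bodies are constructed placeholders, not real certificates; the checks also catch a server certificate that lacks a final newline, which makes a plain cat fuse two PEM marker lines into one.

```shell
#!/bin/sh
# Added example: build the file for nginx's ssl_certificate from a server
# certificate plus a chain file that may carry CRLF line endings.

# Print a PEM file with carriage returns stripped and a final newline ensured.
normalize_pem() {
    tr -d '\r' < "$1" | awk '{ print }'
}

# Count lines of FILE that consist of exactly MARKER (prints 0 if none).
count_exact() {
    grep -c -x -- "$2" "$1" || true
}

# build_chain LEAF CHAIN OUT: server certificate first, chain after it.
build_chain() {
    leaf=$1 chain=$2 out=$3
    { normalize_pem "$leaf" && normalize_pem "$chain"; } > "$out" || return 1
    # Reject any carriage return that survived.
    if grep -q "$(printf '\r')" "$out"; then return 1; fi
    # Every BEGIN/END marker must sit alone on its own line.
    want=$(( $(grep -c -- '-----BEGIN CERTIFICATE-----' "$leaf" || true) \
           + $(grep -c -- '-----BEGIN CERTIFICATE-----' "$chain" || true) ))
    [ "$want" -gt 0 ] &&
    [ "$(count_exact "$out" '-----BEGIN CERTIFICATE-----')" -eq "$want" ] &&
    [ "$(count_exact "$out" '-----END CERTIFICATE-----')" -eq "$want" ]
}

# Constructed sample input: a leaf without trailing newline, a CRLF chain file.
make_sample_files() {
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' \
        'CONSTRUCTEDLEAFPLACEHOLDER' '-----END CERTIFICATE-----' \
        > "$1/example_cert.pem"
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' \
        'CONSTRUCTEDCHAINPLACEHOLDER' '-----END CERTIFICATE-----' \
        > "$1/CAcert_chain.pem"
}

# Demo run on the constructed files in a scratch directory.
demo_dir=$(mktemp -d) && make_sample_files "$demo_dir" &&
build_chain "$demo_dir/example_cert.pem" "$demo_dir/CAcert_chain.pem" \
    "$demo_dir/example_cert.chained.pem" &&
echo "bundle OK: $demo_dir/example_cert.chained.pem"
```

With real files, point ssl_certificate at the output and run nginx -t before reloading.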