sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking

Question

Hi All,

We are trying to configure the SSL for elastic bean stack environment with SSL termination at nginx, its a single instance environment with no LB. The url domain is elasticbeanstalk.com but we are using a digicert certificate,  https://aws12kk.eba-tazmh9pp.us-west-2.elasticbeanstalk.com/ but the certificate is digicert signed wild card certificate. when tried accessing via browser we are getting the below error.
*2 SSL_do_handshake() failed (SSL: error:0A000416:SSL routines::sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking
SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking

Tried enabling ssl_client_certificate /etc/nginx/ssl/client-ca.crt and ssl_verify_client option ; or ssl_client_certificate /etc/nginx/ssl/client-ca.crt;
ssl_verify_client off; returns the same exception.

Any suggestion?

Didier Durand · Answer

Hi,

Nginx has a specific way of implementing / using SSL certificates, which may lead to error like yours.

I'd recommend to read https://marcosantonocito.medium.com/steps-to-install-a-go-daddy-ssl-certificate-on-nginx-on-ubuntu-14-04-ff942b9fd7ff to understand the potential issues.

(You'll have to fix the TLS version in sample code to mach your version)

Best,

Didier

Gary Mclean · Answer

The error message "SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46" can occur for a number of reasons, including:

* The server doesn't trust the certificate used on the Virtual Directory Server 
* The machine name in the certificate doesn't match the machine name used by the client 
* The certificate is expired, invalid, or not trusted by one or more systems

sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking

Add your answer

Relevant content