Nginx SSL certificate error message “key values mismatch”

Posted by & filed under Server Admin.

When setting up an SSL certificate and chain file for Nginx, you need to combine them into one file. If you combine them in the wrong order you’ll get a message similar to the following.


SSL_CTX_use_PrivateKey_file(" ... /www.nginx.com.key") failed
(SSL: error:0B080074:x509 certificate routines:
X509_check_private_key:key values mismatch)

This means you either didn’t combine them or you combined them in the wrong order. Your site’s certificate goes first, followed by the chain file, like this.


cat www.example.com.crt www.certificatechain.com.ca > www.example.com.combined.crt

Now you’ll be happy as a lark.

Understanding the Nginx map directive

When switching to Nginx I needed to have a variable that signified if the site was in HTTP or HTTPS mode. So I found this little bit of code.

map $scheme $fastcgi_https { ## Detect when HTTPS is used
    default off;
    https on;
}

This works great, but I really didn’t understand it until now so let’s take it line by line.

Line 1


map $scheme $fastcgi_https { ## Detect when HTTPS is used

This is where all the glory happens. $scheme is an internal variable within Nginx and is either “http” or “https” (maybe some other ones in the future like SPDY). Then you have $fastcgi_https, which is the name of the variable we’re creating for future use in our config files. After that there is nothing but a comment.

Line 2 and 3


default off;
https on;

This is our map of values. When Nginx’s $scheme variable is equal to “https”, the $fastcgi_https variable will equal “on”; otherwise the variable just equals “off”.

Not too complex, but I just didn’t pick up on the format until now. Read more at
http://wiki.nginx.org/HttpMapModule

The SetEnv equivalent in Nginx for setting environmental variables.

If you need to pass some environment variables to your application from Nginx, you’ll need to specify them in the config file like so.


fastcgi_param APPLICATION_ENV staging;

For example, here is a fuller config for a Zend Framework application.


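server {
    listen 443 default ssl;
    listen 80 default;
    # combined file: the site certificate first, then the chain
    ssl_certificate /etc/pki/tls/certs/cert.crt;
    ssl_certificate_key /etc/pki/tls/private/cert.key;

    keepalive_timeout 70;

    root /var/www/mysite/public;
    access_log /var/log/nginx/mysite.access.log main;
    index index.php;

    # anything that is not a real file or directory goes to the front controller
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # set a nice expire for assets
    location ~* "^.+\.(jpe?g|gif|css|png|js|ico|pdf|zip|tar|t?gz|mp3|wav|swf)$" {
        expires max;
        add_header Cache-Control public;
    }

    # hand PHP requests to the FastCGI backend
    # note: this pattern is unanchored, so it matches any URI containing ".php";
    # use \.php$ if the application does not rely on PATH_INFO
    location ~* \.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_read_timeout 600;
        fastcgi_pass 127.0.0.1:9000;
        # passed to the application as an environment variable
        fastcgi_param APPLICATION_ENV staging;
    }

}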

There you have it. Go and do likewise.