From 21045d8cf00d90e982b846d8c7b67b656e74d8f9 Mon Sep 17 00:00:00 2001 From: Greg Price Date: Mon, 16 Apr 2018 11:29:19 -0700 Subject: [PATCH] prod docs: Call out more the need for a chained cert bundle. This is kind of easy to gloss over, especially with the framing as a "format"; surely if things work at all, the file format must have been right, right? It's really a bit more substantive than that; say so and also add a bit more description. --- docs/production/ssl-certificates.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/production/ssl-certificates.md b/docs/production/ssl-certificates.md index 0508f1c796..eb0d1e2ba2 100644 --- a/docs/production/ssl-certificates.md +++ b/docs/production/ssl-certificates.md @@ -13,10 +13,14 @@ If you already have an SSL certificate, just install (or symlink) its files into place at the following paths: * `/etc/ssl/private/zulip.key` for the private key * `/etc/ssl/certs/zulip.combined-chain.crt` for the certificate. - Because Zulip uses nginx as its web server, this should be in the - format of a [chained certificate bundle][nginx-https]. -[nginx-https]: http://nginx.org/en/docs/http/configuring_https_servers.html +Your certificate file should contain not only your own certificate but +its full chain, including any intermediate certificates used by your +CA. See the [nginx documentation][nginx-chains] for details on what +this means and how to do it and test it. If you're missing part of +the chain, your server may work with some browsers but not others. + +[nginx-chains]: http://nginx.org/en/docs/http/configuring_https_servers.html#chains ## Certbot (recommended)
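Review bot: The added paragraph beginning `+Your certificate file should contain not only your own certificate but` tells the admin to include the full chain but never says in what order the certificates go in `zulip.combined-chain.crt`. A reader who already glossed over the old "format" wording can still concatenate the files the wrong way round. Consider adding one sentence stating that your own certificate comes first, followed by the intermediates, which is the order the linked nginx section describes. The closing sentence, "your server may work with some browsers but not others", could also name a concrete way to confirm the chain is complete instead of leaving the test entirely to the external link. Minor: the new `[nginx-chains]` reference still uses an `http://` URL; since the hunk replaces that line anyway, it could be switched to `https://`.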