<div dir="ltr">Great! But normally you wouldn't need to include the Root in your chain, that will just bloat up the TLS handshake for no good reason.</div><br><div class="gmail_quote"><div dir="ltr">On Fri, Dec 30, 2016 at 4:05 PM Frank Muller <<a href="mailto:frank.muller.erl@gmail.com">frank.muller.erl@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">Hi again Ali</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"></span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">It worked ;-)</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"></span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">Here’s what I’ve done:</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"></span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">1. 
Concatenate them by reversing the lexicographical order:</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">$ cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > cacert.pem</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"></span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">2. cp STAR_company_com.crt cert.pem</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"></span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">3. 
cp company.key key.pem</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"></span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">Then, cowboy was happy with these settings:</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">[ {cacertfile, "cacert.pem"},</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"> {certfile, "cert.pem"},</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"> {keyfile, "key.pem"} ]</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"></span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">And now, « curl » isn’t complaining anymore ;-)</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"></span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">Thank you. 
You made my day.</span></div><div class="gmail_msg"><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">/Frank</span></div><div class="gmail_msg"><font face="UICTFontTextStyleBody" class="gmail_msg"><span style="font-size:17px" class="gmail_msg"><br class="gmail_msg"></span></font><div class="gmail_quote gmail_msg"><div class="gmail_msg">On Fri, Dec 30, 2016 at 15:58, Ali Sabil <<a href="mailto:ali.sabil@gmail.com" class="gmail_msg" target="_blank">ali.sabil@gmail.com</a>> wrote:<br class="gmail_msg"></div><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_msg"><div class="gmail_quote gmail_msg"><div class="gmail_msg">On Fri, Dec 30, 2016 at 3:46 PM Frank Muller <<a href="mailto:frank.muller.erl@gmail.com" class="gmail_msg" target="_blank">frank.muller.erl@gmail.com</a>> wrote:<br class="gmail_msg"></div><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">Hi Ali,</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"></span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">This is what’s included in the Zip:</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"></span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">AddTrustExternalCARoot.crt</span><br 
style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">COMODORSAAddTrustCA.crt</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">COMODORSADomainValidationSecureServerCA.crt</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">STAR_company_com.crt</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">company.key</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"></span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">> 1. 
your certificate (foo_com.crt)</span></div><div class="gmail_msg"><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">So STAR_company_com.crt is my certificate.</span></div><div class="gmail_msg"><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"></div></blockquote><div class="gmail_msg"><br class="gmail_msg"></div></div></div><div class="gmail_msg"><div class="gmail_quote gmail_msg"><div class="gmail_msg">Yes, exactly </div></div></div><div class="gmail_msg"><div class="gmail_quote gmail_msg"><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg"> </div><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">> 2. a set of intermediary certificates (intermediate1.crt, intermediate2.crt)</span></div><div class="gmail_msg"></div><div class="gmail_msg"><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">How do I know which one is the latest ... 
to build the intermediary certificate chain in this case?</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">They're not numbered.</span></div><div class="gmail_msg"><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"></div></blockquote><div class="gmail_msg"><br class="gmail_msg"></div></div></div><div class="gmail_msg"><div class="gmail_quote gmail_msg"><div class="gmail_msg">For Comodo, `<font face="monospace" class="gmail_msg">AddTrustExternalCARoot.crt</font>` is the root certificate, followed by `<font face="monospace" class="gmail_msg">COMODORSAAddTrustCA.crt</font>` and then `<font face="monospace" class="gmail_msg">COMODORSADomainValidationSecureServerCA.crt</font>`</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">so your chain will be:</div><div class="gmail_msg"><font face="monospace" class="gmail_msg"> cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > chain.crt</font></div></div></div><div class="gmail_msg"><div class="gmail_quote gmail_msg"><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg"> <br class="gmail_msg"></div><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"></span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">> 3. 
the root certificate (root.crt)</span></div><div class="gmail_msg"></div><div class="gmail_msg"><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">What is this one useful for?</span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"></span><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"></div></blockquote><div class="gmail_msg"><br class="gmail_msg"></div></div></div><div class="gmail_msg"><div class="gmail_quote gmail_msg"><div class="gmail_msg">The root certificate (<span style="font-family:monospace" class="gmail_msg">AddTrustExternalCARoot.crt</span> in your case) is useful for things like OCSP stapling as far as I know, which I don't think is implemented in Erlang SSL.</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">If I am not mistaken, the Erlang SSL configuration is very similar to Apache.</div></div></div><div class="gmail_msg"><div class="gmail_quote gmail_msg"><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg"> </div><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">Thank you.</span></div><div class="gmail_msg"><br style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg"><span style="font-family:UICTFontTextStyleBody;font-size:17px" class="gmail_msg">/Frank</span></div><div class="gmail_msg"><font face="UICTFontTextStyleBody" class="gmail_msg"><span style="font-size:17px" class="gmail_msg"><br class="gmail_msg"></span></font><div class="gmail_quote gmail_msg"><div class="gmail_msg">On Fri, Dec 30, 
2016 at 13:03, Ali Sabil <<a href="mailto:ali.sabil@gmail.com" class="gmail_msg" target="_blank">ali.sabil@gmail.com</a>> wrote:<br class="gmail_msg"></div><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_msg">Hi Frank,<div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">I don't remember the exact details, but you should have received a zip file with a set of certificates. This zip file should contain</div><div class="gmail_msg">1. your certificate (foo_com.crt)</div><div class="gmail_msg">2. a set of intermediary certificates (intermediate1.crt, intermediate2.crt)</div><div class="gmail_msg">3. the root certificate (root.crt)</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">You will need to concatenate all the intermediaries starting from the last one into what's called an intermediary certificate chain:</div><div class="gmail_msg"> <font face="monospace" class="gmail_msg">cat intermediate2.crt intermediate1.crt > chain.crt</font></div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">The configuration of cowboy is then done using the `<font face="monospace" class="gmail_msg">certfile</font>` and `<font face="monospace" class="gmail_msg">cacertfile</font>` options, for example:</div><div class="gmail_msg"><font face="monospace" class="gmail_msg"> [</font></div><div class="gmail_msg"><font face="monospace" class="gmail_msg"> {certfile, "foo_com.crt"},</font></div><div class="gmail_msg"><font face="monospace" class="gmail_msg"> {cacertfile, "chain.crt"}</font></div><div class="gmail_msg"><span style="font-family:monospace" class="gmail_msg"> ]</span></div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">These options are specified in the documentation of the Erlang SSL app (<a href="http://erlang.org/doc/man/ssl.html" class="gmail_msg" 
target="_blank">http://erlang.org/doc/man/ssl.html</a>)</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">Hope this helps,<br class="gmail_msg"></div><div class="gmail_msg">Ali</div><div class="gmail_msg"><br class="gmail_msg"></div></div><br class="gmail_msg"><div class="gmail_quote gmail_msg"></div><div class="gmail_quote gmail_msg"><div class="gmail_msg">On Fri, Dec 30, 2016 at 11:24 AM Frank Muller <<a href="mailto:frank.muller.erl@gmail.com" class="gmail_msg" target="_blank">frank.muller.erl@gmail.com</a>> wrote:<br class="gmail_msg"></div></div><div class="gmail_quote gmail_msg"><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi guys,<div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">I would like to configure my "<span style="font-family:Helvetica;font-size:12pt" class="gmail_msg">Comodo PositiveSSL" certificates with Cowboy. </span></div><div class="gmail_msg"><font face="Helvetica" class="gmail_msg"><br class="gmail_msg"></font></div><div class="gmail_msg"><font face="Helvetica" class="gmail_msg">So far the self-signed OpenSSL certificates I've generated worked as expected. But I've no idea how to configure the "</font><span style="font-family:Helvetica;font-size:12pt" class="gmail_msg">Comodo" ones. 
</span><font face="Helvetica" class="gmail_msg"><div class="gmail_msg"><p class="m_-5076392219958611222m_3909596601551947596m_6368755998612314586m_3691111631730224356m_1091408658512042674p1 gmail_msg"><span class="m_-5076392219958611222m_3909596601551947596m_6368755998612314586m_3691111631730224356m_1091408658512042674s1 gmail_msg"><br class="gmail_msg"></span></p><p class="m_-5076392219958611222m_3909596601551947596m_6368755998612314586m_3691111631730224356m_1091408658512042674p1 gmail_msg"><span class="m_-5076392219958611222m_3909596601551947596m_6368755998612314586m_3691111631730224356m_1091408658512042674s1 gmail_msg">Can someone point me to a tutorial please? Or help on the setup?</span></p><br class="gmail_msg"><br class="gmail_msg"><br class="gmail_msg"></div></font><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">Thanks in advance.</div><div class="gmail_msg"><br class="gmail_msg"></div><font face="Helvetica" class="gmail_msg">N.B: Comodo provides explanations for Nginx</font>, Apache, etc. 
But not Cowboy unfortunately :-(</div><div class="gmail_msg"><br class="gmail_msg"><div class="gmail_msg">Happy new year !!!</div><div class="gmail_msg">/Frank</div></div></blockquote></div><div class="gmail_quote gmail_msg"><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br class="gmail_msg"><br class="gmail_msg">_______________________________________________<br class="gmail_msg"><br class="gmail_msg"><br class="gmail_msg">erlang-questions mailing list<br class="gmail_msg"><br class="gmail_msg"><br class="gmail_msg"><a href="mailto:erlang-questions@erlang.org" class="gmail_msg" target="_blank">erlang-questions@erlang.org</a><br class="gmail_msg"><br class="gmail_msg"><br class="gmail_msg"><a href="http://erlang.org/mailman/listinfo/erlang-questions" rel="noreferrer" class="gmail_msg" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br class="gmail_msg"><br class="gmail_msg"><br class="gmail_msg"></blockquote></div><br class="gmail_msg"><br class="gmail_msg"></blockquote></div></div><br class="gmail_msg"><br class="gmail_msg"></blockquote></div></div></blockquote></div></div>
</blockquote></div>
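<div dir="ltr">The ordering question raised in this thread (which intermediate comes first when the files are not numbered, and whether the root belongs in the file) can be answered from the certificates themselves. The script below is an added example, not part of the original messages and not code from Cowboy or Erlang/OTP: it walks issuer and subject name hashes with the openssl command-line tool. The function names order_chain and verify_chain are chosen here, and file names are assumed to contain no whitespace.</div>

```shell
#!/bin/sh
# Added example: order CA certificates by issuer/subject and leave out the root.
# Typical use with the files from the thread (run in the unzipped directory):
#   cat $(order_chain STAR_company_com.crt AddTrustExternalCARoot.crt \
#         COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt) > cacert.pem

# order_chain LEAF CA_CERT...
# Prints, one per line, the CA files in the order they should be concatenated:
# the issuer of LEAF first, then that certificate's issuer, and so on.
# The self-signed root is left out. Matching is by name hash only;
# signatures are checked separately by verify_chain.
order_chain() {
    leaf=$1; shift
    want=$(openssl x509 -in "$leaf" -noout -issuer_hash) || return 1
    left=$#                          # bound the walk so cross-signed sets cannot loop
    while [ "$left" -gt 0 ]; do
        left=$((left - 1))
        found=""
        for f in "$@"; do
            subj=$(openssl x509 -in "$f" -noout -subject_hash) || return 1
            if [ "$subj" = "$want" ]; then found=$f; break; fi
        done
        if [ -z "$found" ]; then break; fi       # issuer is not among the candidates
        iss=$(openssl x509 -in "$found" -noout -issuer_hash) || return 1
        if [ "$iss" = "$want" ]; then break; fi  # issuer == subject: the root, not sent
        printf '%s\n' "$found"
        want=$iss
    done
}

# verify_chain ROOT CHAIN_FILE LEAF
# Succeeds only if LEAF validates up to ROOT using the intermediates in CHAIN_FILE.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}
```

<div dir="ltr">Running verify_chain against the generated file before pointing cacertfile at it catches a missing or misordered intermediate on the server side, before a client reports it.</div>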