Super User Asked by Jimmy Chu on December 11, 2020
I want to config my Nginx to use mutual SSL to verify clients connecting to my server. So I have the following setup in my nginx conf:
access_log /var/www/logs/app.nginx-access.log;
error_log /var/www/logs/app.nginx-error.log info;
# SSL config
ssl on;
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/letsencrypt/live/domain-name.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/domain-name.com/privkey.pem; # managed by Certbot
#setting for mutual ssl with client
ssl_client_certificate /etc/nginx/ssl/clients.crt;
ssl_verify_client on;
ssl_verify_depth 10;
I then appended a test client certificate (.crt file) in the clients.crt
and restarted the nginx server to test. When I connected with curl
cmd using my full-chained pem (with two intermediate CA hosts inside), the nginx error log recorded:
2020/10/28 09:32:51 [info] 15940#15940: *7 client SSL certificate verify error: (2:unable to get issuer certificate) while reading client request headers, client: 172.104.96.232, server: ...
I searched a bit and realised the openssl could not verify the chained-cert file all the way back to its root CA. I am using ubunbu v16 and see a bunch of root CAs are already specified in /etc/ssl/certs
folder.
My question is how could I specify Nginx/openssl to look into this directory and find an appropriate root CA to verify?
Thank you!
If you read the docs for ssl_client_certificate
you will see that it says:
Specifies a file with trusted CA certificates in the PEM format used to verify client certificates
You therefore add the Root CA certificate to this file and configure your client to send the end-entity (client) certificate along with any intermediate CA certificates.
Correct answer by garethTheRed on December 11, 2020
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP