How to config the keystore of Nginx mutual SSL?

Super User Asked by Jimmy Chu on December 11, 2020

I want to config my Nginx to use mutual SSL to verify clients connecting to my server. So I have the following setup in my nginx conf:

access_log   /var/www/logs/app.nginx-access.log;
error_log    /var/www/logs/app.nginx-error.log info;

# SSL config
ssl                  on;
ssl_session_cache    shared:SSL:5m;
ssl_session_timeout  10m;
ssl_ciphers  HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers  on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot

#setting for mutual ssl with client
ssl_client_certificate /etc/nginx/ssl/clients.crt;
ssl_verify_client on;
ssl_verify_depth 10;

I then appended a test client certificate (.crt file) in the clients.crt and restarted the nginx server to test. When I connected with curl cmd using my full-chained pem (with two intermediate CA hosts inside), the nginx error log recorded:

2020/10/28 09:32:51 [info] 15940#15940: *7 client SSL certificate verify error: (2:unable to get issuer certificate) while reading client request headers, client:, server: ...

I searched a bit and realised the openssl could not verify the chained-cert file all the way back to its root CA. I am using ubunbu v16 and see a bunch of root CAs are already specified in /etc/ssl/certs folder.

My question is how could I specify Nginx/openssl to look into this directory and find an appropriate root CA to verify?

Thank you!

One Answer

If you read the docs for ssl_client_certificate you will see that it says:

Specifies a file with trusted CA certificates in the PEM format used to verify client certificates

You therefore add the Root CA certificate to this file and configure your client to send the end-entity (client) certificate along with any intermediate CA certificates.

Correct answer by garethTheRed on December 11, 2020

Add your own answers!

Ask a Question

Get help from others!

© 2024 All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP