I want to configure my Nginx to use mutual SSL to verify clients connecting to my server, so I have the following setup in my nginx conf:
error_log /var/www/logs/app.nginx-error.log info;
# SSL config
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/letsencrypt/live/domain-name.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/domain-name.com/privkey.pem; # managed by Certbot
#setting for mutual ssl with client
I then appended a test client certificate (.crt file) to clients.crt and restarted the nginx server to test. When I connected with the curl cmd using my full-chained pem (with two intermediate CA certs inside), the nginx error log recorded:
2020/10/28 09:32:51 [info] 15940#15940: *7 client SSL certificate verify error: (2:unable to get issuer certificate) while reading client request headers, client: 22.214.171.124, server: ...
I searched a bit and realised that openssl could not verify the chained-cert file all the way back to its root CA. I am using Ubuntu v16 and see that a bunch of root CAs are already specified in
My question is: how can I tell Nginx/openssl to look in this directory and find an appropriate root CA for the verification?
If you read the docs for ssl_client_certificate you will see that it says:
Specifies a file with trusted CA certificates in the PEM format used to verify client certificates
You therefore add the Root CA certificate to this file and configure your client to send the end-entity (client) certificate along with any intermediate CA certificates.
Correct answer by garethTheRed on December 11, 2020
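The answer's point, replayed as an added example (not the asker's or garethTheRed's code): a throwaway root -> intermediate -> client chain is built with openssl, and `openssl verify` is then run the way nginx evaluates ssl_client_certificate, with the trust file as the only trusted material and intermediates supplied by the client. All file names and subjects are constructed placeholders.

```shell
set -e
WORK=$(mktemp -d)                       # constructed PKI; every file name is a placeholder
run() { "$@" >/dev/null 2>&1; }

# Key + CSR for each party (subjects are made up).
for n in root inter client; do
    run openssl req -new -newkey rsa:2048 -nodes -subj "/CN=toy-$n" \
        -keyout "$WORK/$n.key" -out "$WORK/$n.csr"
done
# Root: self-signed CA. Intermediate: CA signed by the root. Client: end-entity signed by the intermediate.
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/root.ext"
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\n' > "$WORK/inter.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
run openssl x509 -req -sha256 -days 7 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem"
run openssl x509 -req -sha256 -days 7 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/inter.ext" -out "$WORK/inter.pem"
run openssl x509 -req -sha256 -days 7 -in "$WORK/client.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -CAcreateserial -extfile "$WORK/client.ext" -out "$WORK/client.pem"

# check <trust-file> [presented-chain]: <trust-file> stands in for ssl_client_certificate;
# [presented-chain] is the intermediate the client sends next to its leaf (curl --cert with
# a chained PEM). Prints OK, or FAIL with openssl's reason (nginx logs the same wording;
# the numeric code differs between OpenSSL versions, so it is not relied on here).
check() {
    out=$(openssl verify -no-CApath -CAfile "$1" ${2:+-untrusted "$2"} "$WORK/client.pem" 2>&1) \
        && echo OK || echo "FAIL: $(printf '%s\n' "$out" | grep -o 'error [0-9]* at.*' | head -1)"
}

echo "1. trust file holds only the client cert, client sends leaf + intermediate (the question):"
check "$WORK/client.pem" "$WORK/inter.pem"     # FAIL: no path to a trusted root
echo "2. trust file holds the root, client sends only its leaf:"
check "$WORK/root.pem"                         # FAIL: intermediate missing from what the client sent
echo "3. trust file holds the root, client sends leaf + intermediate (the answer):"
check "$WORK/root.pem" "$WORK/inter.pem"       # OK
```

Case 3 is the configuration the answer describes: only the root CA in the file named by ssl_client_certificate, and the intermediates travelling with the client certificate.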