ssl client auth trouble

AJ Weber aweber at comcast.net
Fri Aug 30 19:13:07 UTC 2019 

On 8/30/2019 12:33 PM, Reinis Rozitis wrote:
>> When this is all done, and I import the p12 client certificate on my Windows PCs (tested 2) Chrome and Firefox show me the "400 Bad Request\n No required SSL certificate was sent".  The very strange thing is IE11 on one of the two PCs, actually prompts me to use my newly-installed cert the first time, and it works.  No other browser (including IE on a different PC) works.
>
> Afaik Chrome uses Windows certificate store (and iirc as of FF49 there is an optional setting for firefox too) so if IE11 works it could be that rather than nginx configuration it is browser related.
The tricky thing there is that it works on one PC's IE and not another.  
But you are correct, Chrome does use the Windows cert store.  I have 
checked a dozen times that the cert is in there as correctly as I can 
surmise.  And when the initial tests show that 1 out of 5 browsers are 
successful, it is not something I can go forward with before I solve it. :)
>
> For example - some time ago when I had to implement client certificate authentication myself one such caveat turned out to be how Chrome handles http2 - I had several virtualhosts,  but client auth only for one domain and it randomly didn't work. When I inspected the http2 stream I noticed that if the resolved IP for the domain matched an existing connection Chrome happily reused/pipelined the request through it without sending the certificate.
> When the particular domain was placed on a separate ip everything started to work as expected. While there might not be a technical issue for such behavior (not sure?) it wasn't very obvious at first.
>
>
> I would suggest to share at least minimal nginx configuration snippet - it's hard to help without that.

I can do that.  This is initial setup of nginx. The default nginx.conf 
has only been edited by certbot (trying Lets Encrypt), and I have zero 
virtual hosts...in fact nothing in default.d/

>
> Maybe try with ssl_verify_client optional_no_ca; - depending on how the client certificate was created/signed there might be intermediate CAs (not sure if you followed the guides directly about self-made CAs etc)

I tried following both of those links precisely.  From my eye, they both 
do the same exact set of steps...just some syntactically separated.

The client cert appears to be signed correctly with the output of 
"openssl verify -verbose -CAfile ..."

> and then the default ssl_verify_depth 1; would also fail at verification.
I actually set this to 2 based on a recommendation in SO post, but it 
did not make a difference either way.
> Also log if $ssl_client_s_dn / $ssl_client_escaped_cert actually contain anything.

I will search for this.  Not sure how to add this info to my logs, or 
whether it logs failures too?


Thank you for your help!

More information about the nginx mailing list