Client certificates require nginx restart
Maxim Dounin
mdounin at mdounin.ru
Mon Dec 6 15:21:47 MSK 2010
Hello!
On Mon, Dec 06, 2010 at 05:42:01AM -0500, kefear wrote:
> Hi,
> I have set up nginx as an SSL reverse proxy for Tomcat. I am doing
> matching based on client DN like that:
>
> [code]
> ssl on;
> ssl_certificate /etc/ssl/server.crt;
> ssl_certificate_key /etc/ssl/server.key;
> ssl_client_certificate /etc/ssl/certs/ca.crt;
> ssl_verify_client on;
>
> location /client2 {
>     if ($ssl_client_s_dn = "/C=US/ST=OH/O=TEST.US/OU=ADM/CN=client2") {
>         proxy_pass http://127.0.0.1:8180;
>         break;
>     }
> }
> [/code]
>
> Everything works fine except that I have to restart nginx every time a new
> certificate is imported into a client browser. I would like to make them
> work without restarting nginx. Is it possible or am I doing something
> wrong? Thanks in advance for any help.
It's likely to be caused by the browser using a previously established
SSL session (with the old client cert used in it). Restarting the
browser should help as well.
Maxim Dounin
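
A way to check the session-reuse explanation from access logs, as an added example that is not part of the original thread or of nginx itself. It assumes a hypothetical `log_format` named `tls_client` (shown in the comment) that records `$ssl_session_reused` and `$ssl_client_s_dn`; the sample lines are constructed.

```python
import re

# Assumed nginx log_format (hypothetical name "tls_client"), not from the thread:
#   log_format tls_client '$remote_addr $ssl_session_reused '
#                         '"$ssl_client_s_dn" "$request" $status';
# $ssl_session_reused is "r" for a resumed session and "." for a full handshake.
LINE_RE = re.compile(
    r'^(?P<addr>\S+) (?P<reused>[r.]) "(?P<dn>[^"]*)" '
    r'"(?P<request>[^"]*)" (?P<status>\d{3})$'
)

# DN taken from the configuration posted in the thread.
EXPECTED_DN = "/C=US/ST=OH/O=TEST.US/OU=ADM/CN=client2"


def classify(line, expected_dn=EXPECTED_DN):
    """Return (verdict, dn) for one access-log line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return ("unparsed", None)
    dn, resumed = m["dn"], m["reused"] == "r"
    if dn == expected_dn:
        return ("match", dn)
    if resumed:
        # Resumed session: the server sees the certificate from the original
        # handshake, so a newly imported certificate is not presented yet.
        return ("stale-session", dn)
    # Full handshake with another DN: the browser really sent a different cert.
    return ("wrong-cert", dn)


def summarize(lines):
    """Count verdicts over an iterable of log lines."""
    counts = {}
    for line in lines:
        verdict, _ = classify(line)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample lines (not real traffic).
SAMPLE = [
    '192.0.2.10 . "/C=US/ST=OH/O=TEST.US/OU=ADM/CN=client1" "GET /client2 HTTP/1.1" 404',
    '192.0.2.10 r "/C=US/ST=OH/O=TEST.US/OU=ADM/CN=client1" "GET /client2 HTTP/1.1" 404',
    '192.0.2.10 . "/C=US/ST=OH/O=TEST.US/OU=ADM/CN=client2" "GET /client2 HTTP/1.1" 200',
    'garbage',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry)[0], entry)
```

A `stale-session` verdict is consistent with the explanation given in the reply; `wrong-cert` points at certificate selection in the browser instead.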