Client certificates require nginx restart

Maxim Dounin mdounin at mdounin.ru
Mon Dec 6 15:21:47 MSK 2010


Hello!

On Mon, Dec 06, 2010 at 05:42:01AM -0500, kefear wrote:

> Hi, 
> I have set up nginx as an ssl reverse proxy for tomcat. I am doing
> matching based on the client DN like this:
> 
> [code]
> 	ssl on;
> 	ssl_certificate /etc/ssl/server.crt;
> 	ssl_certificate_key /etc/ssl/server.key;
> 	ssl_client_certificate /etc/ssl/certs/ca.crt;
> 	ssl_verify_client on;
> 
> location  /client2 {
> 		if ($ssl_client_s_dn = "/C=US/ST=OH/O=TEST.US/OU=ADM/CN=client2") {
> 			proxy_pass http://127.0.0.1:8180;
> 			break;
> 		}
> 	}
> [/code]
> 
> Everything works fine except that I have to restart nginx every time a new
> certificate is imported into a client browser. I would like to make them
> work without restarting nginx. Is it possible or am I doing something
> wrong? Thanks in advance for any help.

It's likely to be caused by the browser using a previously established 
ssl session (with the old client cert used in it). Restarting the 
browser should help as well.

Maxim Dounin
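The explanation above comes down to TLS session resumption: a resumed session carries the client certificate that was verified at the original handshake, so the new certificate is not seen until that session expires. The configuration below is an added example, not from the thread, showing the DN match together with the session-cache settings that bound that window and a log format that records whether a request rode on a resumed session; it assumes a modern nginx (`map` and `$ssl_session_reused` postdate this 2010 thread).

```nginx
# Added example (not from the thread). Assumes a modern nginx: "map" and
# $ssl_session_reused are not available in the 2010-era versions discussed.

# Map the verified client DN to an upstream once, instead of an "if"
# inside each location.
# Note: since nginx 1.11.6 $ssl_client_s_dn is in RFC 2253 form
# ("CN=client2,OU=ADM,..."); the OpenSSL one-line form used in the thread
# is then available as $ssl_client_s_dn_legacy.
map $ssl_client_s_dn $client_upstream {
    default                                   "";
    "/C=US/ST=OH/O=TEST.US/OU=ADM/CN=client2" "http://127.0.0.1:8180";
}

# $ssl_session_reused is "r" for a resumed session and "." otherwise, so an
# "r" next to a stale DN is exactly the symptom described in the thread.
log_format clientcert '$remote_addr $ssl_session_reused '
                      '"$ssl_client_s_dn" "$request" $status';

server {
    listen 443 ssl;
    ssl_certificate        /etc/ssl/server.crt;
    ssl_certificate_key    /etc/ssl/server.key;
    ssl_client_certificate /etc/ssl/certs/ca.crt;
    ssl_verify_client      on;

    # A resumed session reuses the client certificate verified at the
    # original handshake, so keep the resumption window short
    # (the default ssl_session_timeout is 5m).
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 1m;

    access_log /var/log/nginx/clientcert.log clientcert;

    location /client2 {
        # Reject DNs that did not map to an upstream instead of falling
        # through to a default.
        if ($client_upstream = "") {
            return 403;
        }
        proxy_pass $client_upstream;
    }
}
```

Operators who need the new certificate to take effect immediately can also have the client start a fresh session, as the reply suggests; shortening the timeout only limits how long the old one survives.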


