3:unable to get certificate CRL

Maxim Dounin mdounin at mdounin.ru
Thu Mar 12 17:03:26 UTC 2015


Hello!

On Thu, Mar 12, 2015 at 04:25:08PM +0000, Janet Valbuena wrote:

> Hi Nginx Team
> 
> I'm having problems configuring NGINX to use a CRL.
> 
> I've created the CRL using OpenSSL 0.9.8e and my Nginx version is 1.4.1.
> 
> I'm using a self-signed certificate and an intermediate certificate.
> 
> The lines for the SSL in my config are:
> 
> server {
>     listen       10446 ssl;
>
>     ssl_session_cache   shared:SSL:10m;
>     ssl_session_timeout 10m;
>     ssl_prefer_server_ciphers on;
>
>     ssl_certificate /etc/nginx/ssl/star_net.crt;
>     ssl_certificate_key /etc/nginx/ssl/star_net.key;
>
>     ssl_client_certificate /etc/certs/ca-chain.cert.pem;
>
>     ssl_crl /etc/certs/crl.cert.pem;
>
>     ssl_verify_client on;
>     ssl_verify_depth 2;
>
> If I comment the ssl_crl line, I don't get any errors.
> 
> However as soon as I uncomment it I get this error:
> 
> ..... client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers, client: ....
> 
> I can't see what is wrong in my config. Help please.

The error suggests that you don't have a CRL for at least one of 
the certificates in the chain.

-- 
Maxim Dounin
http://nginx.org/
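
The condition described in the reply can be reproduced offline with a throwaway PKI. This is an added example, not part of the original thread or of nginx: it uses `openssl verify -crl_check_all`, which wants a CRL for every certificate in the chain, and all names and file names in it (Demo Root CA, `crl-all.pem`, the helper functions) are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed PKI (root CA -> intermediate CA -> client cert).
# All names and files are made up; nothing here comes from the poster's setup.
set -e
cd "$(mktemp -d)"
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
default_ca = demo
[demo]
database = index.txt
default_md = sha256
default_crl_days = 30
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
: > index.txt   # empty CA database, i.e. nothing revoked

csr()    { openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$2" \
             -keyout "$1.key" -out "$1.csr" 2>/dev/null; }
sign()   { openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
             -days 2 -out "$1.crt" $3 2>/dev/null; }
gencrl() { openssl ca -gencrl -config ca.cnf -keyfile "$1.key" -cert "$1.crt" \
             -out "$1.crl" 2>/dev/null; }

openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
  -subj "/CN=Demo Root CA" -days 2 -keyout root.key -out root.crt 2>/dev/null
csr int "Demo Intermediate CA"; sign int root "-extfile ca.cnf -extensions v3_ca"
csr client "demo-client";       sign client int ""
cat int.crt root.crt > ca-chain.pem   # role of the ssl_client_certificate file
gencrl root; gencrl int               # one CRL per CA in the chain
cat int.crl root.crl > crl-all.pem    # a CRL file covering both CAs

# Verify the client cert, requiring a CRL for every certificate in the chain.
check() {  # $1 = CRL file to use
  out=$(openssl verify -crl_check_all -CAfile ca-chain.pem -CRLfile "$1" client.crt 2>&1) || true
  case $out in
    *"unable to get certificate CRL"*) echo "error 3: unable to get certificate CRL" ;;
    *"client.crt: OK"*)                echo "ok" ;;
    *)                                 echo "$out" ;;
  esac
}
echo "intermediate CRL only: $(check int.crl)"
echo "CRLs for both CAs:     $(check crl-all.pem)"
```

The same `openssl verify` command, pointed at a real CA chain file and CRL file, shows whether a CRL is missing for one of the issuers before the files are put into the server configuration.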
