SSL handshake failed with mutual TLS

CJ Ess zxcvbn4038 at gmail.com
Mon Jun 20 15:59:16 UTC 2016


Check that you have both the certificate and any intermediate certificates
in your pem file - you can skip the top-most CA certificates as those are
generally included in your browser's CA store - but the intermediates are
not.

I believe Nginx wants certs ordered from bottom-most (your cert) to
top-most (CA's cert) - it used to be picky about that; I haven't retried the
ordering in a long while.


On Sun, Jun 19, 2016 at 5:09 AM, Francis Daly <francis at daoine.org> wrote:

> On Sat, Jun 18, 2016 at 11:29:49AM +0300, Andrey Novikov wrote:
>
> Hi there,
>
> > We've successfully configured interaction with two of these systems
> > (all with mutual TLS), and when we pointed another one to this server
> > we got the following message in the error.log (log level for error log
> > is set to debug):
> >
> > 2016/06/16 18:07:55 [info] 21742#0: *179610 SSL_do_handshake() failed
> > (SSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> > certificate:SSL alert number 42) while SSL handshaking, client:
> > 10.117.252.168, server: 0.0.0.0:8443
> >
> > What can cause this message? How to debug it?
>
> I think that this message (can|does) mean that the far side did not like
> something about your certificate.
>
> If that is the case - are there any logs on the thing connecting to
> nginx about what it thinks happened in the TLS negotiation?
>
> Cheers,
>
>         f
> --
> Francis Daly        francis at daoine.org
>
>
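
An added example, not part of the original thread: a shell check that a PEM bundle is ordered leaf first, as the reply above suggests, by comparing each certificate's issuer with the subject of the certificate that follows it. The function names `check_chain_order` and `make_constructed_chain` are hypothetical, the certificates are throwaway constructed test data, and the `openssl` CLI is assumed to be on the PATH.

```bash
#!/usr/bin/env bash
# Added example: check that a PEM bundle runs leaf -> intermediate(s) -> CA.
# Compares names only (issuer of cert N == subject of cert N+1); it does not
# verify signatures or trust.
check_chain_order() {
    local bundle=$1 tmp i=1 next iss sub rc=0
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: 1.pem, 2.pem, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
                     n {print > (d "/" n ".pem")}' "$bundle"
    if [ ! -f "$tmp/1.pem" ]; then
        echo "no certificates found in $bundle"; rm -rf "$tmp"; return 2
    fi
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        next=$((i + 1))
        iss=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer_hash)
        sub=$(openssl x509 -in "$tmp/$next.pem" -noout -subject_hash)
        if [ "$iss" != "$sub" ]; then
            echo "cert $i is not issued by cert $next"; rc=1
        fi
        i=$next
    done
    rm -rf "$tmp"
    return $rc
}

# Constructed test data: throwaway root -> int -> leaf chain in directory $1.
make_constructed_chain() {
    local d=$1 name ca=""
    for name in root int leaf; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed $name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
        if [ -z "$ca" ]; then   # root: self-signed
            openssl x509 -req -in "$d/$name.csr" -signkey "$d/$name.key" \
                -days 1 -out "$d/$name.pem" 2>/dev/null || return 1
        else                    # signed by the previous certificate
            openssl x509 -req -in "$d/$name.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
                -CAcreateserial -days 1 -out "$d/$name.pem" 2>/dev/null || return 1
        fi
        ca=$name
    done
}

demo=$(mktemp -d) && make_constructed_chain "$demo"
cat "$demo/leaf.pem" "$demo/int.pem" > "$demo/good.pem"   # leaf first
cat "$demo/int.pem" "$demo/leaf.pem" > "$demo/bad.pem"    # reversed
check_chain_order "$demo/good.pem" && echo "good.pem: order ok"
check_chain_order "$demo/bad.pem"  || echo "bad.pem: misordered"
```

A bundle that passes this check can still be rejected by the peer for other reasons (expiry, key usage, an untrusted root), so the connecting side's own logs remain the authoritative source.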

