Two Way SSL - client SSL certificate verify error
vikas027
nginx-forum at forum.nginx.org
Mon Sep 25 12:04:02 UTC 2017
I am testing out two-way SSL and I have configured a Root CA and an Intermediate
CA, and created server and client certificates which are signed by the
Intermediate CA.
This is my configuration file:
------------------------------------------------------------------
server {
    listen 443;
    server_name server.test.com;
    ssl on;
    # App Cert plus Intermediate CA Cert
    ssl_certificate /root/ca/intermediate/certs/server_plus_intermediate.chain.pem;
    # Application Key
    ssl_certificate_key /root/ca/intermediate/private/server.test.com.key.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    error_log /var/log/nginx/massl.log debug;
    ssl_client_certificate /root/ca/certs/ca.cert.pem;
    ssl_verify_client on;
    location / {
        root /usr/share/nginx/massl;
        index index.html index.htm;
    }
}
------------------------------------------------------------------
If I use the above config and pass the client certificate (also signed by
the same Intermediate CA) and key in curl or openssl s_client, I get the
error below in /var/log/nginx/massl.log:
2017/09/25 21:49:15 [info] 94#94: *9 client SSL certificate verify error: (21:unable to verify the first certificate) while reading client request headers, client: 1.6.0.30, server: server.test.com, request: "GET / HTTP/1.0", host: "server.test.com"
I don't have any certificate error in 'openssl s_client' log. Here is the
short and debug log
https://gist.github.com/vikas027/6c2225c34bb705d83df3547ac9f7467a
I understand that I am missing the Intermediate CA certificate in the client chain,
but I am not sure how to pass it. I have tried adding the intermediate CA to the
'ssl_client_certificate' parameter, in vain.
Additionally, everything works fine if I use the certificate (and corresponding
key) of the Root CA and Intermediate CA.
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,276514,276514#msg-276514
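
The chain shape described in the post (root, intermediate, client certificate signed by the intermediate), reproduced offline with the openssl CLI as an added example that is not part of the original post or of nginx. It shows that a verifier holding only the root cannot build a path to the client certificate, while supplying the intermediate, either alongside the leaf or in the trusted CA file, lets the same certificate verify. All file and subject names are constructed, and `openssl verify` stands in for the server's chain check, so its wording for the failing case can differ from the nginx log line.

```shell
#!/bin/sh
# Constructed throwaway PKI (all names made up): root -> intermediate -> client.
build_pki() {   # $1 = empty working directory
    ( cd "$1" || exit 1
      echo 'basicConstraints=critical,CA:TRUE' > ca.ext
      for n in root intermediate client; do
          openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example $n" \
              -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
      done
      # Self-signed root, then intermediate signed by root, then client signed by intermediate.
      openssl x509 -req -in root.csr -signkey root.key -days 2 \
          -extfile ca.ext -out root.pem 2>/dev/null || exit 1
      openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
          -set_serial 2 -days 2 -extfile ca.ext -out intermediate.pem 2>/dev/null || exit 1
      openssl x509 -req -in client.csr -CA intermediate.pem -CAkey intermediate.key \
          -set_serial 3 -days 2 -out client.pem 2>/dev/null || exit 1
      cat root.pem intermediate.pem > ca_bundle.pem )
}

# chain_ok <dir> <trusted CA file> [untrusted chain file]: true if client.pem verifies.
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1/$2" -untrusted "$1/$3" "$1/client.pem" 2>/dev/null
    else
        openssl verify -CAfile "$1/$2" "$1/client.pem" 2>/dev/null
    fi | grep -q ': OK$'
}

demo() {
    d=$(mktemp -d) || return 1
    build_pki "$d" || { rm -rf "$d"; return 1; }
    # Verifier trusts only the root and sees only the leaf: no path can be built.
    chain_ok "$d" root.pem && echo "root only: OK" || echo "root only: FAIL"
    # Peer supplies the intermediate alongside the leaf (untrusted helper cert).
    chain_ok "$d" root.pem intermediate.pem && echo "leaf + intermediate sent: OK"
    # Verifier's CA file contains root and intermediate.
    chain_ok "$d" ca_bundle.pem && echo "root + intermediate trusted: OK"
    rm -rf "$d"
}
demo
```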