Two Way SSL - client SSL certificate verify error

vikas027 nginx-forum at
Mon Sep 25 12:04:02 UTC 2017

I am testing out two-way SSL and I have configured a Root CA, Intermediate
CA and created server and client certificates which are signed by the
Intermediate CA.

This is my configuration file:

server {
  listen 443;
  ssl on;

  # App Cert plus Intermediate CA Cert

  # Application Key
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  error_log /var/log/nginx/massl.log debug;

  ssl_client_certificate /root/ca/certs/ca.cert.pem;
  ssl_verify_client on;

  location / {
      root /usr/share/nginx/massl;
      index index.html index.htm;
  }
}

If I use the above config and pass the client certificate (also signed by
the same Intermediate CA) and key in curl or openssl s_client, I get the
below error in /var/log/nginx/massl.log:

2017/09/25 21:49:15 [info] 94#94: *9 client SSL certificate verify error:
(21:unable to verify the first certificate) while reading client request
headers, client:, server:, request: "GET /
HTTP/1.0", host: ""

I don't have any certificate error in 'openssl s_client' log. Here is the
short and debug log

I understand that I am missing the Intermediate CA certificate in the client
chain, but I am not sure how to pass it. I have tried adding the intermediate
CA in the 'ssl_client_certificate' parameter, in vain.

Additionally, everything works fine if I use the certificate (and
corresponding key) of the Root CA and Intermediate CA.

Posted at Nginx Forum:,276514,276514#msg-276514
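
An added example, not part of the original post and not the poster's configuration: a server block for the Root CA -> Intermediate CA -> client chain described above, where nginx is given both CA certificates and a verification depth that covers the intermediate. Every path marked ASSUMED is a placeholder that does not appear in the post.

```nginx
# Added example. The trust bundle is built once from the two CA certificates,
# intermediate first, then root (the intermediate's file name is a placeholder):
#   cat <intermediate-ca-cert.pem> /root/ca/certs/ca.cert.pem > /etc/nginx/tls/client-ca-chain.pem
server {
    listen 443 ssl;                        # replaces the older "ssl on;" form

    # Server identity: server certificate followed by the Intermediate CA certificate.
    ssl_certificate     /etc/nginx/tls/server-chain.pem;       # ASSUMED path
    ssl_certificate_key /etc/nginx/tls/server.key;             # ASSUMED path
    ssl_protocols TLSv1.2;                 # TLSv1 / TLSv1.1 from the post left out

    error_log /var/log/nginx/massl.log debug;

    # CA certificates used to verify client certificates. With only the root in
    # this file and a client that sends only its leaf certificate, nginx cannot
    # find the leaf's issuer, and verification stops at the first certificate.
    ssl_client_certificate /etc/nginx/tls/client-ca-chain.pem; # ASSUMED path
    ssl_verify_client on;

    # ssl_verify_depth defaults to 1. A value of 2 allows one intermediate CA
    # between the client certificate and the root.
    ssl_verify_depth 2;

    location / {
        root /usr/share/nginx/massl;
        index index.html index.htm;
    }
}
```

After a reload, the debug lines in /var/log/nginx/massl.log show whether the client certificate now verifies. A client that sends its intermediate along with its leaf still needs the depth setting on the server side.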
