ssl client auth trouble

Reinis Rozitis r at
Fri Aug 30 16:33:35 UTC 2019

> When this is all done, and I import the p12 client certificate on my Windows PCs (tested 2) Chrome and Firefox show me the "400 Bad Request\n No required SSL certificate was sent".  The very strange thing is IE11 on one of the two PCs, actually prompts me to use my newly-installed cert the first time, and it works.  No other browser (including IE on a different PC) works.

AFAIK Chrome uses the Windows certificate store (and IIRC as of FF49 there is an optional setting for Firefox too), so if IE11 works it could be that rather than nginx configuration it is browser related.

For example - some time ago when I had to implement client certificate authentication myself one such caveat turned out to be how Chrome handles http2 - I had several virtualhosts, but client auth only for one domain and it randomly didn't work. When I inspected the http2 stream I noticed that if the resolved IP for the domain matched an existing connection Chrome happily reused/pipelined the request through it without sending the certificate.
When the particular domain was placed on a separate ip everything started to work as expected. While there might not be a technical issue for such behavior (not sure?) it wasn't very obvious at first.

I would suggest sharing at least a minimal nginx configuration snippet - it's hard to help without that.

Maybe try with ssl_verify_client optional_no_ca; - depending on how the client certificate was created/signed there might be intermediate CAs (not sure if you followed the guides directly about self-made CAs etc) and then the default ssl_verify_depth 1; would also fail at verification.
Also log if $ssl_client_s_dn / $ssl_client_escaped_cert actually contain anything.
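
A troubleshooting configuration along the lines suggested in this message, added here as an example (it is not from the original post or from the nginx project). The server name, file paths and log format name are placeholders; the directives and variables are standard nginx ones.

```nginx
# Added diagnostic example. Place log_format in the http {} context.
# Records what the client actually presented and whether the request arrived
# on a connection negotiated for a different name (sni != host), which is the
# HTTP/2 connection-reuse case described in the message.
log_format clientcert '$remote_addr [$time_local] host=$host sni=$ssl_server_name '
                      'h2=$http2 reused=$ssl_session_reused '
                      'verify=$ssl_client_verify '
                      's_dn="$ssl_client_s_dn" i_dn="$ssl_client_i_dn" '
                      'status=$status';

server {
    # Newer nginx versions prefer a separate "http2 on;" directive.
    listen 443 ssl http2;
    server_name secure.example.com;                  # placeholder

    ssl_certificate     /etc/nginx/tls/server.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/server.key;   # placeholder path

    # Troubleshooting only: request a certificate but do not reject the
    # request when it is missing or not signed by a trusted CA, so the
    # result can be logged. This setting authenticates nobody; restore
    # "ssl_verify_client on;" with ssl_client_certificate once diagnosed.
    ssl_verify_client optional_no_ca;

    # Default is 1; raise it if the client certificate was issued by an
    # intermediate CA rather than directly by the root.
    ssl_verify_depth 2;

    access_log /var/log/nginx/clientcert.log clientcert;

    location / {
        default_type text/plain;
        # Echo the verification result back to the browser for a quick check.
        return 200 "verify=$ssl_client_verify\nsubject=$ssl_client_s_dn\n";
    }
}
```

In the log, `verify=NONE` means the browser sent no certificate at all (a browser or certificate-store issue, or a reused connection), while `verify=FAILED:...` means a certificate arrived but its chain did not verify.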

