Problem creating CRL
trstringer
nginx-forum at forum.nginx.org
Tue Feb 18 17:58:26 UTC 2020
I am attempting to add CRL support to my nginx proxy, and it seems to not be
working due to the following error:
client SSL certificate verify error: (3:unable to get certificate CRL) while
reading client request headers
From my research, this is because nginx senses a missing CRL. But here is
the structure of my client certificate (it has the full chain of
certificates in it):
Certificate:
    Data:
        ...
        X509v3 extensions:
            ...
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
Certificate:
    Data:
        ...
        X509v3 extensions:
            ...
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://uri1
Certificate:
    Data:
        ...
        X509v3 extensions:
            ...
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
Certificate:
    Data:
        ...
        X509v3 extensions:
            ...
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://uri2
                  URI:http://uri3
                  URI:http://uri4
I take the following steps:
1. curl and convert output from url1 to PEM.
2. curl and convert output from url2 to PEM.
3. Concat the two outputs into the same file.
4. Specify this file in nginx config for ssl_crl.
But I get the above error.
Any thoughts on what I'm doing wrong? My understanding is that I should be
able to safely ignore url3, and url4.
Any thoughts? Thank you!
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,287045,287045#msg-287045
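
Added example, not part of the original post: with ssl_crl set, nginx has OpenSSL check revocation for every certificate in the chain, so the file needs a CRL from each issuer in that chain. This script compares the issuer-name hashes of the certificates with those of the CRLs in the bundle; the file names chain.pem and crls.pem and all function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: report chain issuers that have no CRL in a PEM CRL bundle.
# Hypothetical usage: ./check_crls.sh chain.pem crls.pem (needs the openssl CLI)

# Split a PEM bundle ($1) into one file per BEGIN/END block under directory $2.
split_pem() {
  awk -v dir="$2" '/^-----BEGIN /{ f = sprintf("%s/%03d.pem", dir, ++n) }
                   f { print > f }
                   /^-----END /{ close(f); f = "" }' "$1"
}

# Issuer-name hash of every certificate in a PEM chain, one per line.
cert_issuer_hashes() {
  local d f; d=$(mktemp -d)
  split_pem "$1" "$d"
  for f in "$d"/*.pem; do openssl x509 -in "$f" -noout -issuer_hash; done
  rm -rf "$d"
}

# Issuer-name hash of every CRL in a PEM bundle, one per line.
crl_issuer_hashes() {
  local d f; d=$(mktemp -d)
  split_pem "$1" "$d"
  for f in "$d"/*.pem; do openssl crl -in "$f" -noout -hash; done
  rm -rf "$d"
}

# Print each issuer hash from list $1 that does not appear in list $2.
missing_crl_issuers() {
  local h
  for h in $(printf '%s\n' "$1" | sort -u); do
    printf '%s\n' "$2" | grep -qx "$h" || printf '%s\n' "$h"
  done
}

# Only runs when called with a chain file and a CRL bundle.
if [ "$#" -eq 2 ]; then
  missing=$(missing_crl_issuers "$(cert_issuer_hashes "$1")" \
                                "$(crl_issuer_hashes "$2")")
  if [ -z "$missing" ]; then
    echo "every issuer in the chain has a CRL in the bundle"
  else
    echo "no CRL found for issuer hash(es):"; echo "$missing"
    exit 1
  fi
fi
```

A hash listed as missing identifies the issuer whose CRL still has to be fetched, converted to PEM and appended to the bundle.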