Problem creating CRL
Maxim Dounin
mdounin at mdounin.ru
Tue Feb 18 18:42:28 UTC 2020
Hello!
On Tue, Feb 18, 2020 at 12:58:26PM -0500, trstringer wrote:
> I am attempting to add CRL support to my nginx proxy, and it seems to not be
> working due to the following error:
>
> client SSL certificate verify error: (3:unable to get certificate CRL) while
> reading client request headers
>
> From my research, this is because nginx senses a missing CRL. But here is
> the structure of my client certificate (it has the full chain of
> certificates in it):
>
> Certificate:
> Data:
> ...
> X509v3 extensions:
> ...
> X509v3 Key Usage: critical
> Certificate Sign, CRL Sign
>
> Certificate:
> Data:
> ...
> X509v3 extensions:
> ...
> X509v3 CRL Distribution Points:
> Full Name:
> URI:http://uri1
>
> Certificate:
> Data:
> ...
> X509v3 extensions:
> ...
> X509v3 Key Usage: critical
> Certificate Sign, CRL Sign
>
> Certificate:
> Data:
> ...
> X509v3 extensions:
> ...
> X509v3 CRL Distribution Points:
> Full Name:
> URI:http://uri2
> URI:http://uri3
> URI:http://uri4
>
> I take the following steps:
>
> 1. curl and convert output from url1 to PEM.
> 2. curl and convert output from url2 to PEM.
> 3. Concat the two outputs into the same file.
> 4. Specify this file in nginx config for ssl_crl.
>
> But I get the above error.
>
> Any thoughts on what I'm doing wrong? My understanding is that I should be
> able to safely ignore url3 and url4.
You need CRLs for all certificates in the chain.
--
Maxim Dounin
http://mdounin.ru/
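The failure mode discussed in this thread, as an added example that is not code from the thread or from nginx: a throwaway root -> intermediate -> client PKI is built with the openssl CLI, each CA issues its own CRL, and the client certificate is then verified with `openssl verify -crl_check_all`, which corresponds to the CRL mode nginx enables for `ssl_crl` (a CRL is looked up at every depth of the chain, the root included). A CRL file that lacks the CRL of any CA in the chain fails with OpenSSL error 3, "unable to get certificate CRL", and the depth printed in the error tells you which CA's CRL is missing. All names, subjects and paths are constructed for this demonstration; the script needs only the openssl CLI.

```shell
#!/bin/sh
# Added example (not code from the thread or from nginx): build a throwaway
# root -> intermediate -> client PKI, issue a CRL from each CA, and verify the
# client certificate with -crl_check_all, the CRL mode nginx uses for ssl_crl.
# Every name, subject and path below is constructed for this demonstration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config for one CA ($1): a [req] section so 'openssl req' needs
# no system config, a [this_ca] section for 'openssl ca -gencrl', and the
# extensions that make a certificate a CA allowed to sign CRLs.
write_cfg() {
  cat > "$WORK/$1.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca ]
default_ca = this_ca
[ this_ca ]
new_certs_dir = $WORK
database = $WORK/$1.index
serial = $WORK/$1.serial
crlnumber = $WORK/$1.crlnumber
certificate = $WORK/$1.crt
private_key = $WORK/$1.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = any_policy
[ any_policy ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  : > "$WORK/$1.index"
  echo 01 > "$WORK/$1.serial"
  echo 01 > "$WORK/$1.crlnumber"
}

# Key plus CSR for one subject: $1 = file stem, $2 = CN (subject given via -subj).
new_csr() {
  openssl req -new -config "$WORK/root.cnf" -newkey rsa:2048 -nodes \
      -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

build_pki() {
  write_cfg root
  write_cfg inter
  cd "$WORK"
  new_csr root  "Example Root CA"
  new_csr inter "Example Intermediate CA"
  new_csr leaf  "client"
  # Root is self-signed; intermediate is signed by root; both carry CA extensions.
  openssl x509 -req -in root.csr -signkey root.key -days 30 \
      -extfile root.cnf -extensions ca_ext -out root.crt 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 30 -extfile inter.cnf -extensions ca_ext -out inter.crt 2>/dev/null
  # Client certificate signed by the intermediate.
  openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
      -days 30 -out leaf.crt 2>/dev/null
  # Each CA publishes its own (here empty) CRL. In a real deployment these are the
  # files fetched from each CA's CRL Distribution Point, converted to PEM with
  # 'openssl crl -inform DER -outform PEM' when the CA serves DER.
  openssl ca -config root.cnf  -gencrl -out root.crl
  openssl ca -config inter.cnf -gencrl -out inter.crl
  # The concatenated file is what ssl_crl should point at: one CRL per CA.
  cat root.crl inter.crl > all.crl
}

# Verify leaf.crt against the trusted root with the intermediate as an untrusted
# chain certificate, checking a CRL at every depth as nginx does. $1 = PEM CRL file.
verify_chain() {
  openssl verify -crl_check_all -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
      -CRLfile "$1" "$WORK/leaf.crt" 2>&1
}

chain_verifies() { verify_chain "$1" >/dev/null; }

# True when verification fails for exactly the reason reported in the thread.
fails_with_missing_crl() {
  out=$(verify_chain "$1") && return 1
  case "$out" in *"unable to get certificate CRL"*) return 0 ;; esac
  return 1
}

build_pki
for crl in inter.crl root.crl all.crl; do
  echo "== ssl_crl pointing at $crl"
  verify_chain "$WORK/$crl" || true
done
```

With only `inter.crl` the error is reported at depth 1 (the intermediate has no CRL from the root), with only `root.crl` at depth 0 (the client certificate has no CRL from the intermediate), and only `all.crl` verifies. Because the check also covers the trust anchor, the root's own CRL must be present even though the root never appears in a client-supplied chain.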