failure to limit access to a secure area with self-signed client SSL cert fingerprint match

Francis Daly francis at daoine.org
Thu Mar 23 21:58:27 UTC 2023


On Wed, Mar 22, 2023 at 08:48:50AM -0400, PGNet Dev wrote:

Hi there,

> > Do you have the certificate that has that value as the Subject? What
> > is that certificate's Issuer? And repeat until you get to the root
> > certificate.
> > 
> > And which of the ssl*certificate files named in your config holds those certificates?
> 
> i verified all my certs/chains. all good.

You verified things in your way, and saw they were good.

The nginx logs you provided indicated that nginx verified things in its
way, and saw they were not good.

It seems like you have a system that works for you now, and that is
good.

If you want to keep testing for another system, then based on what
you reported, and what you provided here, my guess is that your client
certificate does verify against whatever is in myCA.CHAIN.crt.pem,
and does not verify against whatever is in intermediate_ca.ec.crt.pem.

So I suspect that if you put the contents of those two files into a
single file, and then refer to that either as ssl_client_certificate or
as ssl_trusted_certificate, and do not use the other directive at all;
then things might work more like you want.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
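
The check suggested in the reply above can be reproduced offline with the `openssl` command line. The following is an added example, not part of the original message and not the poster's configuration: `ca_a` and `ca_b` are constructed throwaway CAs standing in for the contents of myCA.CHAIN.crt.pem and intermediate_ca.ec.crt.pem, and treating them as two unrelated self-signed CAs is an assumption, since the thread does not show what those files contain.

```shell
#!/bin/sh
# Constructed demo: every file below is a throwaway stand-in, not a file from the thread.
set -eu
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT

# Minimal config so each self-signed CA carries basicConstraints CA:TRUE
# regardless of the system openssl.cnf.
cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_ca() {       # make_ca NAME -> $d/NAME.key and $d/NAME.pem (self-signed CA)
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=$1" -keyout "$d/$1.key" -out "$d/$1.pem" 2>/dev/null
}

issue_client() {  # issue_client CA NAME -> $d/NAME.pem, signed by CA
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$d/$2.key" -out "$d/$2.csr" 2>/dev/null
  openssl x509 -req -in "$d/$2.csr" -CA "$d/$1.pem" -CAkey "$d/$1.key" \
    -CAcreateserial -days 2 -out "$d/$2.pem" 2>/dev/null
}

verifies() {      # verifies CAFILE CERT -> status 0 only if CERT chains to a CA in CAFILE
  openssl verify -CAfile "$d/$1" "$d/$2" >/dev/null 2>&1
}

make_ca ca_a                 # stand-in for myCA.CHAIN.crt.pem
make_ca ca_b                 # stand-in for intermediate_ca.ec.crt.pem
issue_client ca_a client     # client certificate issued by ca_a only
cat "$d/ca_a.pem" "$d/ca_b.pem" > "$d/combined.pem"   # the single combined file

for f in ca_a.pem ca_b.pem combined.pem; do
  if verifies "$f" client.pem; then echo "$f: client verifies"
  else echo "$f: client does NOT verify"; fi
done
```

Running the same `openssl verify -CAfile` command against the real files shows which of them the client certificate actually chains to before nginx is reconfigured.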

