failure to limit access to a secure area with self-signed client SSL cert fingerprint match

Francis Daly francis at
Thu Mar 23 21:58:27 UTC 2023

On Wed, Mar 22, 2023 at 08:48:50AM -0400, PGNet Dev wrote:

Hi there,

> > Do you have the certificate that has that value as the Subject? What
> > is that certificate's Issuer? And repeat until you get to the root
> > certificate.
> > 
> > And which of the ssl*certificate files named in your config holds those certificates?
> i verified all my certs/chains. all good.

You verified things in your way, and saw they were good.

The nginx logs you provided indicated that nginx verified things in its
way, and saw they were not good.

It seems like you have a system that works for you now, and that is

If you want to keep testing for another system, then based on what
you reported, and what you provided here, my guess is that your client
certificate does verify against whatever is in myCA.CHAIN.crt.pem,
and does not verify against whatever is in

So I suspect that if you put the contents of those two files into a
single file, and then refer to that either as ssl_client_certificate or
as ssl_trusted_certificate, and do not use the other directive at all;
then things might work more like you want.

Good luck with it,

Francis Daly        francis at
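
The suggestion above, as an added example that is not part of the original message: a client certificate that verifies against one CA file and not the other does verify against the two files concatenated. The two throwaway CAs, the client certificate and every file name are constructed for the demo, and `openssl verify` is used as an assumed stand-in for nginx's own chain check.

```shell
#!/bin/sh
# Constructed demo: two throwaway CAs stand in for the two CA files in the
# thread. Every name below is made up; nothing here is the poster's config.

# Return 0 if certificate $2 verifies against CA bundle $1.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Create a self-signed CA. $1 = file prefix, $2 = common name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Issue a client certificate. $1 = CA file prefix, $2 = client file prefix.
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 2 -out "$2.crt" 2>/dev/null
}

# Verify one client certificate against each CA file and against both combined.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d/caA" "Demo CA A" && make_ca "$d/caB" "Demo CA B" &&
        make_client "$d/caA" "$d/client" || return 1
    # The single combined file the message suggests handing to nginx.
    cat "$d/caA.crt" "$d/caB.crt" > "$d/combined.pem"
    for bundle in caA.crt caB.crt combined.pem; do
        if verify_against "$d/$bundle" "$d/client.crt"; then r=ok; else r=FAIL; fi
        echo "$bundle: $r"
    done
    rm -rf "$d"
}

demo
```

With real files, run `verify_against` on the combined file and the client certificate before pointing `ssl_client_certificate` or `ssl_trusted_certificate` at it.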
