I have a self-signed root certificate and an intermediate certificate signed by that root. Basically something like this:
    .
    └── master (CA)
        └── servant1 (CA)
I have a few client certificates which are derived from the master->servant1 certificate chain:
    .
    └── master (CA)
        └── servant1 (CA)
            ├── client1
            ├── client2
            └── client3
I'm looking to authenticate these client certificates in nginx and I'm having a lot of trouble doing so.
Here's my nginx configuration:
    upstream luci {
        server localhost:8080;
    }

    server {
        listen 127.0.0.1:80;
        server_name myserver;
        return 301 https://$host$request_uri;
    }

    server {
        listen 127.0.0.1:443;
        server_name myserver;

        ssl on;
        ssl_certificate /etc/nginx/certs/myserver.crt;
        ssl_certificate_key /etc/nginx/certs/myserver.key;
        ssl_session_timeout 5m;
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1.2 TLSv1.1;
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AES:!ECDH+3DES:!DH+3DES:!RSA+3DES:!aNULL:!MD5:!DSS;

        ssl_client_certificate /etc/nginx/certs/servant1-ca-chain.crt;
        ssl_verify_client on;
        ssl_verify_depth 2;

        location / {
            proxy_pass http://luci;
        }
    }
This should be pretty straightforward. All client certificates signed by the intermediate servant1 CA should be allowed to connect to nginx.
However, when I attempt to access the server with these client certificates, I get this:
(obviously an incredibly detailed and helpful error)
I find this in my logs:
2013/12/01 22:46:18 [alert] 7478#0: *5 ignoring stale global SSL error (SSL: error:0407006A:lib(4):func(112):reason(106) error:04067072:lib(4):func(103):reason(114) error:0D0C5006:lib(13):func(197):reason(6)) while reading client request line, client: 192.168.1.208, server: myserver
Useful information here is:
ignoring stale global SSL error
What's going wrong and how can I fix it?
I had generated my certificates using OpenSSL and most probably screwed something up along the way.
My recommendation is to use XCA when at all possible for generating SSL certificates, as it's incredibly secure, feature-complete, and makes it easy to manage public and private keys, certificates, CSRs, and more.
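An added check that is not part of the question or the answer above: this script rebuilds the same master -> servant1 -> client1 hierarchy with OpenSSL in a scratch directory and then verifies client1 against a chain file the way nginx's `ssl_client_certificate` and `ssl_verify_depth` do, so a broken chain shows up on the command line before nginx is involved. The config sections, file names and subject names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the question or answer): rebuild master -> servant1
# -> client1 with OpenSSL and verify client1 the way nginx's
# ssl_client_certificate / ssl_verify_depth do. All names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: a CA extension section for master/servant1, a leaf section
# for clients. -subj is used, so the (empty) dn section is never prompted.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

# Self-signed root (master).
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=master \
  -extensions v3_ca -keyout master.key -out master.crt 2>/dev/null
# Intermediate (servant1), signed by master. Without CA:TRUE on this
# certificate, every client certificate it signs fails verification.
openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -subj /CN=servant1 \
  -keyout servant1.key -out servant1.csr 2>/dev/null
openssl x509 -req -in servant1.csr -CA master.crt -CAkey master.key -CAcreateserial \
  -days 365 -extfile ca.cnf -extensions v3_ca -out servant1.crt 2>/dev/null
# Client leaf (client1), signed by servant1.
openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -subj /CN=client1 \
  -keyout client1.key -out client1.csr 2>/dev/null
openssl x509 -req -in client1.csr -CA servant1.crt -CAkey servant1.key -CAcreateserial \
  -days 365 -extfile ca.cnf -extensions v3_client -out client1.crt 2>/dev/null

# What ssl_client_certificate should point at: the intermediate plus the root
# that anchors it. A file holding only servant1 contains no trust anchor.
cat servant1.crt master.crt > servant1-ca-chain.crt
cp servant1.crt only-servant1.crt

# verify_client CERT TRUSTFILE DEPTH: succeeds only when CERT chains to a
# self-signed root in TRUSTFILE within DEPTH (same limit as ssl_verify_depth).
verify_client() {
  openssl verify -CAfile "$2" -verify_depth "$3" "$1" >/dev/null 2>&1
}

verify_client client1.crt servant1-ca-chain.crt 2 && echo "client1: chain OK at depth 2"
```

Pointing `verify_client` at the real client certificate and the real `servant1-ca-chain.crt` reproduces nginx's decision without a TLS handshake; a failure here prints the specific OpenSSL verify error once the `>/dev/null 2>&1` redirection is dropped.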