I want to force ssl client verification for on of my virtual hosts. But get "No required SSL certificate was sent" error, trying to GET something from it.
Here are my test configs:
# defaults
ssl_certificate /etc/certs/server.cer;
ssl_certificate_key /etc/certs/privkey-server.pem;
ssl_client_certificate /etc/certs/allcas.pem;
server {
listen 1443 ssl;
server_name server1.example.com;
root /tmp/root/server1;
ssl_verify_client off;
}
server {
listen 1443 ssl;
server_name server2.example.com;
root /tmp/root/server2;
ssl_verify_client on;
}
First server replies with 200 http code, but second returns "400 Bad Request, No required SSL certificate was sent, nginx/1.0.4".
Probably, it is implossible to use ssl_verify_client on the same IP? Should I bind these servers to different IPs, will it solve my problem?
Best Answer
I ran into a similar problem, but looking to distinguish the
ssl_verify_clientsbetween location blocks within a server block, rather than between server blocks. You could probably solve your problem by moving the default ssl config stuff into the two servers (duplicating it, sure, or put them all in one server block, accept the multiple sub-domains, and use locations).For the location based solution, looks like the following works. Use
ssl_verify_client optional;in the server block, and use if-statements in the various locations, eg:
if ($ssl_client_verify != SUCCESS) { return 403; }I needed to do this to give admin access to an webapp, yet still allow webhooks from github without giving github a client ssl cert.