Nginx – SSL client certification

certificatenginxsslverification

OS: CentOS 7

SW: NginX

Existing stuff

dhparam.pem
mydomain.com.crt
mydomain.com.csr
mydomain.com.key

Issue:

I'm trying to create a client verification by creating client certificates and then authenticate one servers requests with NginX to my destination server. However I constantly get the 400 Bad Request - No required SSL certificate was sent error message. What am I doing wrong? Here is what I did:

openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -sha256 -in client.csr -CA mydomain.com.crt -CAkey client.key -set_serial 2 -out client.crt

Every command runs successfully, however, the error stays. Also in my NginX, on the destination server, I have:

ssl_certificate         /etc/nginx/ssl/mydomain.com.crt;
ssl_certificate_key     /etc/nginx/ssl/mydomain.com.key;
ssl_client_certificate  /etc/nginx/ssl/mydomain.com.crt;

NGINX Configuration:

server {
    listen 80;
    listen 443 ssl;

    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

    ssl_certificate         /etc/nginx/ssl/mydomain.com.crt;
    ssl_certificate_key     /etc/nginx/ssl/mydomain.com.key;
    ssl_client_certificate  /etc/nginx/ssl/client.crt;

    ssl_verify_client optional;

    server_name uploads.mydomain.com;
    root /var/www/html/com.mydomain.uploads/public;

    error_log /var/log/nginx/mydomain.com/error.log;
    access_log /var/log/nginx/mydomain.com/access.log main;

    index index.php;

    rewrite ^/index\.php?(.*)$ /$1 permanent;

    location / {
        try_files $uri @rewrite;
    }

    location @rewrite {
        rewrite ^(.*)$ /index.php/$1 last;
    }

    location ~ ^/index.php(/|$) {
        fastcgi_pass unix:/var/run/php-fpm/uploads.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SSL_CLIENT_VERIFY    $ssl_client_verify;
        fastcgi_param SSL_CLIENT_S_DN       $ssl_client_s_dn;
    }
}

Best Answer

It was a very stupid mistake and now I'm ashamed of myself.

I though that the website certificates are the same as the CA ones. So now I've created new ca.key and ca.crt files and signed the clients certificate with them and voila. :(

ssl_certificate /etc/nginx/ssl/mydomain.com.crt; ssl_certificate_key /etc/nginx/ssl/mydomain.com.key; ssl_client_certificate /etc/nginx/ssl/ca.crt;

So all the commands in order:

Create CA key and cert:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout nginx-selfsigned.key -out nginx-selfsigned.crt

Create client key and CSR

openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr

Sign client CSR with CA files

openssl x509 -req -days 3652 -sha256 -in client.csr -CA nginx-selfsigned.crt -CAkey nginx-selfsigned.key -set_serial 2 -out client.crt

OPTIONAL: Convert client.crt to a base64 encoded pem including the private key

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
openssl pkcs12 -in client.p12 -out client.pem -nodes

HUGE NOTE! The Organization name of the CA files and Client files CANNOT BE EQUAL! Otherwise it will break and fail to authenticate.

I hope I've helped others who also as dumb as I was.

Related Solutions

How to Force or Redirect to SSL in Nginx

According to nginx pitfalls, it's slightly better to omit the unnecessary capture, using $request_uri instead. In that case, append a question mark to prevent nginx from doubling any query args.

server {
    listen      80;
    server_name signup.mysite.com;
    rewrite     ^   https://$server_name$request_uri? permanent;
}

Nginx – OCSP validation – unable to get local issuer certificate

Those two errors was unrelated although the error message was same.

[...]SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 [...] Start Time: 1411583991 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate)

Above error was issued openssl_client command. As explained by Florian Heigl, you get this error because the openssl_client need the Globalsign Root cert in /etc/ssl/certs.

OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: gv.symcd.com

For this error, it was issued by nginx ocsp routine, especially when you add ssl_stapling_verify on; line in nginx.conf.

Here some excerpt from the documentation of ssl_stapling_verify to explain why it throws the error

Syntax: ssl_stapling_verify on | off;

Enables or disables verification of OCSP responses by the server.

For verification to work, the certificate of the server certificate issuer, the root certificate, and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.

In other words, you need provide (2) Intermediate CA Bundle (RapidSSL SHA256 CA - G3) and (3) Intermediate CA Bundle (GeoTrust Global CA) to ssl_trusted_certificate directive.

cat GeoTrustGlobalCA.crt rapidsslG3.crt > ocsp-chain.crt

and add ocsp-chain.crt to ssl_trusted_certificate directive.

Best Answer

Related Solutions

How to Force or Redirect to SSL in Nginx

Nginx – OCSP validation – unable to get local issuer certificate

Related Topic