Hi.
I’m trying to get nginx 1.6.2 to authenticate users using their client certificates.
I’m using this configuration (besides the usual SSL settings, which are proven to work):
ssl_stapling on;
ssl_client_certificate /etc/nginx/certs/trusted.pem;
ssl_verify_client optional_no_ca;
trusted.pem contains 3 CA certificates: the test CA and 2 production CAs (main and intermediate).
To pass verification data to the application I’m using:
fastcgi_param X-SSL-Verified $ssl_client_verify;
fastcgi_param X-SSL-Certificate $ssl_client_cert;
fastcgi_param X-SSL-IDN $ssl_client_i_dn;
fastcgi_param X-SSL-SDN $ssl_client_s_dn;
And here comes the issue: when using the test CA and test certificate, I’m getting X-SSL-Verified: SUCCESS, but when using the production ones, I’m getting X-SSL-Verified: FAILED. You could say that there’s a problem in my certificate bundle, but I tried to verify that the production certificate is really issued by the CA that I think it is:
openssl verify -verbose -CAfile trusted.pem rt.cert
rt.cert: OK
Looks like it passes the verification. trusted.pem is the same file that nginx uses. At the same time, nginx thinks that the certificate doesn’t pass the test.
Why can this happen? I’ve also tried setting ‘ssl_verify_client on;’; the only difference is that I get a 400 answer, because the verification fails explicitly.
Thanks.
Posted at Nginx Forum:
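One thing the command-line check above does not reproduce is nginx's chain-depth limit: openssl verify defaults to a much larger depth than nginx's ssl_verify_depth (default 1), and how intermediates are counted against that number differs between OpenSSL releases, so the two checks are only comparable when -verify_depth is passed explicitly. The script below is an added example, not from the post: it builds a throw-away root/intermediate/client chain (all subject names are constructed) and verifies the client certificate against the combined bundle with the default depth and then with -verify_depth 0.

```shell
#!/bin/sh
# Added example (not from the post): compare openssl verify with and without a
# chain-depth limit on a constructed root -> intermediate -> client chain.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# EC keys keep generation fast; output is silenced to keep the run readable.
gen_key() { openssl ecparam -genkey -name prime256v1 -noout -out "$1" 2>/dev/null; }

make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    # Self-signed root CA (constructed name).
    gen_key root.key
    openssl req -new -key root.key -out root.csr -subj "/CN=Example Root" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 1 \
        -extfile ca.ext 2>/dev/null
    # Intermediate CA signed by the root.
    gen_key int.key
    openssl req -new -key int.key -out int.csr -subj "/CN=Example Intermediate" 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out int.pem -days 1 -extfile ca.ext 2>/dev/null
    # Client certificate signed by the intermediate.
    gen_key client.key
    openssl req -new -key client.key -out client.csr -subj "/CN=client" 2>/dev/null
    openssl x509 -req -in client.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -out client.pem -days 1 2>/dev/null
    # Same shape as the post's trusted.pem: root and intermediate in one bundle.
    cat root.pem int.pem > trusted.pem
}

# verify_leaf [depth]: prints OK or FAILED; no argument means openssl's default depth.
verify_leaf() {
    if [ -n "${1:-}" ]; then set -- -verify_depth "$1"; else set --; fi
    if openssl verify "$@" -CAfile trusted.pem client.pem 2>&1 | grep -q 'client.pem: OK'; then
        echo OK
    else
        echo FAILED
    fi
}

make_chain
echo "default depth:  $(verify_leaf)"    # OK
echo "verify_depth 0: $(verify_leaf 0)"  # FAILED: the intermediate exceeds the limit
```

Run it with the depth value nginx is configured with to see whether the CLI result still matches what the server reports.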