We have an nginx setup running on Docker.
- nginx version: 1.13.11
- openssl version 1.1.1
- Docker OS image: Ubuntu 18.04.2 LTS container, running on an AWS EC2 instance running 18.04.6 LTS (Bionic Beaver)
In the nginx site config, we've specified the following:
    ssl_certificate /etc/ssl/certs/star.a.chain.crt;
    ssl_certificate_key /etc/ssl/private/star.a.key;
    ssl_verify_client optional_no_ca;
    ssl_verify_depth 5;
    ssl_client_certificate /etc/ssl/certs/a-rootca.pem;
For testing, we run:
    curl -k -v 3 -trace --cacert ./cacert.crt https://staging-www.a.com/path
Output:
* Trying 0.0.0.3:80...
* TCP_NODELAY set
* Immediate connect fail for 0.0.0.3: No route to host
* Closing connection 0
curl: (7) Couldn't connect to server
* Trying 184.72.12.XX:443...
* TCP_NODELAY set
* Connected to staging-www.a.com (xx.xx.xx.xx) port 443 (#1)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: ./cacert.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=California; L=XXXXXXXXXX; O=XXXXXXXXXX; OU=a; CN=*.a.com
* start date: Jun 2 18:11:13 2016 GMT
* expire date: May 30 18:11:13 2031 GMT
* issuer: C=US; ST=California; O=XXXXXXXXXX; OU=XXXXXXXXXX; CN=XXXXXXXXXX Certification Authority; emailAddress=XXXXXXXXXX
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /path
> Host: staging-www.a.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.13.11
< Date: Thu, 11 Aug 2022 04:50:51 GMT
< Content-Type: application/octet-stream
< Content-Length: 0
< Connection: keep-alive
< Content-Type: text/plain
< X-DEBUG-SSLCLIENTVERIFY: NONE
< X-DEBUG-docroot: /usr/local/openresty/nginx/html
We've added the nginx variable ssl_client_verify to a header for debugging, and the output shows that it is NONE. As we've submitted the cert in the curl command, we've been scratching our heads trying to understand why. One thing we noticed is the following lines in the debug log:
2022/08/10 18:58:36 [debug] 206#206: *190 SSL_get_error: 6
2022/08/10 18:58:36 [debug] 206#206: *190 peer shutdown SSL cleanly
Can someone please help? Thx!
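An added shell example (not from the original question) for exercising this setup: curl's --cacert only sets the CA bundle used to verify the server's chain, while a client certificate is presented with --cert and --key, and the helper below maps the $ssl_client_verify value nginx echoes in the debug header (NONE, SUCCESS or FAILED:reason) to what it means under optional_no_ca. The URL, file paths and header name are assumptions taken from the question; the sample headers in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the vhost from the
# question carries: add_header X-DEBUG-SSLCLIENTVERIFY $ssl_client_verify always;
# Certificate file names and the URL are placeholders.

# Fetch only the response headers while presenting a client certificate.
# --cacert verifies the *server*; --cert/--key present the *client* certificate.
mtls_headers() {
    url=$1; client_cert=$2; client_key=$3; ca_bundle=$4
    curl -sS -o /dev/null -D - \
        --cacert "$ca_bundle" \
        --cert "$client_cert" --key "$client_key" \
        "$url"
}

# Read response headers on stdin and print one diagnostic line for the
# $ssl_client_verify value found in X-DEBUG-SSLCLIENTVERIFY.
# Constructed sample input: "X-DEBUG-SSLCLIENTVERIFY: NONE\r\n"
diagnose_client_verify() {
    value=$(tr -d '\r' \
        | grep -i '^x-debug-sslclientverify:' \
        | head -n 1 \
        | cut -d: -f2- \
        | sed 's/^ *//')
    case "$value" in
        SUCCESS)
            echo "verified: client cert chains to ssl_client_certificate within ssl_verify_depth" ;;
        NONE)
            echo "no-cert: client sent no certificate; pass --cert/--key to curl (--cacert only verifies the server)" ;;
        FAILED:*)
            # optional_no_ca finishes the handshake anyway; the app must check this value.
            echo "unverified (${value#FAILED:}): cert presented but not trusted, accepted only because of optional_no_ca" ;;
        "")
            echo "no-header: add_header with \$ssl_client_verify is not active for this location" ;;
        *)
            echo "unexpected ($value)" ;;
    esac
}

# Typical use against the staging host from the question:
# mtls_headers https://staging-www.a.com/path client.crt client.key ./cacert.crt \
#     | diagnose_client_verify
```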