
We have an nginx setup running on Docker.

  • nginx version: 1.13.11
  • OpenSSL version: 1.1.1
  • Docker OS image: Ubuntu 18.04.2 LTS container, running on an AWS EC2 instance with Ubuntu 18.04.6 LTS (Bionic Beaver)

In the nginx site config, we've specified the following:

    ssl_certificate        /etc/ssl/certs/star.a.chain.crt;
    ssl_certificate_key    /etc/ssl/private/star.a.key;
    ssl_verify_client      optional_no_ca;
    ssl_verify_depth       5;
    ssl_client_certificate /etc/ssl/certs/a-rootca.pem;

For testing, we run:

    curl -k -v 3 -trace --cacert ./cacert.crt https://staging-www.a.com/path

Output:

*   Trying 0.0.0.3:80...
* TCP_NODELAY set
* Immediate connect fail for 0.0.0.3: No route to host
* Closing connection 0
curl: (7) Couldn't connect to server
*   Trying 184.72.12.XX:443...
* TCP_NODELAY set
* Connected to staging-www.a.com (xx.xx.xx.xx) port 443 (#1)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: ./cacert.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=XXXXXXXXXX; O=XXXXXXXXXX; OU=a; CN=*.a.com
*  start date: Jun  2 18:11:13 2016 GMT
*  expire date: May 30 18:11:13 2031 GMT
*  issuer: C=US; ST=California; O=XXXXXXXXXX; OU=XXXXXXXXXX; CN=XXXXXXXXXX Certification Authority; emailAddress=XXXXXXXXXX
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /path
> Host: staging-www.a.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.13.11
< Date: Thu, 11 Aug 2022 04:50:51 GMT
< Content-Type: application/octet-stream
< Content-Length: 0
< Connection: keep-alive
< Content-Type: text/plain
< X-DEBUG-SSLCLIENTVERIFY: NONE
< X-DEBUG-docroot: /usr/local/openresty/nginx/html

We've added the nginx variable ssl_client_verify to a response header for debugging, and the output shows that it is NONE. As we've submitted the cert in the curl command, we've been scratching our heads trying to understand why. One thing we noticed is the following lines in the debug log:

2022/08/10 18:58:36 [debug] 206#206: *190 SSL_get_error: 6
2022/08/10 18:58:36 [debug] 206#206: *190 peer shutdown SSL cleanly

Can someone please help? Thx!

skwokie
  • "we've submitted the cert" -- **no you didn't**. `curl ... --cacert` specifies the cert(s) to be used (as CA or selfsigned) to verify the _server_ cert (which per the log fails but your `-k` ignores it); they do NOT supply a client cert. See the man page under the `--cert` (note spelling) or `-E` and `--key` options. Note the client needs as actual data the cert (which must be issued under the CA cert you specify to nginx as ssl_client_certificate) possibly a chain cert or certs depending on your CA AND the privatekey, which might or might not be in one _file_. – dave_thompson_085 Aug 12 '22 at 13:26
