6

Here's the situation - there's a trasnparent nginx proxy that handles SSL certificates and does it well until we decide to add a revocation list management, required for security reasons. This is when the "ssl_crl" line comes in play and screws up everything.

server {
    listen  80;
    rewrite ^ https://$host$request_uri permanent;
}


server {
    listen 443 ssl;
    server_name example.com;
    ssl on;
    ssl_certificate /home/netadmin/keys/tid.crt;
    ssl_certificate_key /home/netadmin/keys/tid.key;
    ssl_session_cache shared:SSL:10m;
    ssl_client_certificate /home/netadmin/keys/personchain.pem;
    ssl_crl /home/netadmin/keys/personlist.crl;
    ssl_verify_client on;
    ssl_verify_depth 2;
    error_log /var/log/nginx/debug.log debug;

    location / {
            proxy_pass      http://111.111.111.111:80;
    }

The server will always give the "400 Bad Request" error, whenever a user tries to authenticate with SSL. Note that exactly similar (not the same because syntax) config works perfectly in Apache. Now the certificates are flawless, which was proven many times, here's verification check, for example

openssl crl -CAfile personchain.pem -inform PEM -in personlist.crl -lastupdate -nextupdate -noout
verify OK
lastUpdate=Apr 22 14:59:18 2013 GMT 
nextUpdate=Apr 29 14:59:18 2013 GMT

The CRL links are working and there's nothing that looks wrong, here's a piece of the error log.

2013/04/23 15:47:42 [info] 3612#0: *1 client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers, client: 192.168.122.1, server: example.com, request: "GET / HTTP/1.1", host: "example.com"

This is basically the only error there is and, as I stated earlier, the same certificates work with Apache. I thought this might be a bug, but the last notice of similar error is dated 2011 so I doubt nobody had solved this puzzle yet.

Pavel Potatis
  • 130
  • 1
  • 10
  • First step would be to turn on debugging (requires that nginx is built with debug support). To avoid spamming the logs, configure a `debug_connection`. – sendmoreinfo Sep 07 '14 at 20:33

2 Answers2

2

Same answer as here: https://serverfault.com/a/676498/277052: If you have multiple CA you have to concatenate all the CRLs.

You have to concatenate all the CRL in chain: Root CA and Intermediate CAs.

Using openssl crl -in crl_list.crl -noout -text only read the first crl, but nginx reads them correctly and validate the user certificate.

Inspired by: https://www.ruby-forum.com/topic/6874370

Community
  • 1
Nicolas Malbran
  • 96
  • 1
  • 3
0

Does nginx process have read access to that crl? Also is it in the proper pem format and signed by a same ca as root crt?

Example: 

$ openssl crl -text -noout -in personlist.crl

Reference: http://www.apacheweek.com/features/crl

slm
  • 7,355
  • 16
  • 54
  • 72