id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc,uname,nginx_version
301,SSL: client certificate verification not working with intermediate certificates,Jacek L,,"Nginx, during client certificate verification, doesn't correctly support intermediate certificates. My self-created certificates (RootCA is self-signed, IntermediateCA1/2 are signed by RootCA, etc.):
{{{
RootCA -> IntermediateCA1 -> Client1
RootCA -> IntermediateCA2 -> Client2
}}}
I want to use ""IntermediateCA1"" in nginx, to allow access to the site only to the owner of the ""Client1"" certificate. Part of the vhost configuration:
{{{
server {
    listen 443 ssl;
    #(..)
    ssl_client_certificate /path/to/IntermediateCA1.crt; #changed to IntermediateCA1+RootCA, etc.
    ssl_verify_client on;
    ssl_verify_depth 2; #changed to 1,2,3..
    #(..)
}
}}}
When I put a file with **IntermediateCA1 and RootCA** into ""ssl_client_certificate"" and set ""ssl_verify_depth 2"" (or more), clients can log in to the site using both certificates **Client1 and Client2** (it should be only Client1). The result is the same when I put a file with **only RootCA** into ""ssl_client_certificate"": both clients can log in. When I put a file with **only IntermediateCA1** into ""ssl_client_certificate"" and set ""ssl_verify_depth 1"" (or ""2"" or more, no matter), it is impossible to log in; I get error 400. And in debug mode I see the logs:
{{{
verify:0, error:20, depth:1, subject:""/C=PL/CN=IntermediateCA1/emailAddress=cert@asdf.com"",issuer: ""/C=PL/CN=RootCA/emailAddress=cert@asdf.com""
verify:0, error:27, depth:1, subject:""/C=PL/CN=IntermediateCA1/emailAddress=cert@asdf.com"",issuer: ""/C=PL/CN=RootCA/emailAddress=cert@asdf.com""
verify:1, error:27, depth:0, subject:""/C=PL/CN=Client1/emailAddress=cert@asdf.com"",issuer: ""/C=PL/CN=IntermediateCA1/emailAddress=cert@asdf.com""
(..)
client SSL certificate verify error: (27:certificate not trusted) while reading client request headers, (..)
}}}
I think this is a bug.
Tested on Ubuntu, nginx 1.1.19 and 1.2.7-1~dotdeb.1, openssl 1.0.1 and/or 9.0.8. Tested with client certificates with and without a certificate chain (using browser: Chrome). I see that nginx 1.3 has a few more options for using client certificates (e.g. ""optional_no_ca""), but I don't see a solution to this problem there. Currently, the only way to separate clients 1 and 2 is to create two self-signed RootCAs, but this is only a workaround. There should be a possibility to use any intermediate certificate to verify clients with certificates signed by this intermediate certificate. The problem is confirmed by several people: http://stackoverflow.com/questions/8431528/nginx-ssl-certificate-authentication-signed-by-intermediate-ca-chain http://serverfault.com/questions/475180/nginx-and-client-certificates-from-hierarchial-openssl-based-certification-autho",defect,closed,minor,,nginx-core,1.2.x,invalid,ssl client certificate intermediate,,Linux asdf 3.2.0-32-generic #51-Ubuntu SMP Wed Sep 26 21:33:09 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux,"nginx version: nginx/1.2.7 TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-pcre-jit --with-debug --with-file-aio --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_secure_link_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail 
--with-mail_ssl_module --add-module=/usr/src/nginx/source/nginx-1.2.7/debian/modules/nginx-auth-pam --add-module=/usr/src/nginx/source/nginx-1.2.7/debian/modules/nginx-dav-ext-module --add-module=/usr/src/nginx/source/nginx-1.2.7/debian/modules/nginx-echo --add-module=/usr/src/nginx/source/nginx-1.2.7/debian/modules/nginx-upstream-fair --add-module=/usr/src/nginx/source/nginx-1.2.7/debian/modules/nginx-syslog --add-module=/usr/src/nginx/source/nginx-1.2.7/debian/modules/nginx-cache-purge --add-module=/usr/src/nginx/source/nginx-1.2.7/debian/modules/ngx_http_pinba_module --add-module=/usr/src/nginx/source/nginx-1.2.7/debian/modules/ngx_http_substitutions_filter_module"