id: 1094
summary: CRL check for Estonian ID cards fails
reporter: edgars.buss.optibet.lv@…
owner:
type: defect
status: closed
priority: major
milestone:
component: nginx-core
version: 1.11.x
resolution: worksforme
keywords:
cc:

description:

Nginx CRL for Estonian ID card fails with error:
{{{
2016/10/04 08:02:13 [info] 7#7: *8 client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers, client: 192.168.2.133, server: site, request: "GET / HTTP/1.1", host: "site"
192.168.2.133 - - [04/Oct/2016:08:02:13 +0000] "GET / HTTP/1.1" 400 231 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
}}}

Relevant config:
{{{
listen 443 ssl;
ssl_certificate /etc/nginx/site.20150819.chained.crt;
ssl_certificate_key /etc/nginx/site.20150819.nopass.key;
ssl_verify_client on;
ssl_verify_depth 2;
ssl_client_certificate /etc/nginx/ee_all_20161004.pem;
ssl_crl /etc/nginx/ee_all_20161004.crl.pem;
}}}

Here are links for certificates and CRLs:
https://sk.ee/en/repository/
https://sk.ee/en/repository/CRL/

I converted the CRLs from DER to PEM and concatenated them into one file in the same order as the client certificate.

Nginx validates the client certificate perfectly if no ssl_crl config is specified, thus disabling use of CRLs.

One note: the combined CRL is more than 50MB in size.

uname:
{{{
Linux nginx-source 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
}}}

nginx_version:
{{{
nginx version: nginx/1.11.4
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.2)
built with OpenSSL 1.1.0b 26 Sep 2016
TLS SNI support enabled
configure arguments: --sbin-path=/usr/local/nginx/nginx --conf-path=/usr/local/nginx/nginx.conf --pid-path=/usr/local/nginx/nginx.pid --with-pcre=../pcre-8.39 --with-zlib=../zlib-1.2.8 --with-http_ssl_module --with-stream --with-mail=dynamic
}}}