Opened 7 years ago
Closed 7 years ago
#1310 closed defect (duplicate)
SSL proxy - CRL verification error
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | other | Version: | 1.13.x |
| Keywords: | | Cc: | |

uname -a: `Linux d237ad392de9 4.9.31-moby #1 SMP Sat Jun 24 06:29:23 UTC 2017 x86_64 GNU/Linux`

nginx -V:

```
built with OpenSSL 1.1.0e 16 Feb 2017 (running with OpenSSL 1.1.0f 25 May 2017)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.13.1/debian/debuild-base/nginx-1.13.1=. -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
```
Description
This is mostly a duplicate of: https://trac.nginx.org/nginx/ticket/344
But the proposed solution does not work.
I have CRLs for all the certificates I have defined in 'ssl_client_certificate'.
My certificates:
EE Certification Centre Root CA https://sk.ee/upload/files/EE_Certification_Centre_Root_CA.pem.crt
EID-SK 2011 https://sk.ee/upload/files/ESTEID-SK_2011.pem.crt
ESTEID-SK 2011 https://sk.ee/upload/files/ESTEID-SK_2011.pem.crt
ESTEID-SK 2015 https://sk.ee/upload/files/ESTEID-SK_2015.pem.crt
My CRL file consists of these CRLs, converted to PEM and concatenated:
http://www.sk.ee/crls/eeccrca/eeccrca.crl
http://www.sk.ee/repository/crls/eid2011.crl
http://www.sk.ee/repository/crls/esteid2011.crl
http://www.sk.ee/crls/esteid/esteid2015.crl
converted like this:
openssl crl -in "eeccrca.crl" -out "eeccrca.crl" -inform DER
In error_log I'm getting:
"client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers"
Error log with debug level output: https://paste.ngx.cc/de
If I test my client certificate manually from the command line, everything works fine (mycert.cer is the cert I get from the browser; it is issued by "ESTEID-SK 2015"):
openssl verify -crl_check -CAfile ca.crl mycert.cer
Config:
```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name id.test.dev;

    access_log /var/log/nginx/p443id.access.log;
    error_log  /var/log/nginx/p443id.error.log info;

    include conf/_ssl.conf;
    ssl_crl                /etc/nginx/cert/crl/ca.crl;
    ssl_client_certificate /etc/nginx/cert/eid.crt;
    ssl_verify_client      on;
    ssl_session_cache      off;
    ssl_verify_depth       2;

    location / {
        expires -1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header SSL-CLIENT-VERIFY $ssl_client_verify;
        #proxy_set_header SSL-CLIENT-CERT $ssl_client_cert;
        proxy_set_header SSL-CLIENT-S-DN $ssl_client_s_dn;
        proxy_set_header SSL-CLIENT-V-START $ssl_client_v_start;
        proxy_set_header SSL-CLIENT-V-END $ssl_client_v_end;
        proxy_set_header SSL-CLIENT-I-DN $ssl_client_i_dn;
        # Fix the “It appears that your reverse proxy set up is broken" error.
        proxy_pass http://localhost:8088;
        proxy_read_timeout 90;
        proxy_redirect http://localhost:8088 $host;
    }
}
```
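The check below is an added example, not code from the ticket or from nginx: it lists every CA in the `ssl_client_certificate` bundle for which the concatenated `ssl_crl` file holds no CRL issued by that CA, and it assumes only the `openssl` command-line tool. With `ssl_crl` set, nginx verifies the client chain with `X509_V_FLAG_CRL_CHECK_ALL`, so every issuer in the chain, the self-signed root included, needs its own CRL in that file or the handshake fails with verify error 3; `openssl verify -crl_check` (without `-crl_check_all`) only looks up the leaf's CRL, which is why a manual test can pass while nginx rejects the certificate.

```shell
#!/bin/sh
# crl_coverage.sh: list CA certificates in an nginx ssl_client_certificate
# bundle that have no CRL in the concatenated ssl_crl file.
# Added example (not from the ticket or from nginx); needs only the openssl CLI.
# nginx checks CRLs for the whole chain (CRL_CHECK_ALL), so a CA without a CRL
# here yields "unable to get certificate CRL" (OpenSSL verify error 3).

# Write each PEM block of type $2 found in $1 to $3/$4<n>.pem.
split_pem() {  # $1=file $2=marker ("CERTIFICATE" or "X509 CRL") $3=dir $4=prefix
    awk -v m="$2" -v d="$3" -v p="$4" '
        $0 == ("-----BEGIN " m "-----") { n++; f = d "/" p n ".pem" }
        f != "" { print > f }
        $0 == ("-----END " m "-----")   { close(f); f = "" }' "$1"
}

# Print the subject of every CA in $1 for which $2 holds no CRL issued by it.
# Returns 0 when every CA is covered, 1 otherwise.
crls_missing() {  # $1=ssl_client_certificate file  $2=ssl_crl file
    tmp=$(mktemp -d) || return 1
    split_pem "$1" "CERTIFICATE" "$tmp" ca
    split_pem "$2" "X509 CRL" "$tmp" crl
    # Collect the issuer name of every CRL, one per line, as openssl prints it.
    issuers=""
    for c in "$tmp"/crl*.pem; do
        [ -f "$c" ] || break
        issuers="$issuers
$(openssl crl -in "$c" -noout -issuer | sed 's/^issuer=//')"
    done
    rc=0
    for c in "$tmp"/ca*.pem; do
        [ -f "$c" ] || break
        subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject=//')
        # Exact match of the printed names: subject and issuer both come from
        # the same openssl build, so their formatting is consistent.
        if ! printf '%s\n' "$issuers" | grep -qxF -- "$subj"; then
            printf '%s\n' "$subj"
            rc=1
        fi
    done
    rm -rf "$tmp"
    return $rc
}

# Usage: sh crl_coverage.sh /etc/nginx/cert/eid.crt /etc/nginx/cert/crl/ca.crl
# Prints the uncovered CA subjects (exit 1) or confirms full coverage (exit 0).
if [ $# -eq 2 ]; then
    crls_missing "$1" "$2" && echo "every CA in $1 has a CRL in $2"
fi
```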
Change History (2)
comment:1 by , 7 years ago

'conf/_ssl.conf' content is as follows. Forgot to include in original ticket:

comment:2 by , 7 years ago

| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |

See ticket #1094 (in particular, this comment): there is a problem with the root certificate CRL.