I want to force SSL client verification for one of my virtual hosts, but I get a "No required SSL certificate was sent" error when trying to GET something from it.
Here are my test configs:
    # defaults
    ssl_certificate        /etc/certs/server.cer;
    ssl_certificate_key    /etc/certs/privkey-server.pem;
    ssl_client_certificate /etc/certs/allcas.pem;

    server {
        listen      1443 ssl;
        server_name server1.example.com;
        root        /tmp/root/server1;
        ssl_verify_client off;
    }

    server {
        listen      1443 ssl;
        server_name server2.example.com;
        root        /tmp/root/server2;
        ssl_verify_client on;
    }
The first server replies with HTTP code 200, but the second returns "400 Bad Request, No required SSL certificate was sent, nginx/1.0.4".
Is it perhaps impossible to use ssl_verify_client on the same IP? Should I bind these servers to different IPs, and will that solve my problem?
I ran into a similar problem, but looking to distinguish the ssl_verify_client settings between location blocks within a server block, rather than between server blocks. You could probably solve your problem by moving the default ssl config stuff into the two servers (duplicating it, sure), or put them all in one server block, accept the multiple sub-domains, and use locations.

For the location-based solution, the following looks like it works. Use

    ssl_verify_client optional;

in the server block, and use if-statements in the various locations, e.g.:

    if ($ssl_client_verify != SUCCESS) { return 403; }

I needed to do this to give admin access to a webapp, yet still allow webhooks from GitHub without giving GitHub a client SSL cert.
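The layout this answer describes, written out as one complete server block (an added example, not the answer's own config); the hostname, certificate paths, location prefixes and the upstream address are assumptions.

```nginx
# Added example: one SNI host, "optional" client verification negotiated for
# the whole server, enforcement decided per location.
# app.example.com, the /etc/certs paths, /admin/, /hooks/github and the
# 127.0.0.1:8080 upstream are placeholders.
server {
    listen      443 ssl;
    server_name app.example.com;

    ssl_certificate        /etc/certs/server.cer;
    ssl_certificate_key    /etc/certs/privkey-server.pem;
    ssl_client_certificate /etc/certs/allcas.pem;   # CAs that issue client certs
    ssl_verify_depth       2;

    # Request a client certificate but complete the handshake even if none is
    # sent. The outcome is exposed in $ssl_client_verify as "SUCCESS", "NONE"
    # or "FAILED..." and can be checked per location.
    ssl_verify_client optional;

    # Admin UI: only reachable with a certificate that chains to allcas.pem.
    # "if ... return" is one of the forms of "if" that is safe inside location.
    location /admin/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;
        # Hand the verified subject DN to the application for its audit log.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }

    # Webhook endpoint: the third party cannot hold one of our client certs,
    # so no certificate check here; the application must authenticate the
    # webhook payload itself (e.g. a shared-secret signature).
    location /hooks/github {
        proxy_pass http://127.0.0.1:8080;
    }

    location / {
        root /var/www/app;
    }
}
```

Requests to /admin/ without a certificate, or with one that does not chain to allcas.pem, get a 403 from nginx rather than a TLS handshake failure, which is easier to log and debug than the 400 seen in the question.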
You need to upgrade to at least nginx >= 1.0.9 if you want to have multiple name-based virtual hosts (using SNI) on the same IP address and port, but with different ssl_verify_client settings for these hosts. In older nginx versions the ssl_verify_client setting for the default virtual host was used for all other name-based virtual hosts on the same IP+port combination. Some other SSL options (ssl_verify_depth, ssl_prefer_server_ciphers) were also handled in the same way. Using a separate IP or port could be a workaround if you absolutely cannot upgrade.

Note from the nginx changelog for 1.0.9:
Relevant changes in the nginx source: r4034 in trunk, r4246 in the 1.0 branch.
Have you loaded the client certificate (in PKCS12 format) signed by the CA "/etc/certs/allcas.pem" into your browser? In Firefox, you can check your client certificates by going to Preferences -> Advanced -> Encryption -> View Certificates -> Your Certificates.
The value of the parameter "ssl_verify_client" is "off" by default. You can also use the value "optional" if the SSL client certificate is not mandatory.
I'm not an nginx expert, but I've seen similar problems with apache using SSL and virtual hosts. The problem is the order in which the server handles the SSL negotiation versus the choice of virtual host. The first step is to establish the encrypted connection, and only after that is done does the server see what hostname you're asking for. And up until it does know, it will use the default setting - which in this case is the first host, which requires a client certificate in order to establish the SSL connection.
So, short answer - in this case, you'd do better to have either separate ports or separate IP addresses.
I encountered the same problem and found a solution.
Please try adding the default_server flag to the second server.