I am looking at using the open-source version of nginx as a reverse proxy with upstreams for secure file serving, using Docker and self-signed certs, where I can run a script on clients and pull down a file. I can get it all to work until I apply "ssl_verify_client on;"; then my curl, wget and PowerShell attempts fail. My guess is that somehow I'm not generating or registering the certs correctly, so the trust chain isn't maintained.
I've throttled back to see if I can get it to work without the upstreams or Docker (i.e., trying only to hit the reverse proxy in a VM), with the same results: it works until I set "ssl_verify_client on;".
I've added my PEMs to ca-certificates on the client and run "update-ca-certificates" (should I have done this on the server?).
Example of curl (gets "400 No required SSL certificate was sent"): curl -v -s --key client.key --cert client.crt --cacert client.pem https://mysite.dyndns.org/file.txt -o /home/user/Desktop/file.txt
Trying to diagnose the problem, I try: "openssl s_client -connect mysite.dyndns.org:443" and get: verify error:num=20:unable to get local issuer certificate
Am happy to post my nginx.conf, how I am generating certs, but figured initially would ask:
Is what I'm trying to do feasible? Can curl, wget, or powershell work with self signed certs (as opposed to purchased ones)?
Is it a problem to use dyndns (it works without the verify on)?
If it looks like I have a problem with my cert generation, can someone suggest a link to a how-to (I've been trying https://jamielinux.com/docs/openssl-certificate-authority/ and Nate Good's site)? Is "LetsEncrypt" the "right answer"?
I know I may need to post more detail on commands/configs used etc. Any help appreciated. Thx!
0 Answers
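The setup the question describes (private CA, server cert for the dyndns name, client cert, nginx with "ssl_verify_client on;", curl with --cert/--key/--cacert) as an added, self-contained example; this is not the asker's script or config, and everything except the hostname mysite.dyndns.org (the working directory, subject names, filenames, the nginx server block) is an assumption. It builds the three certificates with openssl and then runs the two checks each side will perform: nginx validates the client cert against the file named in ssl_client_certificate, and curl validates the server cert against the file named in --cacert. Both must be the CA that did the signing, which is why pointing --cacert at the client cert reproduces "unable to get local issuer certificate".

```shell
#!/bin/sh
# Added example, not code from the original post: private CA + server cert +
# client cert with openssl, then the two chain checks nginx and curl will do.
# WORKDIR, subject names and the nginx block below are assumptions.
set -eu
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-mysite.dyndns.org}"   # hostname from the question
CNF="$WORKDIR/ca.cnf"

# Minimal openssl config so the CA cert really is a CA (basicConstraints
# CA:TRUE, keyCertSign), independent of whatever the distro openssl.cnf says.
write_cnf() {
  printf '%s\n' \
    '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' 'prompt = no' \
    '[dn]' 'CN = placeholder' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' \
    > "$CNF"
}

# sign <name> <extension line>...: sign $name.csr with the CA, adding extensions.
sign() {
  name="$1"; shift
  printf '%s\n' "$@" > "$WORKDIR/$name.ext"
  openssl x509 -req -in "$WORKDIR/$name.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 \
    -extfile "$WORKDIR/$name.ext" -out "$WORKDIR/$name.crt" 2>/dev/null
}

make_pki() {
  write_cnf
  # 1. Private CA: this one cert is what BOTH sides must trust.
  openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 365 \
    -subj '/CN=Private Test CA' \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
  # 2. Server cert: the SAN must match the name curl connects to.
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
  sign server "subjectAltName = DNS:$HOST" "extendedKeyUsage = serverAuth"
  # 3. Client cert signed by the same CA: this is what curl --cert presents.
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
    -subj '/CN=file-fetch-client' \
    -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" 2>/dev/null
  sign client "extendedKeyUsage = clientAuth"
}

# What nginx does with "ssl_verify_client on; ssl_client_certificate ca.crt".
nginx_side_check() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/client.crt" >/dev/null 2>&1
}
# What curl does with "--cacert ca.crt": chain plus hostname match.
curl_side_check() {
  openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$HOST" \
    "$WORKDIR/server.crt" >/dev/null 2>&1
}
# Negative control: using the client cert as --cacert cannot build the server
# chain, i.e. verify error 20 "unable to get local issuer certificate".
wrong_cacert_check() {
  ! openssl verify -CAfile "$WORKDIR/client.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Assumed nginx server block and matching curl invocation for this PKI.
print_config() {
  cat <<EOF
# nginx: ssl_client_certificate is the CA that signed client.crt,
# not the server's own certificate.
server {
    listen 443 ssl;
    server_name $HOST;
    ssl_certificate        $WORKDIR/server.crt;
    ssl_certificate_key    $WORKDIR/server.key;
    ssl_client_certificate $WORKDIR/ca.crt;
    ssl_verify_client      on;
}
# curl: --cacert is the CA that signed the SERVER cert; --cert/--key is the client pair.
curl --cacert $WORKDIR/ca.crt --cert $WORKDIR/client.crt --key $WORKDIR/client.key \\
     https://$HOST/file.txt -o file.txt
EOF
}

make_pki
nginx_side_check
curl_side_check
wrong_cacert_check
print_config
```

Run it as-is and it prints the nginx block and curl line for the generated files; set WORKDIR to keep the PKI somewhere permanent. The same ca.crt is what belongs in the client's ca-certificates store if you want to drop --cacert; adding the client or server cert there does not help, because the client needs the issuer of the server cert and nginx needs the issuer of the client cert.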