I used openssl to generate the following certificates:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt -subj "/C=IT/ST=Mi/L=Milan/O=MyOrg/OU=RnD/CN=localhost/[email protected]"
openssl rsa -in server.key -out server.insicure.key
cat server.insicure.key > certificate.pem
cat server.crt >> certificate.pem
I then setup nginx to client-secure a site:
server {
listen 80 ssl;
root /var/www/site;
index index.html;
ssl_certificate /root/server.crt;
ssl_certificate_key /root/server.key;
ssl_client_certificate /root/certificate.pem;
ssl_verify_client on;
ssl_verify_depth 2;
location / {
try_files $uri $uri/ =404;
}
}
However, when I try to get the site with curl, it doesn't work as expected:
curl --cacert certificate.pem https://localhost:80
and I get the following error page from nginx:
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx/1.14.0 (Ubuntu)</center>
</body>
</html>
Anything I'm doing wrong? Thanks
You are instructing Nginx to request a client certificate with:
However, you've not told
curlto use one (--cacertonly tellscurlwhere the CA certificate to use to verify the server certificate is located). Nginx therefore correctly tells you that you haven't sent a client certificate.If you only want the server to send a TLS certificate in order to get HTTPS working then simply comment out or remove the two lines above.
If you do want the client to send a certificate, then you should create a CA and use it to issue a client certificate. Give the client certificate and private key to
curl(use--certand--keyrespectively) and configure the CA certificate in Nginx withssl_client_certificate(without the private key!!).This question/answer shows how to create a client certificate using OpenSSL.