NGINX unable to get issuer certificate

Question

I am using NGINX web server. Configured my site with a setting where user will be challenged to present his certificate when he makes first request to the site by using following setting:

ssl_client_certificate /path/to/ca/cert/ca.crt;
        ssl_verify_client on;

When the user access the site, he gets prompted to present his certificate. but after selecting certificate, he gets following message:

400 Bad Request
The SSL certificate error
nginx/1.12.2

Access log shows: "GET / HTTP/2.0" 400 633 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"

Error log shows: client SSL certificate verify error: (2:unable to get issuer certificate) while reading client request headers, client: 190.130.110.5, server: $xyz.net, request: "GET / HTTP/2.0", host:

running openssl verify -CAfile /etc/nginx/certs/ca.crt /etc/nginx/certs

resulted in following error:

unable to load certificate
140622725740432:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

I am very new to NGINX and short of ideas. please help.

Answer 1

Your client must present all the certificates in the chain bar the root CA to the server.

If your client is a browser, it must have access to the CA certificate which issued the client certificate as well as all other intermediate CA certificates up to but not necessarily including the root CA cert.

When using a command line tool such as OpenSSL, the client certificate file must be a bundle of certificates, which starts with the client certificate and contains all other CA certificates, in order, up to but not necessarily including, the root CA cert.

In both cases, sending the root is optional, but doesn't serve any purpose.

For more information, read RFC 5246 Section 7.4.6, which refers to section 7.4.2 and the certificate_list structure.