I want to set up Nginx for SSL termination. All requests with valid client certificates will be terminated at Nginx and forwarded to the backend app. I have the following Nginx configuration:
    upstream app {
        server app:8080;
    }

    server {
        listen 443 ssl;
        server_name localhost;

        # server certificate and key presented to connecting clients
        ssl_certificate /etc/ssl/cert_example_com.crt;
        ssl_certificate_key /etc/ssl/cert_example_com.key;

        # CA certificate(s) used to verify the client certificate
        ssl_client_certificate /etc/ssl/ca.crt;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;

        # reject any client that does not present a verifiable certificate
        ssl_verify_client on;

        location / {
            proxy_pass http://app;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
    }
All these certificates are generated using a private CA, and clients are provided with a certificate to connect to the backend.
For /etc/ssl/app_domain_com.crt:
Do I need to include the entire certificate chain (certificate + intermediate certificate + root CA certificate) in this file, or just the certificate?
I tried the following:
/etc/ssl/cert_example_com.crt contains only the server certificate.
/etc/ssl/cert_example_com.key contains the server key.
/etc/ssl/ca.crt contains the intermediate CA certificate (not the root CA).
and on the client side:
client.crt contains only the client certificate.
client.key contains the client key.
Tested with curl -k --cert client.crt --key client.key --header "Content-Type: application/json" --request POST .....
But I got the following error:
<head><title>400 The SSL certificate error</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>nginx/1.19.10</center>
</body>
I also tried with client.crt containing Client Certificate + Intermediate CA + Root CA (in this order) and got the same error as above.
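Which contents of the trust store file let a client certificate validate can be checked offline with the openssl CLI before touching nginx. The script below is an added example, not part of the original question: it builds a throwaway root -> intermediate -> client PKI in a temporary directory, and the names root, inter, client, the store_*.crt bundles and the chain_ok helper are the example's own.

```shell
#!/bin/sh
# Constructed example: a throwaway PKI plus `openssl verify` runs. The STORE
# file plays the role of nginx's ssl_client_certificate (the only trust
# anchors); EXTRA plays the role of the chain a curl client sends along with
# its leaf certificate. Needs only the openssl command-line tool.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext

# issue NAME ISSUER EXTFILE: make a key + CSR for NAME and sign it with ISSUER
# (self-signed when ISSUER is empty), applying the extensions in EXTFILE.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ -z "$2" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile "$3" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
      -days 30 -extfile "$3" -out "$1.crt" 2>/dev/null
  fi
}
issue root "" ca.ext        # self-signed root CA
issue inter root ca.ext     # intermediate CA signed by the root
issue client inter leaf.ext # client certificate signed by the intermediate

cat inter.crt > store_inter_only.crt          # the post's ca.crt: intermediate only
cat inter.crt root.crt > store_inter_root.crt # intermediate plus root
cat inter.crt root.crt > client_extra.crt     # chain the post's second attempt appended

# chain_ok STORE [EXTRA]: prints 1 if client.crt validates with STORE as the
# only trust anchors and EXTRA as untrusted chain certificates supplied by the
# client; prints 0 when OpenSSL rejects the chain (the situation in which nginx
# answers "400 The SSL certificate error").
chain_ok() {
  if [ -n "$2" ]; then extra="-untrusted $2"; else extra=""; fi
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" $extra client.crt >/dev/null 2>&1
  then echo 1; else echo 0; fi
}

echo "store=intermediate only, client sends leaf only:  $(chain_ok store_inter_only.crt)"
echo "store=intermediate only, client sends full chain: $(chain_ok store_inter_only.crt client_extra.crt)"
echo "store=root only,         client sends leaf+inter: $(chain_ok root.crt inter.crt)"
echo "store=intermediate+root, client sends leaf only:  $(chain_ok store_inter_root.crt)"
```

The verifying side builds the chain from the trust anchors in ssl_client_certificate plus whatever the client sends, and accepts it only if it ends at a self-signed root that is in that file; ssl_verify_depth separately caps how many intermediates such a chain may contain.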