
I have a server running on a subdomain configured like so:

server {
  listen 80 default_server;
  listen [::]:80 default_server;

  server_name x.example.com;

  return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl;
  listen [::]:443 ssl;

  <ssl configuration from https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=no&profile=modern>

  ssl_client_certificate /etc/ssl/certs/root-ca.crt;
  ssl_verify_client on;
  ssl_verify_depth 2;

  root /var/www/html;
  index index.html index.htm;

  location / {
    try_files $uri $uri/ =404;
  }
}

Currently, I'm using my own root CA both for the client verification and as the server's main certificate. I'd like to transition to using a Let's Encrypt certificate, but this poses a problem, since the Let's Encrypt verification process will require access to x.example.com/.well-known and will not have a matching client certificate.

I've tried adding a second server block like so, as recommended here, but I haven't been able to get it to work:

server {
  listen 443 ssl;
  listen [::]:443 ssl;

  server_name x.example.com;

  <same Mozilla configuration--I've got it stored as a snippet>

  ssl_verify_client off;

  root /var/www/html;
  index index.html index.htm;

  location /.well-known {
    try_files $uri $uri/ =404;
  }
}

What is an appropriate way to do this?

Scott Colby

1 Answer


Let's Encrypt doesn't look for challenges on HTTPS so you may simply set up something like this:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name x.example.com;

    # try_files needs a document root to resolve the challenge file against;
    # without it this block falls back to nginx's compiled-in default root
    # (see the comments below).
    root /var/www/html;

    location /.well-known {
        try_files $uri $uri/ =404;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    <ssl configuration from https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=no&profile=modern>

    ssl_client_certificate /etc/ssl/certs/root-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    root /var/www/html;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}
Ginnungagap
  • Of course! The chicken-and-egg problem of HTTPS works in my favor here. One note, I did need to add `root /var/www/html;` to the first server block as well. – Scott Colby Dec 27 '16 at 16:43
  • Yes, my bad, you had no root defined in that server block, though I usually have a common folder for all virtual servers so I just include the snippet needed to generate certificates – Ginnungagap Dec 27 '16 at 19:28
  • Yeah, that was an omission on my part in my question. I was leaving the comment to aid others if they come across your answer! :) – Scott Colby Dec 27 '16 at 19:31
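Added here as an example, not part of the question or the answer above: a short Python linter that parses nginx server blocks and reports the two things this thread turns on, namely that the port-80 vhost serves `/.well-known` from a document root instead of redirecting it into the client-certificate vhost, and that the port-443 vhost still has `ssl_verify_client on`. The sample configs it checks are constructed from the ones in the thread (the Mozilla TLS snippet replaced by a comment); the function names and finding texts are my own, and it knows nothing about `include` or an `http`-level `root`.

```python
"""Constructed example: lint nginx config for the ACME-challenge-vs-mTLS layout."""
import re


def tokenize(text):
    """Drop '#' comments, then split into words plus the structural tokens { } ;"""
    text = re.sub(r"#.*", "", text)
    return re.findall(r"[{};]|[^\s{};]+", text)


def parse(tokens, i=0):
    """Recursive-descent parse into (name, args) and (name, args, children) tuples."""
    nodes, cur = [], []
    while i < len(tokens):
        t = tokens[i]
        if t == ";":
            if cur:
                nodes.append((cur[0], cur[1:]))
            cur = []
        elif t == "{":
            children, i = parse(tokens, i + 1)  # i now sits on the matching '}'
            nodes.append((cur[0], cur[1:], children))
            cur = []
        elif t == "}":
            return nodes, i
        else:
            cur.append(t)
        i += 1
    return nodes, i


def servers(tree):
    """Yield the body of every server block, whether top-level or nested under http {}."""
    for node in tree:
        if node[0] == "server":
            yield node[2]
        elif len(node) == 3:
            yield from servers(node[2])


def first_arg(block, name):
    """First argument of the first directive called `name` directly inside `block`."""
    for node in block:
        if node[0] == name:
            return node[1][0]
    return None


def listen_ports(server):
    """Ports from every `listen` directive, handling both '80' and '[::]:80' forms."""
    return {n[1][0].rsplit(":", 1)[-1] for n in server if n[0] == "listen"}


def check(config_text):
    """Return a list of findings; an empty list means the layout is the intended one."""
    findings = []
    for body in servers(parse(tokenize(config_text))[0]):
        ports = listen_ports(body)
        if "80" in ports:
            acme = [n for n in body
                    if n[0] == "location" and n[1][-1].startswith("/.well-known")]
            if not acme:
                findings.append("port 80: no /.well-known location, so the blanket "
                                "redirect sends the HTTP-01 check to the client-cert vhost")
            elif first_arg(acme[0][2], "root") is None and first_arg(body, "root") is None:
                findings.append("port 80: /.well-known has no root in scope; try_files "
                                "resolves against nginx's compiled-in default root")
        if "443" in ports and first_arg(body, "ssl_verify_client") != "on":
            findings.append("port 443: ssl_verify_client is not 'on'; "
                            "the client-certificate requirement is lost")
    return findings


# Constructed inputs built from the configs in the thread.
HTTPS_VHOST = """
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    # (Mozilla TLS snippet goes here)
    ssl_client_certificate /etc/ssl/certs/root-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;
    root /var/www/html;
    index index.html index.htm;
    location / { try_files $uri $uri/ =404; }
}
"""
ORIGINAL = """
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name x.example.com;
    return 301 https://$server_name$request_uri;
}
""" + HTTPS_VHOST
ANSWER_NO_ROOT = """
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name x.example.com;
    location /.well-known { try_files $uri $uri/ =404; }
    location / { return 301 https://$server_name$request_uri; }
}
""" + HTTPS_VHOST
ANSWER_WITH_ROOT = ANSWER_NO_ROOT.replace(
    "location /.well-known", "root /var/www/html;\n    location /.well-known")

if __name__ == "__main__":
    for label, conf in [("question", ORIGINAL), ("answer without root", ANSWER_NO_ROOT),
                        ("answer with root", ANSWER_WITH_ROOT)]:
        print(label, "->", check(conf) or "ok")
```

Run it against the site file (e.g. `python3 lint.py < /etc/nginx/sites-enabled/x.example.com` after adapting the `__main__` block to read stdin) before `nginx -s reload`; it reports the exact omission discussed in the comments, and it flags a port-443 block where `ssl_verify_client` was left at `off` or `optional`, which is the easiest way to lose the mTLS protection while reshuffling server blocks.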