I am using Kong API Gateway (built on top of nginx). I configured client certificate authentication in nginx.conf:
ssl on;
ssl_certificate ${{SSL_CERT}};
ssl_certificate_key ${{SSL_CERT_KEY}};
ssl_protocols TLSv1.1 TLSv1.2;
ssl_client_certificate ${{SSL_CLIENT_CA_CERT_CHAIN}};
ssl_trusted_certificate ${{SSL_CLIENT_CA_CERT_CHAIN}};
ssl_verify_client optional;
ssl_verify_depth 2;
I get the error below on making a request with client certs:
HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 237
Content-Type: text/html; charset=UTF-8
Date: Wed, 07 Aug 2019 05:15:02 GMT
Server: openresty/1.13.6.2
400 The SSL certificate error
400 Bad Request
The SSL certificate error
openresty/1.13.6.2
Nginx error log has details below:
2019/08/07 05:15:02 [info] 2886#0: *86 client SSL certificate verify error: (25:path length constraint exceeded) while reading client request headers
I have been using the same setup with an older version of Kong (and nginx) and it used to work just fine. Any idea how do I go about fixing it?
Manually verifying the client cert with openssl verify -CAfile {SSL_CLIENT_CA_CERT_CHAIN} {CLIENT_CERT}
returns OK status.
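
Error 25 in the log above is OpenSSL's X509_V_ERR_PATH_LENGTH_EXCEEDED: a CA certificate in the chain has a basicConstraints pathlen that permits fewer CA certificates beneath it than the chain contains. The script below is an added example, not part of the original post. It builds a constructed three-level chain (all names, keys and files are hypothetical) to show how to list each CA's pathlen in a bundle and what the verifier reports when the root's limit is 0 versus 1.

```shell
# Constructed demo: throwaway root -> intermediate -> leaf chain. All names,
# keys and files are made up; nothing here comes from the poster's setup.

issue() {  # issue <dir> <name> <ext-section> [issuer]; no issuer = self-signed
  local d="$1" name="$2" ext="$3" issuer="$4"
  openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
    -subj "/CN=Demo $name" -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  if [ -n "$issuer" ]; then
    set -- -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" -CAcreateserial
  else
    set -- -signkey "$d/$name.key"
  fi
  openssl x509 -req -in "$d/$name.csr" -days 1 "$@" \
    -extfile "$d/demo.cnf" -extensions "$ext" -out "$d/$name.pem" 2>/dev/null
}

make_chain() {  # make_chain <dir> <pathlen to put in the root CA>
  local d="$1"
  cat > "$d/demo.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
CN = overridden-by-subj
[root_ext]
basicConstraints = critical,CA:TRUE,pathlen:$2
[inter_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
EOF
  issue "$d" root root_ext
  issue "$d" inter inter_ext root
  issue "$d" leaf leaf_ext inter
  cat "$d/inter.pem" "$d/root.pem" > "$d/chain.pem"  # CA bundle
}

show_constraints() {  # subject + basicConstraints of every cert in a bundle
  openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -text -noout | grep -E 'Subject:|CA:(TRUE|FALSE)'
}

verify_leaf() {  # the post's manual check: openssl verify -CAfile <chain> <cert>
  openssl verify -CAfile "$1/chain.pem" "$1/leaf.pem" 2>&1 || true
}

tight=$(mktemp -d); make_chain "$tight" 0  # root allows no intermediate CA
loose=$(mktemp -d); make_chain "$loose" 1  # root allows one intermediate CA
show_constraints "$tight/chain.pem"
verify_leaf "$tight"; verify_leaf "$loose"  # error 25, then OK
```

Running `show_constraints` against the real file behind `SSL_CLIENT_CA_CERT_CHAIN` shows which CA, if any, carries a pathlen limit.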