nginx – SSL客户端认证

操作系统：CentOS 7

南方周末：Nginx

现有的东西

> dhparam.pem
> mydomain.com.crt
> mydomain.com.csr
> mydomain.com.key

问题：

我正在尝试通过创建客户端证书来创建客户端验证,然后使用Nginx将一个服务器请求验证到我的目标服务器.但是我经常收到400 Bad Request – 没有发送所需的SSL证书错误消息.我究竟做错了什么？这是我做的：

> openssl genrsa -out client.key 4096
> openssl req -new -key client.key -out client.csr
> openssl x509 -req -days 365 -sha256 -in client.csr -CA mydomain.com.crt -CAkey client.key -set_serial 2 -out client.crt

每个命令都成功运行,但错误仍然存在.同样在我的Nginx中,在目标服务器上,我有：

ssl_certificate         /etc/Nginx/ssl/mydomain.com.crt;
ssl_certificate_key     /etc/Nginx/ssl/mydomain.com.key;
ssl_client_certificate  /etc/Nginx/ssl/mydomain.com.crt;

Nginx配置：

server {
    listen 80;
    listen 443 ssl;

    ssl_dhparam /etc/Nginx/ssl/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

    ssl_certificate         /etc/Nginx/ssl/mydomain.com.crt;
    ssl_certificate_key     /etc/Nginx/ssl/mydomain.com.key;
    ssl_client_certificate  /etc/Nginx/ssl/client.crt;

    ssl_verify_client optional;

    server_name uploads.mydomain.com;
    root /var/www/html/com.mydomain.uploads/public;

    error_log /var/log/Nginx/mydomain.com/error.log;
    access_log /var/log/Nginx/mydomain.com/access.log main;

    index index.PHP;

    rewrite ^/index\.PHP?(.*)$/$1 permanent;

    location / {
        try_files $uri @rewrite;
    }

    location @rewrite {
        rewrite ^(.*)$/index.PHP/$1 last;
    }

    location ~ ^/index.PHP(/|$) {
        fastcgi_pass unix:/var/run/PHP-fpm/uploads.sock;
        fastcgi_split_path_info ^(.+\.PHP)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SSL_CLIENT_VERIFY    $ssl_client_verify;
        fastcgi_param SSL_CLIENT_S_DN       $ssl_client_s_dn;
    }
}

最佳答案

这是一个非常愚蠢的错误,现在我为自己感到羞耻.

我认为网站证书与CA证书相同.所以现在我已经创建了新的ca.key和ca.crt文件,并与他们签署了客户证书,瞧.

certificate

上一篇：nginx错误页面和内部指令无法按预期下一篇：调试Nginx缓存未命中：尽管代理有效

nginx – SSL客户端认证

猜你在找的Nginx相关文章