操作系统:CentOS 7
南方周末:Nginx
现有的东西
> dhparam.pem
> mydomain.com.crt
> mydomain.com.csr
> mydomain.com.key
问题:
我正在尝试通过创建客户端证书来创建客户端验证,然后使用Nginx将一个服务器请求验证到我的目标服务器.但是我经常收到400 Bad Request – 没有发送所需的SSL证书错误消息.我究竟做错了什么?这是我做的:
> openssl genrsa -out client.key 4096
> openssl req -new -key client.key -out client.csr
> openssl x509 -req -days 365 -sha256 -in client.csr -CA mydomain.com.crt -CAkey client.key -set_serial 2 -out client.crt
每个命令都成功运行,但错误仍然存在.同样在我的Nginx中,在目标服务器上,我有:
Nginx配置:
server {listen 80;listen 443 ssl;ssl_dhparam /etc/Nginx/ssl/dhparam.pem;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_prefer_server_ciphers on;ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";ssl_certificate /etc/Nginx/ssl/mydomain.com.crt;ssl_certificate_key /etc/Nginx/ssl/mydomain.com.key;ssl_client_certificate /etc/Nginx/ssl/client.crt;ssl_verify_client optional;server_name uploads.mydomain.com;root /var/www/html/com.mydomain.uploads/public;error_log /var/log/Nginx/mydomain.com/error.log;access_log /var/log/Nginx/mydomain.com/access.log main;index index.PHP;rewrite ^/index\.PHP?(.*)$/$1 permanent;location / {try_files $uri @rewrite;}location @rewrite {rewrite ^(.*)$/index.PHP/$1 last;}location ~ ^/index.PHP(/|$) {fastcgi_pass unix:/var/run/PHP-fpm/uploads.sock;fastcgi_split_path_info ^(.+\.PHP)(/.*)$;include fastcgi_params;fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;}}
最佳答案
