Question Nginx Client Authentication SSL

klodoma

New Pleskian
Scenario:
- one domain is secured with a Let's Encrypt SSL certificate. All works well.
- for a specific "location" (e.g. /private) we want to add SSL authentication
- we tried this through Apache, but that always fails because nginx is the proxy
- we would like to generate the client certificates (some reference: Securing Websites With Nginx And Client-Side Certificate Authentication On Linux - Arcweb Technologies)

The PROBLEM:
- ssl_client_certificate is generated by the Let's Encrypt extension. This is renewed every 3 months.
- for our use-case we could use our own self-signed CA, but we cannot add that to the nginx configuration because ssl_client_certificate already exists.

Any ideas on how to get this working? Solutions?

There is an old thread here, but not sure if anyone is still active on it.
Question - SSL Client Authentication Nginx
 
Why is ssl_client_certificate set anyway? In a standard setup, this is rather unnecessary.
Just overwrite that with your (self-made) CA certificate. Or append your certificate.pem to the referenced file.

@Peter Debik This is completely independent from the certificate nginx uses as host key, which requires only ssl_certificate and ssl_certificate_key to be set.
Using a Let's Encrypt certificate as ssl_client_certificate means you can authenticate OCSP responses and other Let's Encrypt users' client certificates. The certificate chain for the former should be appended to the ssl_certificate anyway, and I can't think of any use case for the latter (because everyone can get a Let's Encrypt certificate easily and you shouldn't base any auth just on the existence of one).

So IMO the extension setting ssl_client_certificate would be a bug.
 
I got it working. As I understand it, the client authentication has nothing to do with the HTTPS encryption.

These configs are added in: Additional nginx directives

A very simple config (server CRT only) (add in
Code:
# CA certificate that issued the client certificates (not the server's own certificate)
ssl_client_certificate /etc/ssl/server/mydomain/ca.crt;
# make verification mandatory
ssl_verify_client on;

A more detailed config (CRT + CRL)
Code:
# CA certificate and its certificate revocation list, used to verify client certificates
ssl_crl /etc/ssl/server/mydomain/ca.crl;
ssl_client_certificate /etc/ssl/server/mydomain/ca.crt;
# allow one intermediate CA between the root and the client certificate
ssl_verify_depth 2;

# make verification mandatory
ssl_verify_client on;

# custom error page: 495 = client certificate failed verification, 496 = no client certificate sent,
# 497 = plain HTTP request sent to the HTTPS port
error_page 495 496 497 /error400.html;

There are several online resources on how to generate the certificates, but I used this tutorial; it's very well explained and comprehensive (including intermediates and certificate revocation lists).
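The config above enforces a client certificate for the whole server, which is broader than the original question (only /private) and rejects every request that arrives without a certificate, including public paths such as the ACME challenge that Let's Encrypt renewal depends on. The snippet below is an added example, not code from this thread or from Plesk: it keeps the thread's CA and CRL paths under /etc/ssl/server/mydomain/ but switches to `ssl_verify_client optional` and enforces the result only inside the /private/ location. The location name, the header names and the backend address 127.0.0.1:7080 are assumptions; adjust them to the site's own setup.

```nginx
# Added example: scope client-certificate enforcement to one location.
# Goes into the site's "Additional nginx directives" (i.e. inside the server block).

# CA bundle that issued the client certificates (not the Let's Encrypt host certificate)
ssl_client_certificate /etc/ssl/server/mydomain/ca.crt;
# revocation list for that CA, so revoked client certificates fail verification
ssl_crl                /etc/ssl/server/mydomain/ca.crl;
# allow one intermediate CA between the root and the client certificate
ssl_verify_depth       2;

# "optional": nginx asks for a certificate but completes the handshake without one;
# the per-request outcome is recorded in $ssl_client_verify
# ("SUCCESS", "NONE", or "FAILED:<reason>").
ssl_verify_client optional;

# A presented-but-invalid certificate still aborts with 495 even in optional mode;
# a missing certificate no longer does, so public paths keep working.
error_page 495 /error400.html;

location /private/ {
    # Enforce here: only a successfully verified client certificate may pass.
    if ($ssl_client_verify != SUCCESS) {
        return 403;
    }

    # Hand the verified identity to the backend for authorization decisions.
    # proxy_set_header overwrites any same-named header sent by the client,
    # so the backend can trust these values came from nginx, not from the request.
    proxy_set_header X-Client-DN     $ssl_client_s_dn;
    proxy_set_header X-Client-Serial $ssl_client_serial;
    proxy_set_header X-Client-Verify $ssl_client_verify;

    # Assumption: Plesk's Apache backend listening on its default HTTP port.
    proxy_pass http://127.0.0.1:7080;
}
```

After adding the directives, run `nginx -t` before reloading: `ssl_verify_client` and `ssl_client_certificate` are server-level directives, so a copy inside `location` is a syntax error, which is why the check has to be done on `$ssl_client_verify` rather than by repeating the directive. Because the backend now sees a client DN, make sure it only honours the `X-Client-*` headers on requests that arrive through this nginx proxy.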

Good guide - thank you!
But now Let's Encrypt certs do not update anymore...
Does anyone have any idea?
 