
Question Nginx Client Authentication SSL

klodoma

New Pleskian
Scenario:
- one domain is secured with a Let's Encrypt SSL certificate. All works well.
- for a specific "location" (e.g. /private) we want to add SSL authentication
- we tried this through Apache, but that always fails because nginx is the proxy
- we would like to generate the client certificates (some reference: Securing Websites With Nginx And Client-Side Certificate Authentication On Linux - Arcweb Technologies)

The PROBLEM:
- ssl_client_certificate is generated by the Let's Encrypt extension. This is renewed every 3 months.
- for our use-case we could use our own self-signed CA, but we cannot add that to the nginx configuration, because ssl_client_certificate already exists.

Any ideas how to get this working? Solutions?

There is an old thread here, but not sure if anyone is still active on it.
Question - SSL Client Authentication Nginx
 
Why is ssl_client_certificate set anyway? In a standard setup, this is rather unnecessary.
Just overwrite that with your (self-made) CA certificate. Or append your certificate.pem to the referenced file.

@Peter Debik This is completely independent from the certificate nginx uses as host key, which requires only ssl_certificate and ssl_certificate_key to be set.
Using a Let's Encrypt certificate as ssl_client_certificate means you can authenticate OCSP responses and other Let's Encrypt users' client certificates. The certificate chain for the former should be appended to the ssl_certificate anyway, and I can't think of any use case for the latter (because everyone can get a Let's Encrypt certificate easily and you shouldn't base any auth just on the existence of one).

So IMO the extension setting ssl_client_certificate would be a bug.
 
I got it working. As I understand, the client authentication has nothing to do with the HTTPS encryption.

These configs are added in: Additional nginx directives

A very simple config (server CRT only) (add in
Code:
# server certificate
ssl_client_certificate /etc/ssl/server/mydomain/ca.crt;
# make verification mandatory
ssl_verify_client on;

A more detailed config (CRT + CRL)
Code:
# server certificate (CRL + CRT)
ssl_crl /etc/ssl/server/mydomain/ca.crl;
ssl_client_certificate /etc/ssl/server/mydomain/ca.crt;
ssl_verify_depth 2;

# make verification mandatory
ssl_verify_client on;

# display this error page if SSL Certification fails
error_page 495 496 497 /error400.html;

There are several online resources on how to generate the certificates, but I used this tutorial; it is very well explained and comprehensive (including intermediates and certificate revocation lists).
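The original question asked for client-certificate authentication on one location only (/private), while the config above enforces it for the whole vhost. As an added example that is not from this thread, the directives below (for the same "Additional nginx directives" box) request a client certificate on every TLS handshake but only reject requests under /private that lack a valid one; ssl_verify_client cannot be set per location, so the check is done on $ssl_client_verify. The CA and CRL paths are taken from the post above and assumed to exist; the Apache backend port is an assumption based on Plesk's default layout.

```nginx
# Added example, not from the thread. Paste into the domain's
# "Additional nginx directives". The Let's Encrypt server certificate
# (ssl_certificate / ssl_certificate_key) stays exactly as Plesk sets it.

# "optional": nginx asks for a client certificate and verifies it against
# the CA if one is sent, but does not abort the handshake when none is sent.
# Requests without a certificate therefore still reach every other path
# (including anything the Let's Encrypt extension needs to serve).
ssl_client_certificate /etc/ssl/server/mydomain/ca.crt;   # path from the post
ssl_crl                /etc/ssl/server/mydomain/ca.crl;   # path from the post
ssl_verify_client      optional;
ssl_verify_depth       2;   # allow one intermediate between client cert and root

# Enforce the verification result only for the protected location.
location /private {
    # $ssl_client_verify is "SUCCESS", "NONE" (no cert presented) or
    # "FAILED:<reason>" (cert presented but rejected, e.g. revoked via CRL).
    if ($ssl_client_verify != SUCCESS) {
        return 403;
    }

    # Hand the verified identity to the application. The headers are set
    # here, after verification, so a client cannot inject them.
    proxy_set_header X-Client-Verify $ssl_client_verify;
    proxy_set_header X-Client-DN     $ssl_client_s_dn;
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Assumption: Plesk's default Apache HTTPS backend port (7081). Copy the
    # proxy_pass line from Plesk's generated nginx.conf for the domain if yours differs.
    proxy_pass https://127.0.0.1:7081;
}
```

Check with `nginx -t` after saving, then verify from a client once without a certificate (expect 403 on /private, 200 elsewhere) and once with a certificate issued by the CA (expect 200 on /private).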

 
Good guide - thank you!
But now Let's Encrypt certs do not update anymore...
Does anyone have any idea?
 