
Question Nginx Client Authentication SSL

klodoma

New Pleskian
Scenario:
- one domain is secured with a Let's Encrypt SSL certificate. All works well.
- for a specific "location" (e.g. /private) we want to add SSL authentication
- we tried this through Apache, but that always fails because nginx is the proxy
- we would like to generate the client certificates (some reference: Securing Websites With Nginx And Client-Side Certificate Authentication On Linux - Arcweb Technologies)

The PROBLEM:
- ssl_client_certificate is generated by the Let's Encrypt extension. This is renewed every 3 months.
- for our use case we could use our own self-signed CA, but we cannot add that to the nginx configuration, because ssl_client_certificate already exists.

Any ideas how to get this working? Solutions?

There is an old thread here, but not sure if anyone is still active on it.
Question - SSL Client Authentication Nginx
 
Why is ssl_client_certificate set anyway? In a standard setup, this is rather unnecessary.
Just overwrite that with your (self-made) CA certificate. Or append your certificate.pem to the referenced file.

@Peter Debik This is completely independent from the certificate nginx uses as host key which requires only ssl_certificate and ssl_certificate_key to be set.
Using a Let's Encrypt certificate as ssl_client_certificate means you can authenticate OCSP responses and other Let's Encrypt users' client certificates. The certificate chain for the former should be appended to the ssl_certificate anyway, and I can't think of any use case for the latter (because everyone can get a Let's Encrypt certificate easily and you shouldn't base any auth just on the existence of one).

So IMO the extension setting ssl_client_certificate would be a bug.
 
I got it working. As I understand, the client authentication has nothing to do with the HTTPS encryption.

These configs are added in: Additional nginx directives

A very simple config (server CRT only) (add in
Code:
# CA certificate used to verify client certificates (not the host certificate)
ssl_client_certificate /etc/ssl/server/mydomain/ca.crt;
# make verification mandatory
ssl_verify_client on;

A more detailed config (CRT + CRL)
Code:
# CA certificate and revocation list used to verify client certificates (CRL + CRT)
ssl_crl /etc/ssl/server/mydomain/ca.crl;
ssl_client_certificate /etc/ssl/server/mydomain/ca.crt;
# allow one intermediate between the client certificate and the root CA
ssl_verify_depth 2;

# make verification mandatory
ssl_verify_client on;

# display this error page if SSL client certificate verification fails
# (495: certificate error, 496: no certificate sent, 497: plain HTTP request on the HTTPS port)
error_page 495 496 497 /error400.html;

There are several online resources on how to generate the certificates, but I used this tutorial; it's very well explained and comprehensive (including intermediates and certificate revocation lists).
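The directives above enforce client certificates for the whole virtual host. For the per-location case asked in the question (only /private), nginx can request the certificate optionally and enforce the verification result inside the location block. This is an added example, not a config from the thread; the CA/CRL paths and the /private path come from the thread, while the backend address (Plesk's Apache on port 7080) is an assumption.

```nginx
# Added in "Additional nginx directives" for the domain (example, not from the thread).
# CA that issued the client certificates; this is separate from the Let's Encrypt
# host certificate configured by ssl_certificate / ssl_certificate_key.
ssl_client_certificate /etc/ssl/server/mydomain/ca.crt;
ssl_crl                /etc/ssl/server/mydomain/ca.crl;
ssl_verify_depth       2;

# Request a client certificate but do not abort the handshake when none is
# presented; the verification outcome is exposed in $ssl_client_verify.
ssl_verify_client optional;

# Protected part of the site: only requests whose certificate chained to our
# CA and is not on the CRL get through. $ssl_client_verify is "SUCCESS" on
# success, "NONE" when no certificate was sent, "FAILED:<reason>" otherwise.
location /private {
    if ($ssl_client_verify != SUCCESS) {
        return 403;
    }
    # Hand the verified subject to the backend for logging or authorization.
    proxy_set_header X-SSL-Client-S-DN    $ssl_client_s_dn;
    proxy_set_header X-SSL-Client-Verify  $ssl_client_verify;
    proxy_pass http://127.0.0.1:7080;   # assumed Plesk Apache backend
}
```

Because enforcement happens only inside /private, every other path, including the paths used for Let's Encrypt validation, keeps working without a client certificate, unlike a server-wide `ssl_verify_client on`. Browsers will still be prompted for a certificate on the whole host, since `ssl_verify_client` itself is a server-level setting.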


Good guide - thank you!
But now Let's Encrypt certs do not update anymore...
Does anyone have any idea?
 