400 Bad Request: The SSL certificate error

Tags: nginx, ssl, openssl

I get this error when I try to get a page with a client key and certificate using this command:

curl -v -s --key /home/dmitry/Downloads/client_cert/client.mysite.key --cert /home/dmitry/Downloads/client_cert/client.mysite.crt https://mysite.com/api/login/

Here's what I see in nginx logs:

2014/12/08 06:30:55 [crit] 13087#0: *404 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early) while SSL handshaking, client: xxx.xxx.xxx.xxx, server: 0.0.0.0:443

And here is part of my nginx.conf:

server {
    listen  443 ssl;

    ssl_certificate     /home/mysite/conf/dev/ssl/com.mysite.crt;
    ssl_certificate_key /home/mysite/conf/dev/ssl/com.mysite.key;
    ssl_client_certificate /home/mysite/conf/dev/ssl/com.mysite.crt;
    ssl_verify_client optional; 
    ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    server_name   mysite.com www.mysite.com;
    access_log    /home/mysite/logs/nginx_access.log;
    error_log     /home/mysite/logs/nginx_error.log;

    location /api/{
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;

        proxy_set_header SSL-client-serial $ssl_client_serial;
        proxy_set_header SSL-client-dn $ssl_client_s_dn;
        proxy_set_header SSL-client-verify $ssl_client_verify;

        if ($ssl_client_verify != SUCCESS) {
            return 403;
            break;
        }
    }
}

Here are the commands I've used to create the client cert:

openssl req -out client.mysite.csr -new -newkey rsa:2048 -nodes -keyout client.mysite.key
openssl x509 -req -days 3650 -in client.mysite.csr -CA com.mysite.crt -CAkey com.mysite.key -set_serial 01 -out client.mysite.crt

What could be wrong here? Should I use some certificate other than the server cert as the CA for my client cert?

UPDATE:

When I do

openssl verify -CAfile com.mysite.crt client.mysite.crt

I get:

error 20 at 0 depth lookup:unable to get local issuer certificate
Dmitrii Mikhailov Avatar asked Dec 14 '14 09:12


1 Answer

First of all, enable debug log in nginx.conf:

error_log  logs/error.log debug;

And restart nginx. Then repeat the request and check the log file. Find the first line with verify:0:

2019/12/05 22:34:50 [debug] 5980#9776: *17 verify:0, error:20, depth:0, subject:"/CN=...", issuer:"/CN=..."

Here you see error:20. The error code comes from OpenSSL. Here you can find the constant name by code and here the corresponding description by constant name.

Alternatively, you can verify the certificate using the openssl command line tool:

openssl verify -CAfile ca.crt client.crt

To verify it as the server sees it, ca.crt has to be the file listed in ssl_client_certificate or ssl_trusted_certificate directive in nginx.conf.

To verify the certificate on its own, ca.crt has to be the certificate that was used to sign client.crt. If it is self-signed, it'll be client.crt itself (client.crt will appear twice in a row).

If you're getting error 20 specifically and your client certificate is self-signed, you might have encountered this bug. To fix it you should either drop keyUsage from your certificate entirely or add keyCertSign to the list. To verify whether you've stumbled upon it, check whether Key Usage is listed in X509v3 extensions: section in the output of the following command:

openssl x509 -in client.crt -text -noout
user Avatar answered Sep 20 '22 15:09

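The certificate generation from the question and the openssl verify / Key Usage check from the answer, put together as an added shell example. It is not part of the question or the answer, and every name in it (demo-ca, demo-server, client-good, client-bad) is constructed for the demo. It builds one client certificate signed by a dedicated CA and one signed the way the question does it, by a server certificate whose keyUsage has no keyCertSign (and basicConstraints CA:FALSE), then runs the same openssl verify the answer recommends against each and prints what the issuer's Key Usage says. Only the openssl command line tool is needed; all files live in a temporary directory that is removed on exit.

```shell
#!/bin/sh
# Added example, not taken from the question or the answer. Reproduces the
# client-certificate verification failure with nothing but openssl.
# All names (demo-ca, demo-server, client-*) are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config for $1 (CN) with the X509v3 extensions given in $2
# (only used when the config is combined with -x509; may be empty).
write_req_cnf() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $1
[ext]
$2
EOF
}

# Self-signed certificate $1.crt with the extensions passed in $2.
make_self_signed() {
  write_req_cnf "$1" "$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Client certificate $2.crt signed by the key of issuer $1: the same
# req + x509 -req flow as in the question, plus TLS client-auth extensions.
sign_client() {
  write_req_cnf "$2" ""
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$2.cnf" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  printf 'keyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' > "$WORK/$2.ext"
  openssl x509 -req -days 365 -in "$WORK/$2.csr" -extfile "$WORK/$2.ext" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# The check from the answer: does $2.crt chain to $1.crt? Exit status of openssl verify.
verify_client() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# The answer's last step: read the "X509v3 Key Usage" value from the text dump.
# Prints "missing" (no keyUsage extension), "certsign" or "no-certsign".
key_usage_status() {
  usage=$(openssl x509 -in "$WORK/$1.crt" -text -noout | sed -n '/X509v3 Key Usage/{n;p;}')
  if [ -z "$usage" ]; then echo missing
  elif echo "$usage" | grep -q 'Certificate Sign'; then echo certsign
  else echo no-certsign; fi
}

report() {
  if verify_client "$1" "$2"; then result=OK; else result=FAILED; fi
  printf '%s signed by %s (issuer Key Usage: %s): %s\n' \
    "$2" "$1" "$(key_usage_status "$1")" "$result"
}

# 1. A dedicated client CA: basicConstraints CA:TRUE and keyCertSign.
make_self_signed demo-ca 'basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign'
sign_client demo-ca client-good

# 2. What the question does: a server certificate (keyUsage without
#    keyCertSign, CA:FALSE) re-used as the CA of the client certificate.
make_self_signed demo-server 'basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth'
sign_client demo-server client-bad

report demo-ca client-good
report demo-server client-bad
```

The second verification fails on every OpenSSL release; the exact error text depends on the version (OpenSSL 1.x reports the question's "error 20 at 0 depth lookup", since a certificate whose keyUsage lacks keyCertSign is not even considered as a possible issuer). What the example shows is that the file named in ssl_client_certificate must be a certificate that is allowed to sign certificates, which a normal server certificate is not.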