 

Client certificate prompt not showing nginx

Tags:

nginx

ssl

I have a CA certificate bundle and am trying to set up client certificate authentication on nginx. In the browser I never get a prompt asking which certificate to send for SSL authentication. I am not sure what I have missed; any help would be highly appreciated.

Below is the configuration of nginx

    #
    # HTTPS server configuration
    #

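    # TLS reverse proxy that requires a client certificate and forwards the
    # verification result to the backend in request headers.
    server {
        # TLS is enabled on the listening socket; the separate "ssl on;"
        # directive is deprecated (obsolete since 1.15.0, removed in 1.25.1).
        listen          10.0.111.118:8443 ssl;
        server_name     reverseproxy.in;

        ### SSL cert files ###
        ssl_certificate      conf.d/MonetServer.cer;
        ssl_certificate_key  conf.d/MonetServer.key;

        # CA certificates used to verify client certificates. Their names are
        # also sent to the client during the handshake as the acceptable
        # issuers; a browser typically offers only certificates (with their
        # private key) that chain to one of them, and shows no prompt when it
        # has none that match.
        ssl_client_certificate      conf.d/Bundle.crt;

        # A request without a valid client certificate is rejected with
        # "400 No required SSL certificate was sent".
        ssl_verify_client on;
        # NOTE(review): ssl_verify_depth defaults to 1. If client certificates
        # are issued by an intermediate CA in Bundle.crt, it may need raising;
        # confirm against the actual chain.

        server_tokens off;
        access_log      logs/ssl/esmarts-access.log;
        error_log       logs/ssl/esmarts-error.log;

        ### Set headers ####
        # proxy_set_header directives are inherited from this level only when
        # a location defines none of its own, so all of them live here rather
        # than being repeated per location. Each one overwrites a same-named
        # header supplied by the client, so the backend cannot be handed a
        # forged verification result under these names.
        proxy_set_header  Accept-Encoding   "";
        proxy_set_header  Host $host;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        ### Most PHP, Python, Rails, Java App can use this header ###
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_set_header  X-Floof-SSL-Client-Serial $ssl_client_serial;
        proxy_set_header  X-Floof-SSL-Client-Verify $ssl_client_verify;
        # The header name says subject DN, so pass the subject DN.
        # $ssl_client_cert (the full PEM certificate) is deprecated for this
        # use because its multi-line value relies on header line folding; if
        # the backend needs the whole certificate, send
        # $ssl_client_escaped_cert in a separate header.
        proxy_set_header  X-SSL-Client-S-DN $ssl_client_s_dn;

        # NOTE(review): add_header sets a response header towards the client.
        # If Front-End-Https was meant for the backend it should be a
        # proxy_set_header instead; confirm the intent.
        add_header              Front-End-Https   on;

        ### force timeouts if one of backend is died ##
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

        ### By default we don't want to redirect it ####
        proxy_redirect     off;

        # NOTE(review): the backend is reached over plain HTTP, so the identity
        # headers above are only trustworthy if 10.0.111.125:8080 accepts
        # connections from this proxy alone; verify the network policy.

        ### We want full access to SSL via backend ###
        location / {
            # NOTE(review): with a URI in proxy_pass the matched prefix "/" is
            # replaced by it, so a request for /foo is sent upstream as
            # /esmart/index.htmlfoo; confirm this is intended.
            proxy_pass  http://10.0.111.125:8080/esmart/index.html;
        }

        location /esmart/VAADIN {
            proxy_pass  http://10.0.111.125:8080/esmart/VAADIN;
        }

        location /esmart/jsp {
            proxy_pass  http://10.0.111.125:8080/esmart/jsp;
        }

        location /esmart/APP {
            proxy_pass  http://10.0.111.125:8080/esmart/APP;
        }
    }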

I kept getting the error

400 Bad Request

No required SSL certificate was sent

I have already installed the client certificate on my PC. The problem, I assume, is that the browser is not asking for the client certificate that is already installed on the client.

zeemz Avatar asked Jul 28 '14 11:07

zeemz


1 Answers

Just posted an answer here: https://serverfault.com/a/764509/344286

Make sure you can authenticate using cURL to validate that your nginx is set up correctly. Once you've confirmed this, you can focus on generating a PKCS12 profile and installing that in the browser.

user2325282 Avatar answered Sep 25 '22 06:09

user2325282