Nginx unable to get certificate CRL

Question

I'm using nginx(1.1.9) for serving debian packages on https by using client certificate feature.

listen 443 ssl;

 ...

 ssl_certificate     /etc/ssl/ca.chain.crt;
 ssl_certificate_key /etc/ssl/server.key;
 #ssl_crl             /etc/ssl/ca-crl.pem;
 ssl_client_certificate  /etc/ssl/ca.pem;
 ssl_verify_client   on; 
 ssl_verify_depth 2;   
 ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1;

 ...

 error_log /var/log/nginx/error.log debug;
 ...

I use reprepro to config an apt repo.I can use apt-get update to this repo without any error but when I comment out ssl_crl in order to use revocation list, Log display:

client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers, client: xxx.xxx.xxx.xxx, server: apt.myrepo.com, request: "GET /ubuntu/dists/precise/non-free/i18n/Translation-en HTTP/1.1", host: "apt.myrepo.com"

I'm not sure why nginx can find my certificate revocation list.

Answer 1

This occurs because nginx needs to have CRLs for every certificate that's mentioned in ssl_client_certificate cert chain, including the root CA's CRL.

I hit this myself when I created root and intermediate CAs in order to generate certs for intranet sites. When I configured nginx to use SSL client authentication, I only used the CRL from our intermediate CA. nginx needs to see the CRL for every certificate in the chain, including the intermediate CA, to make sure that the intermediate CA's certificate hasn't been revoked by the root. Concatenating the root CRL onto the intermediate CRL fixed the issue.

---

Notes

• The default CRL expiration period (default_crl_days) is 30 days, so you'll need to work out a system for keeping everything up to date.
• Thank you to this post, which I found after much Google-fu, that suggested I was missing another cert in the chain.