Hi.

I'm trying to get nginx 1.6.2 to authenticate users using their client certificates.

I'm using this configuration (besides usual SSL settings, which are proved to work):

ssl_stapling on;
ssl_client_certificate /etc/nginx/certs/trusted.pem;
ssl_verify_client optional_no_ca;

trusted.pem contains 3 CA certificates: test CA and 2 production CA (main and intermediate).
To pass verification data to the application I'm using

fastcgi_param X-SSL-Verified $ssl_client_verify;
fastcgi_param X-SSL-Certificate $ssl_client_cert;
fastcgi_param X-SSL-IDN $ssl_client_i_dn;
fastcgi_param X-SSL-SDN $ssl_client_s_dn;

And here comes the issue: when using test CA and test cerificate, I'm getting X-SSL-Verified: SUCCESS, but when using production ones, I'm getting X-SSL-Verified: FAILED. You can say that there's a problem in my certificate bunch, but I tried to verify if the production certificate is really issued by the CA that I think about:

openssl verify -verbose -CAfile trusted.pem rt.cert
rt.cert: OK

Looks like it passes the verification. trusted.pem is the same that nginx uses. In the same time nginx thinks that certificate doesn't pass the test. Why can this happen ? I've also tried setting 'ssl_verify_client on;' - the only difference that I get the 400 answer, because the verification fails explicitely.

Thanks.