Hi. I'm using the Kubernetes nginx ingress controller. I have a scenario where users must authenticate by using an X509 client certificate.
We implemented a solution where the client certificate is totally checked and verified by a back-end application written in java.
In my old environment I had an nginx ingress controller with the following versions:
nginx version: nginx/1.17.10
OpenSSL 1.1.1g 21 Apr 2020
We configured the nginx ingress controller with the optional_no_ca property. All worked pretty well.
We had to change environment and we had an upgrade of the K8S ecosystem. Now our nginx ingress controller has these versions:
nginx version: nginx/1.19.2
OpenSSL 1.1.1g 21 Apr 2020
We configured the ingress controller with the optional_no_ca property and we see in our nginx.conf the following:
ssl_certificate_by_lua_block {
certificate.call()
}
# PEM sha:
ssl_client_certificate /etc/ingress-controller/ssl/ca-wso2is-collaudo-ca-agid-secret.pem;
ssl_verify_client optional_no_ca;
ssl_verify_depth 1;
error_page 495 496 = /cns/saml/dettaglio-utente;
We tried the authentication by using the same certificate used in old environment and now we get the following blocking error (I guess generated by OpenSSL):
2021/06/17 10:54:23 [crit] 12239#12239: *92007028 SSL_do_handshake() failed (SSL: error:0407E068:rsa routines:RSA_verify_PKCS1_PSS_mgf1:bad signature error:1417B07B:SSL routines:tls_process_cert_verify:bad signature) while SSL handshaking, client: 172.29.33.38, server: 0.0.0.0:443
Because of this error the flow stops and I can't proceed to the upstream server.
But what I'm wondering is: it's OK that OpenSSL fails to verify the signature; what I want is for the PEM certificate to be passed to the upstream server in a specific HTTP header (exactly as in the old environment).
Why is this happening? How can I solve this?
Thank you
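An added example, not part of the original post, showing the plain nginx directives behind the configuration quoted above, with the client certificate forwarded to the upstream in request headers. Hostnames, paths and the upstream name are placeholders; the header names follow the ones ingress-nginx sets when `auth-tls-pass-certificate-to-upstream` is enabled (assumption). One caveat the error in the post illustrates: `ssl_verify_client optional_no_ca` only relaxes chain validation against `ssl_client_certificate` and reports the outcome in `$ssl_client_verify`; it does not relax the TLS CertificateVerify step (`tls_process_cert_verify`), where the client proves possession of the private key. A bad signature there aborts the handshake before any location block runs, so none of the headers below are ever set.

```nginx
# Added example (not from the original post). Mirrors the directives the
# ingress controller generates for optional_no_ca and forwards the client
# certificate to the upstream. All names and paths are placeholders.
server {
    listen 443 ssl;
    server_name example.internal;                     # placeholder

    ssl_certificate     /etc/nginx/tls/server.crt;    # placeholder
    ssl_certificate_key /etc/nginx/tls/server.key;    # placeholder

    # CA bundle used only for chain validation. With optional_no_ca a chain
    # failure does not abort the handshake; it shows up in $ssl_client_verify.
    # A failed CertificateVerify signature is a different thing: the handshake
    # is rejected regardless of this setting.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;   # placeholder
    ssl_verify_client optional_no_ca;
    ssl_verify_depth 1;

    # 495 = client certificate verification failed, 496 = no certificate sent.
    error_page 495 496 = /cert-error;

    location / {
        proxy_pass http://backend;                    # placeholder upstream

        # URL-encoded PEM of the presented certificate; empty if none was sent.
        # The upstream (here, the Java application) does its own checks on it.
        proxy_set_header ssl-client-cert       $ssl_client_escaped_cert;
        # SUCCESS, FAILED:<reason> or NONE, so the upstream can tell whether
        # nginx's CA check passed, failed, or never happened.
        proxy_set_header ssl-client-verify     $ssl_client_verify;
        proxy_set_header ssl-client-subject-dn $ssl_client_s_dn;
        proxy_set_header ssl-client-issuer-dn  $ssl_client_i_dn;
    }

    location = /cert-error {
        return 403;
    }
}
```

When validating such a setup, confirm from the error log which stage fails: an entry like the `tls_process_cert_verify` one in the post means the connection never reached the `ssl_verify_client` policy, whereas a certificate the CA check rejects under `optional_no_ca` still arrives at the upstream with `ssl-client-verify` set to a `FAILED:` value, which the upstream must treat as untrusted.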