NGINX can't validate CRL
August 30, 2023 07:26AM
Hi, I'm configuring an NGINX server with Docker, and I want to validate the SSL certificate from upstream servers, but unfortunately NGINX can't validate the URL or the OCSP inside of the certificate. So I need to provide the CRL manually. I developed the following script to update the CRL inside of NGINX; is there a better way without reloading nginx?

#!/bin/bash
set -eu
# Download the CA's CRL (DER), convert it to PEM for nginx, copy it into the
# container and reload so the new proxy_ssl_crl file is picked up.
# curl -f: an HTTP error exits non-zero instead of saving an error page as the CRL.
curl -fsS -o /home/spacelabs/edger/crl.crl 'http://crl.certify.spacelabsws.pt/CertEnroll/SpaceLabs%20Self%20Certificates%20Service%20CA.crl'
openssl crl -in /home/spacelabs/edger/crl.crl -inform DER -out /home/spacelabs/edger/crl.pem
docker cp /home/spacelabs/edger/crl.pem edger_reversesl_1:/etc/nginx/certs/crl.pem
docker exec edger_reversesl_1 nginx -s reload

server {
    listen 443 ssl;
    server_name sage.org;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        proxy_pass "https://sage.org:8443/";
        proxy_ssl_trusted_certificate /etc/nginx/certs/ca-origin.pem;
        proxy_ssl_verify on;
        proxy_ssl_crl /etc/nginx/certs/crl.pem;
    }

    ssl_certificate /etc/nginx/certs/sage.pem;
    ssl_certificate_key /etc/nginx/certs/sage.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_trusted_certificate /etc/nginx/certs/ca-edge.pem;

    resolver 192.168.1.13;
}



Edited 1 time(s). Last edit at 08/30/2023 07:27AM by dev.tomas2003.
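Added example, not the original poster's script: nginx reads the file named by proxy_ssl_crl into its X509 store when the configuration is loaded, so there is no way to hand it a new CRL without a reload. What can be avoided is reloading when nothing changed, and installing a CRL that was never checked. The script below fetches the CRL, verifies its signature against the issuing CA (the CRL is served over plain HTTP, and a tampered or corrupt CRL loaded by nginx makes every upstream handshake fail), installs it only when its contents differ from the copy already deployed, runs nginx -t inside the container, and only then reloads. The work directory, the CA file name, the container name and the target path are assumptions taken from the post and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the original post): refresh the CRL nginx loads via
# proxy_ssl_crl, verify it, and reload nginx only when it actually changed.
# nginx parses proxy_ssl_crl once at configuration load, so a reload is the
# only way to make a new CRL visible to the workers.
# WORK_DIR, CA_FILE, CONTAINER and TARGET are assumptions; override as needed.
set -eu

CRL_URL='http://crl.certify.spacelabsws.pt/CertEnroll/SpaceLabs%20Self%20Certificates%20Service%20CA.crl'
WORK_DIR="${WORK_DIR:-/home/spacelabs/edger}"
CA_FILE="${CA_FILE:-$WORK_DIR/ca-origin.pem}"   # assumed: the CA that signs the CRL
CONTAINER="${CONTAINER:-edger_reversesl_1}"
TARGET='/etc/nginx/certs/crl.pem'

# SHA-256 of a file, using whichever tool the host provides.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Exit status 0 when the new CRL ($1) is byte-identical to the installed one ($2);
# a missing installed copy counts as "changed" so the first run installs it.
crl_unchanged() {
    [ -f "$2" ] || return 1
    [ "$(file_digest "$1")" = "$(file_digest "$2")" ]
}

# Download the DER CRL; -f turns an HTTP error into a non-zero exit instead of
# silently saving an error page as if it were a CRL.
fetch_crl() {
    curl -fsS --max-time 30 -o "$1" "$CRL_URL"
}

# Convert DER to PEM and verify the CA's signature on the CRL. The exit status
# of "openssl crl -verify" has not been consistent across OpenSSL releases, so
# the printed "verify OK" is what decides; a failure aborts the script (set -e).
verify_crl() {   # $1 = DER input, $2 = PEM output
    openssl crl -in "$1" -inform DER -out "$2"
    openssl crl -in "$2" -noout -CAfile "$CA_FILE" -verify 2>&1 | grep -q 'verify OK'
}

refresh_crl() {
    mkdir -p "$WORK_DIR"
    der="$WORK_DIR/crl.der.tmp"
    pem="$WORK_DIR/crl.pem.tmp"
    fetch_crl "$der"
    verify_crl "$der" "$pem"
    if crl_unchanged "$pem" "$WORK_DIR/crl.pem"; then
        rm -f "$der" "$pem"
        echo "CRL unchanged, nginx not reloaded"
        return 0
    fi
    mv "$pem" "$WORK_DIR/crl.pem"
    rm -f "$der"
    docker cp "$WORK_DIR/crl.pem" "$CONTAINER:$TARGET"
    # Test the configuration with the new file in place before reloading; if the
    # test fails, the running workers keep the CRL they already have in memory.
    docker exec "$CONTAINER" nginx -t
    docker exec "$CONTAINER" nginx -s reload
}

# Run as: ./crl-refresh.sh refresh   (e.g. from cron, well inside the CRL's nextUpdate)
case "${1:-}" in
    refresh) refresh_crl ;;
esac
```

Schedule it more often than the CA's CRL publication interval: nginx treats an expired CRL as a verification failure, so a missed refresh after nextUpdate takes the upstream connection down just as surely as a revoked certificate would.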