Re: Problem creating CRL

Maxim Dounin
February 18, 2020 01:44PM
Hello!

On Tue, Feb 18, 2020 at 12:58:26PM -0500, trstringer wrote:

> I am attempting to add CRL support to my nginx proxy, and it seems to not be
> working due to the following error:
>
> client SSL certificate verify error: (3:unable to get certificate CRL) while
> reading client request headers
>
> From my research, this is because nginx senses a missing CRL. But here is
> the structure of my client certificate (it has the full chain of
> certificates in it):
>
> Certificate:
> Data:
> ...
> X509v3 extensions:
> ...
> X509v3 Key Usage: critical
> Certificate Sign, CRL Sign
>
> Certificate:
> Data:
> ...
> X509v3 extensions:
> ...
> X509v3 CRL Distribution Points:
> Full Name:
> URI:http://uri1
>
> Certificate:
> Data:
> ...
> X509v3 extensions:
> ...
> X509v3 Key Usage: critical
> Certificate Sign, CRL Sign
>
> Certificate:
> Data:
> ...
> X509v3 extensions:
> ...
> X509v3 CRL Distribution Points:
> Full Name:
> URI:http://uri2
> URI:http://uri3
> URI:http://uri4
>
> I take the following steps:
>
> 1. curl and convert output from url1 to PEM.
> 2. curl and convert output from url2 to PEM.
> 3. Concat the two outputs into the same file.
> 4. Specify this file in nginx config for ssl_crl.
>
> But I get the above error.
>
> Any thoughts on what I'm doing wrong? My understanding is that I should be
> able to safely ignore url3, and url4.

You need CRLs for all certificates in the chain.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
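The reply's point, reproduced offline with `openssl` as an added example (not code from the thread): when `ssl_crl` is set, nginx enables OpenSSL's CRL check for the whole chain, which `openssl verify -crl_check_all` mirrors. The CA names, subjects and file names below are all constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> client cert, one CRL per CA.
# Every name, subject and file here is made up for the example.
make_demo_pki() (
  cd "$1" || exit 1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = demo
[demo]
database = index.txt
default_md = sha256
default_crl_days = 30
EOF
  : > index.txt   # empty database: both CRLs revoke nothing
  new="openssl req -config ca.cnf -newkey rsa:2048 -nodes"
  $new -x509 -days 30 -subj "/CN=Demo Root CA" -keyout root.key -out root.pem &&
  $new -subj "/CN=Demo Intermediate CA" -keyout int.key -out int.csr &&
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions v3_ca -days 30 -out int.pem &&
  $new -subj "/CN=demo-client" -keyout client.key -out client.csr &&
  openssl x509 -req -in client.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -out client.pem &&
  openssl ca -config ca.cnf -gencrl -cert root.pem -keyfile root.key -out root.crl &&
  openssl ca -config ca.cnf -gencrl -cert int.pem -keyfile int.key -out int.crl &&
  cat root.crl int.crl > all.crl   # one concatenated PEM file, as in step 3 of the question
) 2>/dev/null

# Verify client.pem with only the CRLs in file $2 available; prints openssl's
# verdict and returns its exit status (0 = chain accepted).
verify_with_crls() (
  cd "$1" || exit 1
  openssl verify -crl_check_all -CAfile root.pem -untrusted int.pem \
    -CRLfile "$2" client.pem 2>&1
)

d=$(mktemp -d) && make_demo_pki "$d" || exit 1
echo "== only the intermediate CA's CRL =="
verify_with_crls "$d" int.crl || echo "-> rejected: no CRL covering the intermediate CA's certificate"
echo "== CRLs for every CA in the chain =="
verify_with_crls "$d" all.crl
```

Running the same `openssl verify` command against a real client chain and the file passed to `ssl_crl` shows at which depth a CRL is still missing.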