Right off the bat there are a couple of posts that go through this issue, but I am unsure what the settings are doing exactly in order to achieve the correct result. I'm able to verify the client but not vice versa. I want the client to verify what's coming from the server.
Gist
server {
    listen 443 ssl;
    client_max_body_size 60M;
    server_name example.com;
    ssl_certificate /letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    # Certificate chain (CA bundle used to verify client certificates)
    ssl_client_certificate /etc/nginx/certificados/cadeia-certificados.pem;
    # Validates the hierarchy ( https://stackoverflow.com/questions/8431528/nginx-ssl-certificate-authentication-signed-by-intermediate-ca-chain )
    ssl_verify_depth 2;
    # Revoked certificates
    # ssl_crl /etc/nginx/certificados/ca.crl;
    # Requires the client certificate
    ssl_verify_client on;
    location / {
        # Passes the obtained certificate in PEM format to the application
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Forwarded-Ssl on;
        # proxy_set_header X-SSL-CERT $ssl_client_cert;
        proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
        proxy_pass http://10.0.0.1:3000;
    }
}
ServerFault
The question I have is this, in regard to the sample post from the gist.
What I want:
I want to have mTLS between my devices and the nginx load balancer. What I have works, but my MQTT client emulator (which is emqx) has an SSL "secure" setting, i.e.:
Whether a client verifies the server's certificate chain and host name.
When I use the setting it gives an error: Error: unable to verify the first certificate
The confusion for me is knowing what I need to have in my stored client CA that I deliver to the Nginx server LB along with the client crt and client key.
Is the ssl_client_certificate what is needed for this to work? I have that, so I don't get why it is giving an error. I could put the intermediate in the chain; right now it is only the root.
As well, I am not really seeing how the ssl_certificate is working to verify the client, and how the client verifies the server. You have Let's Encrypt in your example and I want a similar setup, but that is a public CA, so I am not seeing how it plays into the client cert verification with the setting below.
Meaning, what does the Let's Encrypt cert have to do with anything? What does the key have to relate to? And are those keys/certs unrelated to the ssl_client_certificate?
This is my configuration. From the device/client I provide the client.crt, client.key, and a CA that has the intermediate cert in there.
streams:
  ignored_key: |
    stream {
        upstream backend {
            server emqx-ee:1883;
        }
        server {
            listen *:31882 ssl;
            proxy_pass backend;
            ssl_certificate /mnt/nginx/certs/custom/intermediate-ca.crt;
            ssl_certificate_key /mnt/nginx/certs/custom/intermediate-ca.key;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers HIGH:!aNULL:!MD5;
            ssl_session_cache shared:SSL:20m;
            ssl_session_timeout 4h;
            ssl_handshake_timeout 30s;
            ssl_client_certificate /mnt/nginx/certs/custom/root-ca.crt;
            ssl_verify_client on;
            ssl_verify_depth 2;
        }
    }
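The "unable to verify the first certificate" error in the question is what a client sees when its trust store holds only a root CA and the server presents a certificate it cannot link back to that root. The following added example (not from the question, the gist, or nginx itself) builds a throwaway root -> intermediate -> server chain with openssl and reproduces both outcomes: verification fails when the server leaf is presented alone and succeeds when the intermediate is presented alongside it, which is what a leaf-plus-chain file such as Let's Encrypt's fullchain.pem provides to nginx's ssl_certificate. All names (Demo Root CA, Demo Intermediate CA, example.com) and file paths are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> server leaf.
# Requires the openssl CLI; everything is written to a temporary directory.
set -eu

# Create root.crt, int.crt, server.crt (plus keys and fullchain.pem) in directory $1.
make_demo_pki() {
  dir=$1
  # Self-signed root; the default openssl.cnf v3_ca section marks it CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/CN=Demo Root CA" -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  # Intermediate CA: must itself carry CA:TRUE and keyCertSign to sign the leaf.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
  # Server (leaf) certificate, issued by the intermediate, not directly by the root.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$dir/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" -out "$dir/server.crt" 2>/dev/null
  # What the server should present: leaf first, then the intermediate (never the root key).
  cat "$dir/server.crt" "$dir/int.crt" > "$dir/fullchain.pem"
}

# verify_leaf TRUST_STORE LEAF [PRESENTED_CHAIN]
# Models a client whose trust store is TRUST_STORE checking LEAF. The optional
# third file plays the role of the extra certificates a server sends in the
# handshake (treated as untrusted). Returns 0 when a path to the root is found.
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

work=$(mktemp -d)
make_demo_pki "$work"
# Leaf alone while the client trusts only the root: no issuer found -> failure.
verify_leaf "$work/root.crt" "$work/server.crt" && echo "unexpected" || echo "leaf alone: FAIL"
# Leaf plus intermediate in the presented chain: path to the trusted root -> success.
verify_leaf "$work/root.crt" "$work/server.crt" "$work/fullchain.pem" && echo "with intermediate: OK"
rm -rf "$work"
```

The same logic applies to the client side of mTLS: the bundle in ssl_client_certificate must let nginx build a path from each device certificate up to a trusted root, so an intermediate that issued the device certificates has to be either in that bundle or presented by the device.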