I'm using nginx(1.1.9) for serving debian packages on https by using client certificate feature.
listen 443 ssl;
...
ssl_certificate /etc/ssl/ca.chain.crt;
ssl_certificate_key /etc/ssl/server.key;
#ssl_crl /etc/ssl/ca-crl.pem;
ssl_client_certificate /etc/ssl/ca.pem;
ssl_verify_client on;
ssl_verify_depth 2;
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1;
...
error_log /var/log/nginx/error.log debug;
...
I use reprepro to config an apt repo.I can use apt-get update to this repo without any error but when I comment out ssl_crl in order to use revocation list, Log display:
client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers, client: xxx.xxx.xxx.xxx, server: apt.myrepo.com, request: "GET /ubuntu/dists/precise/non-free/i18n/Translation-en HTTP/1.1", host: "apt.myrepo.com"
I'm not sure why nginx can find my certificate revocation list.
This occurs because nginx needs to have CRLs for every certificate that's mentioned in ssl_client_certificate cert chain, including the root CA's CRL.
I hit this myself when I created root and intermediate CAs in order to generate certs for intranet sites. When I configured nginx to use SSL client authentication, I only used the CRL from our intermediate CA. nginx needs to see the CRL for every certificate in the chain, including the intermediate CA, to make sure that the intermediate CA's certificate hasn't been revoked by the root. Concatenating the root CRL onto the intermediate CRL fixed the issue.
Notes
The default CRL expiration period (default_crl_days) is 30 days, so you'll need to work out a system for keeping everything up to date.
Thank you to this post, which I found after much Google-fu, that suggested I was missing another cert in the chain.
Related
I just installed iredmail on my VPS, and tried to install my ssl certificates. To do so I am modifying /etc/nginx/templates/ssl.tmpl to use these these lines instead of the self signed certificate:
ssl_certificate /etc/ssl/certs/vendify-ssl-certificate.pem;
ssl_certificate_key /etc/ssl/private/vendify-ssl-private-key.pem;
ssl_client_certificate /etc/ssl/certs/vendify-CA-CF-Cert.pem;
ssl_verify_client on;
However, when I do this, I get 400 Bad Request No required SSL certificate was sent and when I disable the ssl_verify_client on on my /etc/nginx/templates/ssl.tmpl, this error dissapears, but obviously, the certificate is not trusted, since it cannot be verified. I have enabled authenticated origin pulls on cloudflare's end, but this error still persists.
Thanks!
I have three files regarding certificates:
- example.com.ca-bundle # contains root and intermediate certificates
- example.com.crt # Certificate
- example.com.p7b # only contains certificates and chain certificates
I need to configure NGINX to accept HTTPS, but I feel a bit confused as I do not have the most experience with SSL, and most examples seem to use a certificate/key pair. Would this NGINX configuration be the correct approach?
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate /path/to/example.com.crt;
ssl_certificate_key /path/to/example.com.crt;
...
}
Like others pointed out in the comments you need to use the private key for ssl_certificate_key. If it helps further, below is an excerpt from an Nginx configuration using Let's Encrypt SSL certificates. In some cases cert.pem is not enough and chain.pem is also needed for compatibility across more browsers and server types.
# Full chain fullchain.pem is just a concatenation of public key cert.pem and chain.pem. If you are using certbot this will be automatically created.
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
# Like others pointed out in the comments there should be a private key and not the cert file
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
You can use certbot (a tool by Let's Encrypt) to automate the generation of your certificates. Here is a link with Step by Step instructions for automating HTTPS / SSL Certificate setup for your Nginx Hosted Website
I purchased SSL certificate from a certain hoster and I got these 4 files
> SSL Certificate:
> CSR:
> Private Key:
> CA Certificate:
How can I install those files into my VPS server using Nginx? My hoster is not collaborative, and I have to figure out how to install this to my client site. All googling leads me to the normal installation where we generate CSR from my VPS, submit to hoster, get certificates, merge and then fix them with Nginx, but for this case, I'm totally confused
Any help, I will appreciate
Typically if you receive your server certificate and private key you would place those in a directory on your web server then target those files inside of your config file. This can be a full path or a path relative to the .conf file where this server is configured.
Configure HTTPS server
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate /path/to/your/file.crt;
ssl_certificate_key /path/to/your/file.key;
}
Depending on your certificate provider they should have also given you a file that contains the CA chains necessary for browsers to validate your certificate. I'm guessing the file you call CA Certificate is that file. You will need to combine both your server certificate and the CA certificate, then target that file inside of your nginx conifiguration.
Example:
cat SSL_Certificate CA_Certificate > website.crt
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate /path/to/your/website.crt;
ssl_certificate_key /path/to/your/website.key;
}
I'm totally new to NGINX. I would like to use the free version (not nginx plus) to load balance (reverse proxy) between 3 servers and the connection must be SSL / 443.
Do i put the SSL certificate on the NGINX load balancer server or do I put 3 x SSL certs on the 3 web servers individually? I've heard mixed reviews. I'm looking for best performance.
Additional info: i'm using a wildcard SSL cert and the web other web servers are IIS with IP_Hash to keep sessions on the same web servers.
Open your configuration file again for edit.
sudo nano /etc/nginx/conf.d/load-balancer.conf
Then add the following server segment to the end of the file.
server {
listen 443 ssl;
server_name domain_name;
ssl_certificate /etc/letsencrypt/live/domain_name/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/domain_name/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
location / {
proxy_pass http://backend;
}
}
Then save the file, exit the editor and restart nginx again.
sudo systemctl restart nginx
With the HTTPS-enabled you also have the option to enforce encryption to all connections to your load balancer
server {
listen 80;
server_name domain_name;
return 301 https://$server_name$request_uri;
#location / {
# proxy_pass http://backend;
#}
}
Save the file again after you have made the changes. Then restart nginx.
sudo systemctl restart nginx
This question was asked already in the StackExchange network, but I'm going to try and answer your question anyway.
The performance impact should be noticeable, but it really depends on what you're running.
One thing to consider using multiple certificates, is that once the request hits the load balancer, it stays secure inside the datacenter/network.
This is useful, in cases where you don't own the hardware and don't have physical access to the machines/datacenter. This is because there are probably multiple people running servers and applications in a shared space and you can't know for sure if someone in that network is snooping around and watching the traffic. You just can't be sure that's not going to happen.
Using only one certificate (for the load balancer) is called 'SSL Offloading' and you can and should find out more about it here:
https://security.stackexchange.com/questions/30403/should-ssl-be-terminated-at-a-load-balancer
https://security.stackexchange.com/questions/79672/in-detail-how-does-ssl-offloading-acceleration-termination-work
SSL performance implications
https://serverfault.com/questions/112547/does-using-ssl-cause-a-significant-performance-hit
I'm trying to setup OCSP stapling on Nginx
I'm getting the error:
"ssl_stapling" ignored, host not found in OCSP responder "ocsp.comodoca.com"
Here's the file .conf
server {
ssl_certificate /etc/nginx/myfile.crt;
ssl_certificate_key /etc/nginx/myfile.key;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/myfile_trusted.crt;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 15s;
}
Please suggest a specific solution.
I've just met the same issue when testing a new nginx config with nginx -t (run as root); in my case the error message was:
2014/11/15 01:38:43 [warn] 5114#0: "ssl_stapling" ignored, host not found in OCSP responder "ocsp.startssl.com/sub/class1/server/ca"
However, I renewed my trial a second time a few seconds later and then it worked.
My advice are the following:
check that the configured resolver is responding (but I believe you used Google Public DNS so they should be okay);
try to remove the extraneous options (second resolver address, valid= parameter and resolver_timeout directive);
check that your ssl_trusted_certificate file is a bundle of both root CA certificate and intermediate certificate in PEM format (in my case I appended the Class 1 Intermediate Server CA to the root CA with # cat ca.pem sub.class1.server.ca.pem > bundle_certs.pem).
I just noticed your ssl_trusted_certificate file ends with .crt. I'm not sure whether this is really relevant but nginx documentation says (emphasis mine):
Syntax: ssl_trusted_certificate file;
Default: —
Context: http, server
This directive appeared in version 1.3.7.
Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled.
So you may want to check this first.
If it may help my OCSP config is:
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
# see <http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling>
ssl_stapling on;
resolver 192.168.1.254;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate https/bundle_certs.pem;
Edit: 192.168.1.254 being my home router LAN IP. Each time I test nginx config I get the same error the first time, I guess the resolver has to be initialized or something in the like.