Solved Nginx Certificate Authentication issue
-
Hi,
I recall scott made a video explaining VPN and comparing them with HTTPs with certificate based authentication.
I researched and got this sources:
https://gist.github.com/mtigas/952344I tried to implement it, using a test environment but failed.
I reached a point where nginx web server would give me an error that I need to supply SSL cert, but even if I download it and installed one on my chrome browser it wont connect.
400 Bad Request
No required SSL certificate was sent
nginx/1.10.2user nginx; worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; # Load dynamic modules. See /usr/share/nginx/README.dynamic. include /usr/share/nginx/modules/*.conf; events { worker_connections 1024; } http { log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; # Load modular configuration files from the /etc/nginx/conf.d directory. # See http://nginx.org/en/docs/ngx_core_module.html#include # for more information. include /etc/nginx/conf.d/*.conf; # Settings for a TLS enabled server. server { listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; server_name _; root /usr/share/nginx/html; ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate_key "/etc/pki/nginx/private/server.key"; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; ssl_client_certificate "/etc/pki/nginx/ca.crt"; ssl_verify_client on; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; location / { proxy_set_header https://192.168.1.12 $remote_addr; #change to your frontend nginx IP proxy_set_header http://192.168.1.10 $proxy_add_x_forwarded_for; #change to your backend server IP proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; proxy_pass http://192.168.1.10; #change to your backend server IP proxy_redirect off; } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } } -
@jaredbusch said in Nginx Certificate Authentication issue:
@emad-r said in Nginx Certificate Authentication issue:
@jaredbusch said in Nginx Certificate Authentication issue:
ls -laZ /etc/pki/nginx/ca.crt
-rw-r--r-- root root ?
i specified
-laZintentionally to show the SELinux context also.I don't have your directory setup, but this is what my
/etc/pki/tls/certslooks likedrwxr-xr-x. root root system_u:object_r:cert_t:s0 . drwxr-xr-x. root root system_u:object_r:cert_t:s0 .. lrwxrwxrwx. root root system_u:object_r:cert_t:s0 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem lrwxrwxrwx. root root system_u:object_r:cert_t:s0 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt -rw-r--r--. root root unconfined_u:object_r:cert_t:s0 dhparam.pem -rwxr-xr-x. root root system_u:object_r:bin_t:s0 make-dummy-cert -rw-r--r--. root root system_u:object_r:cert_t:s0 Makefile -rwxr-xr-x. root root system_u:object_r:cert_t:s0 renew-dummy-certThanks this pointed me in the right direction, a useful guide coming soon
-
What have you done do configure your site?
I can spin up CentOS 7 install Nginx, and immediately have it serving SSL with no special configuration.
This is my
nginx.confthat to my recollection has zero modifications.
[jbusch@nginxproxy ~]$ cat /etc/nginx/nginx.conf# For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/ user nginx; worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; events { worker_connections 1024; } http { log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; # Load modular configuration files from the /etc/nginx/conf.d directory. # See http://nginx.org/en/docs/ngx_core_module.html#include # for more information. include /etc/nginx/conf.d/*.conf; server { listen 80 default_server; listen [::]:80 default_server; server_name _; root /usr/share/nginx/html; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; location / { } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } server { listen 443 default_server; listen [::]:443 default_server; server_name _; root /usr/share/nginx/html; ssl on; ssl_certificate /etc/ssl/cacert.pem; ssl_certificate_key /etc/ssl/privkey.pem; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; location / { } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } } -
Then for each site that I proxy, I have a specific *.conf file.
[jbusch@nginxproxy ~]$ ls -l /etc/nginx/conf.d/ total 68 -rw-r--r--. 1 root root 1334 May 12 14:37 assets.domaina.com.conf -rw-r--r--. 1 root root 446 Nov 16 2015 domainc.com.conf -rw-r--r--. 1 root root 1306 May 12 14:25 community.domaina.com.conf -rw-r--r--. 1 root root 1289 May 12 22:56 crm.domaina.com.conf -rw-r--r--. 1 root root 1092 May 26 14:02 domainb.com.conf -rw-r--r--. 1 root root 1253 May 12 14:27 helpdesk.domaina.com.conf -rw-r--r--. 1 root root 1087 May 29 13:18 naggaroth.domainb.com.conf -rw-r--r--. 1 root root 1226 May 12 14:28 domaind.com.conf -rw-r--r--. 1 root root 1235 May 12 14:29 nc.domaina.com.conf -rw-r--r--. 1 root root 1362 May 12 14:29 nc.domainb.com.conf -rw-r--r--. 1 root root 1237 May 12 14:29 obelisk.domainb.com.conf -rw-r--r--. 1 root root 1066 May 12 14:29 oc.domainb.com.conf -rw-r--r--. 1 root root 1110 May 12 14:30 domaine.com.conf -rw-r--r--. 1 root root 1273 May 12 14:31 support.domaina.com.conf -rw-r--r--. 1 root root 1257 May 12 14:31 timereport.domaina.com.conf -rw-r--r--. 1 root root 1247 Aug 1 17:45 unifi.domaina.com.conf -rw-r--r--. 1 root root 1290 Aug 1 15:51 unms.domaina.com.conf -
And here is what goes in a conf file that handles SSL.
[jbusch@nginxproxy ~]$ cat /etc/nginx/conf.d/community.domaina.com.conf server { client_max_body_size 40M; listen 443 ssl; server_name community.domaina.com; ssl on; ssl_certificate /etc/letsencrypt/live/support.domaina.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/support.domaina.com/privkey.pem; ssl_stapling on; ssl_stapling_verify on; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_dhparam /etc/ssl/certs/dhparam.pem; add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; proxy_pass http://10.254.0.35:4567; proxy_redirect off; # Socket.IO Support proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } server { client_max_body_size 40M; listen 80; server_name community.domaina.com; rewrite ^ https://$server_name$request_uri? permanent; } -
As you can see, I obtained my SSL from LetsEncrypt and this is forwarding to a NodeBB forum
-
@jaredbusch said in Nginx Certificate Authentication issue:
What have you done do configure your site?
I can spin up CentOS 7 install Nginx, and immediately have it serving SSL with no special configuration.
This is my
nginx.confthat to my recollection has zero modifications.
[jbusch@nginxproxy ~]$ cat /etc/nginx/nginx.conf# For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/ user nginx; worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; events { worker_connections 1024; } http { log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; # Load modular configuration files from the /etc/nginx/conf.d directory. # See http://nginx.org/en/docs/ngx_core_module.html#include # for more information. include /etc/nginx/conf.d/*.conf; server { listen 80 default_server; listen [::]:80 default_server; server_name _; root /usr/share/nginx/html; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; location / { } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } server { listen 443 default_server; listen [::]:443 default_server; server_name _; root /usr/share/nginx/html; ssl on; ssl_certificate /etc/ssl/cacert.pem; ssl_certificate_key /etc/ssl/privkey.pem; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; location / { } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } }I can serve SSL content and I can proxy fine, thanks to a guide you wrote previously.
What I am wondering or want to accomplish is
ssl_client_certificate "/etc/pki/nginx/ca.crt"; ssl_verify_client on;Meaning no one can visit my https site, without installing .p12 cert on their browser, similar to VPN. Extra Security stuff.
-
@emad-r said in Nginx Certificate Authentication issue:
@jaredbusch said in Nginx Certificate Authentication issue:
What have you done do configure your site?
I can spin up CentOS 7 install Nginx, and immediately have it serving SSL with no special configuration.
This is my
nginx.confthat to my recollection has zero modifications.
[jbusch@nginxproxy ~]$ cat /etc/nginx/nginx.conf# For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/ user nginx; worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; events { worker_connections 1024; } http { log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; # Load modular configuration files from the /etc/nginx/conf.d directory. # See http://nginx.org/en/docs/ngx_core_module.html#include # for more information. include /etc/nginx/conf.d/*.conf; server { listen 80 default_server; listen [::]:80 default_server; server_name _; root /usr/share/nginx/html; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; location / { } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } server { listen 443 default_server; listen [::]:443 default_server; server_name _; root /usr/share/nginx/html; ssl on; ssl_certificate /etc/ssl/cacert.pem; ssl_certificate_key /etc/ssl/privkey.pem; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; location / { } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } }I can serve SSL content and I can proxy fine, thanks to a guide you wrote previously.
What I am wondering or want to accomplish is
ssl_client_certificate "/etc/pki/nginx/ca.crt"; ssl_verify_client on;Meaning no one can visit my https site, without installing .p12 cert on their browser, similar to VPN. Extra Security stuff.
ok, now I am following.
never tested that functionality myself form the admin side. Used it in the past as a user of someone else's system.
-
@emad-r who owns the file?
ls -laZ /etc/pki/nginx/ca.crt -
@jaredbusch said in Nginx Certificate Authentication issue:
ls -laZ /etc/pki/nginx/ca.crt
-rw-r--r-- root root ?
-
@emad-r said in Nginx Certificate Authentication issue:
@jaredbusch said in Nginx Certificate Authentication issue:
ls -laZ /etc/pki/nginx/ca.crt
-rw-r--r-- root root ?
i specified
-laZintentionally to show the SELinux context also.I don't have your directory setup, but this is what my
/etc/pki/tls/certslooks likedrwxr-xr-x. root root system_u:object_r:cert_t:s0 . drwxr-xr-x. root root system_u:object_r:cert_t:s0 .. lrwxrwxrwx. root root system_u:object_r:cert_t:s0 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem lrwxrwxrwx. root root system_u:object_r:cert_t:s0 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt -rw-r--r--. root root unconfined_u:object_r:cert_t:s0 dhparam.pem -rwxr-xr-x. root root system_u:object_r:bin_t:s0 make-dummy-cert -rw-r--r--. root root system_u:object_r:cert_t:s0 Makefile -rwxr-xr-x. root root system_u:object_r:cert_t:s0 renew-dummy-cert -
@jaredbusch said in Nginx Certificate Authentication issue:
@emad-r said in Nginx Certificate Authentication issue:
@jaredbusch said in Nginx Certificate Authentication issue:
ls -laZ /etc/pki/nginx/ca.crt
-rw-r--r-- root root ?
i specified
-laZintentionally to show the SELinux context also.I don't have your directory setup, but this is what my
/etc/pki/tls/certslooks likedrwxr-xr-x. root root system_u:object_r:cert_t:s0 . drwxr-xr-x. root root system_u:object_r:cert_t:s0 .. lrwxrwxrwx. root root system_u:object_r:cert_t:s0 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem lrwxrwxrwx. root root system_u:object_r:cert_t:s0 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt -rw-r--r--. root root unconfined_u:object_r:cert_t:s0 dhparam.pem -rwxr-xr-x. root root system_u:object_r:bin_t:s0 make-dummy-cert -rw-r--r--. root root system_u:object_r:cert_t:s0 Makefile -rwxr-xr-x. root root system_u:object_r:cert_t:s0 renew-dummy-certI see, I think my issue is related to openssl and CA setup, a missing step some where, was hoping for some easy setup guide so we can use this method instead of VPN, this would be a quicker and very secure way for special scenarios.
Cause I am testing this, Selinux is disabled. Once I succeed if I do I document then re-enable security features and test again.
-
@emad-r said in Nginx Certificate Authentication issue:
@jaredbusch said in Nginx Certificate Authentication issue:
@emad-r said in Nginx Certificate Authentication issue:
@jaredbusch said in Nginx Certificate Authentication issue:
ls -laZ /etc/pki/nginx/ca.crt
-rw-r--r-- root root ?
i specified
-laZintentionally to show the SELinux context also.I don't have your directory setup, but this is what my
/etc/pki/tls/certslooks likedrwxr-xr-x. root root system_u:object_r:cert_t:s0 . drwxr-xr-x. root root system_u:object_r:cert_t:s0 .. lrwxrwxrwx. root root system_u:object_r:cert_t:s0 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem lrwxrwxrwx. root root system_u:object_r:cert_t:s0 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt -rw-r--r--. root root unconfined_u:object_r:cert_t:s0 dhparam.pem -rwxr-xr-x. root root system_u:object_r:bin_t:s0 make-dummy-cert -rw-r--r--. root root system_u:object_r:cert_t:s0 Makefile -rwxr-xr-x. root root system_u:object_r:cert_t:s0 renew-dummy-certI see, I think my issue is related to openssl and CA setup, a missing step some where, was hoping for some easy setup guide so we can use this method instead of VPN, this would be a quicker and very secure way for special scenarios.
Not sure what else you need. Point to the private key and the certificate.
Cause I am testing this, Selinux is disabled. Once I succeed if I do I document then re-enable security features and test again.
Always useful for eliminating a potential configuration problem.
-
@jaredbusch said in Nginx Certificate Authentication issue:
@emad-r said in Nginx Certificate Authentication issue:
@jaredbusch said in Nginx Certificate Authentication issue:
ls -laZ /etc/pki/nginx/ca.crt
-rw-r--r-- root root ?
i specified
-laZintentionally to show the SELinux context also.I don't have your directory setup, but this is what my
/etc/pki/tls/certslooks likedrwxr-xr-x. root root system_u:object_r:cert_t:s0 . drwxr-xr-x. root root system_u:object_r:cert_t:s0 .. lrwxrwxrwx. root root system_u:object_r:cert_t:s0 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem lrwxrwxrwx. root root system_u:object_r:cert_t:s0 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt -rw-r--r--. root root unconfined_u:object_r:cert_t:s0 dhparam.pem -rwxr-xr-x. root root system_u:object_r:bin_t:s0 make-dummy-cert -rw-r--r--. root root system_u:object_r:cert_t:s0 Makefile -rwxr-xr-x. root root system_u:object_r:cert_t:s0 renew-dummy-certThanks this pointed me in the right direction, a useful guide coming soon
