Solved Nginx Certificate Authentication issue

Emad R

Hi,

I recall scott made a video explaining VPN and comparing them with HTTPs with certificate based authentication.

I researched and got this sources:
https://gist.github.com/mtigas/952344

I tried to implement it, using a test environment but failed.

I reached a point where nginx web server would give me an error that I need to supply SSL cert, but even if I download it and installed one on my chrome browser it wont connect.

400 Bad Request

No required SSL certificate was sent
nginx/1.10.2

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

# Settings for a TLS enabled server.

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
		ssl_client_certificate "/etc/pki/nginx/ca.crt";
		ssl_verify_client on;
        
		# Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
		proxy_set_header https://192.168.1.12 $remote_addr; #change to your frontend nginx IP
		proxy_set_header http://192.168.1.10 $proxy_add_x_forwarded_for; #change to your backend server IP
		proxy_set_header Host $http_host;
		proxy_set_header X-NginX-Proxy true;
		proxy_pass http://192.168.1.10;	#change to your backend server IP
		proxy_redirect off;
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

}

Emad R

@jaredbusch said in Nginx Certificate Authentication issue:

@emad-r said in Nginx Certificate Authentication issue:

@jaredbusch said in Nginx Certificate Authentication issue:

ls -laZ /etc/pki/nginx/ca.crt

-rw-r--r-- root root ?

i specified -laZ intentionally to show the SELinux context also.

I don't have your directory setup, but this is what my /etc/pki/tls/certs looks like

drwxr-xr-x. root root system_u:object_r:cert_t:s0      .
drwxr-xr-x. root root system_u:object_r:cert_t:s0      ..
lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r--. root root unconfined_u:object_r:cert_t:s0  dhparam.pem
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       make-dummy-cert
-rw-r--r--. root root system_u:object_r:cert_t:s0      Makefile
-rwxr-xr-x. root root system_u:object_r:cert_t:s0      renew-dummy-cert

Thanks this pointed me in the right direction, a useful guide coming soon

JaredBusch

What have you done do configure your site?

I can spin up CentOS 7 install Nginx, and immediately have it serving SSL with no special configuration.

This is my nginx.conf that to my recollection has zero modifications.
[jbusch@nginxproxy ~]$ cat /etc/nginx/nginx.conf

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
    server {
        listen       443 default_server;
        listen       [::]:443 default_server;
        server_name  _;
        root         /usr/share/nginx/html;
        ssl          on;
        ssl_certificate /etc/ssl/cacert.pem;
        ssl_certificate_key /etc/ssl/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

}

JaredBusch

Then for each site that I proxy, I have a specific *.conf file.

[jbusch@nginxproxy ~]$ ls -l /etc/nginx/conf.d/
total 68
-rw-r--r--. 1 root root 1334 May 12 14:37 assets.domaina.com.conf
-rw-r--r--. 1 root root  446 Nov 16  2015 domainc.com.conf
-rw-r--r--. 1 root root 1306 May 12 14:25 community.domaina.com.conf
-rw-r--r--. 1 root root 1289 May 12 22:56 crm.domaina.com.conf
-rw-r--r--. 1 root root 1092 May 26 14:02 domainb.com.conf
-rw-r--r--. 1 root root 1253 May 12 14:27 helpdesk.domaina.com.conf
-rw-r--r--. 1 root root 1087 May 29 13:18 naggaroth.domainb.com.conf
-rw-r--r--. 1 root root 1226 May 12 14:28 domaind.com.conf
-rw-r--r--. 1 root root 1235 May 12 14:29 nc.domaina.com.conf
-rw-r--r--. 1 root root 1362 May 12 14:29 nc.domainb.com.conf
-rw-r--r--. 1 root root 1237 May 12 14:29 obelisk.domainb.com.conf
-rw-r--r--. 1 root root 1066 May 12 14:29 oc.domainb.com.conf
-rw-r--r--. 1 root root 1110 May 12 14:30 domaine.com.conf
-rw-r--r--. 1 root root 1273 May 12 14:31 support.domaina.com.conf
-rw-r--r--. 1 root root 1257 May 12 14:31 timereport.domaina.com.conf
-rw-r--r--. 1 root root 1247 Aug  1 17:45 unifi.domaina.com.conf
-rw-r--r--. 1 root root 1290 Aug  1 15:51 unms.domaina.com.conf

JaredBusch

And here is what goes in a conf file that handles SSL.

[jbusch@nginxproxy ~]$ cat /etc/nginx/conf.d/community.domaina.com.conf
server {
    client_max_body_size 40M;
    listen 443 ssl;
    server_name community.domaina.com;
    ssl          on;
    ssl_certificate /etc/letsencrypt/live/support.domaina.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/support.domaina.com/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://10.254.0.35:4567;
        proxy_redirect off;

        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

    }
}
server {
    client_max_body_size 40M;
    listen 80;
    server_name community.domaina.com;
    rewrite        ^ https://$server_name$request_uri? permanent;
}

JaredBusch

As you can see, I obtained my SSL from LetsEncrypt and this is forwarding to a NodeBB forum

Emad R

@jaredbusch said in Nginx Certificate Authentication issue:

What have you done do configure your site?

I can spin up CentOS 7 install Nginx, and immediately have it serving SSL with no special configuration.

This is my nginx.conf that to my recollection has zero modifications.
[jbusch@nginxproxy ~]$ cat /etc/nginx/nginx.conf

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
    server {
        listen       443 default_server;
        listen       [::]:443 default_server;
        server_name  _;
        root         /usr/share/nginx/html;
        ssl          on;
        ssl_certificate /etc/ssl/cacert.pem;
        ssl_certificate_key /etc/ssl/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

}

I can serve SSL content and I can proxy fine, thanks to a guide you wrote previously.

What I am wondering or want to accomplish is

	ssl_client_certificate "/etc/pki/nginx/ca.crt";		
	ssl_verify_client on;

Meaning no one can visit my https site, without installing .p12 cert on their browser, similar to VPN. Extra Security stuff.

JaredBusch

@emad-r said in Nginx Certificate Authentication issue:

@jaredbusch said in Nginx Certificate Authentication issue:

What have you done do configure your site?

I can spin up CentOS 7 install Nginx, and immediately have it serving SSL with no special configuration.

This is my nginx.conf that to my recollection has zero modifications.
[jbusch@nginxproxy ~]$ cat /etc/nginx/nginx.conf

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
    server {
        listen       443 default_server;
        listen       [::]:443 default_server;
        server_name  _;
        root         /usr/share/nginx/html;
        ssl          on;
        ssl_certificate /etc/ssl/cacert.pem;
        ssl_certificate_key /etc/ssl/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

}

I can serve SSL content and I can proxy fine, thanks to a guide you wrote previously.

What I am wondering or want to accomplish is

  ssl_client_certificate "/etc/pki/nginx/ca.crt";		
  ssl_verify_client on;

Meaning no one can visit my https site, without installing .p12 cert on their browser, similar to VPN. Extra Security stuff.

ok, now I am following.

never tested that functionality myself form the admin side. Used it in the past as a user of someone else's system.

JaredBusch

@emad-r who owns the file?

ls -laZ /etc/pki/nginx/ca.crt

Emad R

@jaredbusch said in Nginx Certificate Authentication issue:

ls -laZ /etc/pki/nginx/ca.crt

-rw-r--r-- root root ?

JaredBusch

@emad-r said in Nginx Certificate Authentication issue:

@jaredbusch said in Nginx Certificate Authentication issue:

ls -laZ /etc/pki/nginx/ca.crt

-rw-r--r-- root root ?

i specified -laZ intentionally to show the SELinux context also.

I don't have your directory setup, but this is what my /etc/pki/tls/certs looks like

drwxr-xr-x. root root system_u:object_r:cert_t:s0      .
drwxr-xr-x. root root system_u:object_r:cert_t:s0      ..
lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r--. root root unconfined_u:object_r:cert_t:s0  dhparam.pem
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       make-dummy-cert
-rw-r--r--. root root system_u:object_r:cert_t:s0      Makefile
-rwxr-xr-x. root root system_u:object_r:cert_t:s0      renew-dummy-cert

Emad R

@jaredbusch said in Nginx Certificate Authentication issue:

@emad-r said in Nginx Certificate Authentication issue:

@jaredbusch said in Nginx Certificate Authentication issue:

ls -laZ /etc/pki/nginx/ca.crt

-rw-r--r-- root root ?

i specified -laZ intentionally to show the SELinux context also.

I don't have your directory setup, but this is what my /etc/pki/tls/certs looks like

drwxr-xr-x. root root system_u:object_r:cert_t:s0      .
drwxr-xr-x. root root system_u:object_r:cert_t:s0      ..
lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r--. root root unconfined_u:object_r:cert_t:s0  dhparam.pem
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       make-dummy-cert
-rw-r--r--. root root system_u:object_r:cert_t:s0      Makefile
-rwxr-xr-x. root root system_u:object_r:cert_t:s0      renew-dummy-cert

I see, I think my issue is related to openssl and CA setup, a missing step some where, was hoping for some easy setup guide so we can use this method instead of VPN, this would be a quicker and very secure way for special scenarios.

Cause I am testing this, Selinux is disabled. Once I succeed if I do I document then re-enable security features and test again.

JaredBusch

@emad-r said in Nginx Certificate Authentication issue:

@jaredbusch said in Nginx Certificate Authentication issue:

@emad-r said in Nginx Certificate Authentication issue:

@jaredbusch said in Nginx Certificate Authentication issue:

ls -laZ /etc/pki/nginx/ca.crt

-rw-r--r-- root root ?

i specified -laZ intentionally to show the SELinux context also.

I don't have your directory setup, but this is what my /etc/pki/tls/certs looks like

drwxr-xr-x. root root system_u:object_r:cert_t:s0      .
drwxr-xr-x. root root system_u:object_r:cert_t:s0      ..
lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r--. root root unconfined_u:object_r:cert_t:s0  dhparam.pem
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       make-dummy-cert
-rw-r--r--. root root system_u:object_r:cert_t:s0      Makefile
-rwxr-xr-x. root root system_u:object_r:cert_t:s0      renew-dummy-cert

I see, I think my issue is related to openssl and CA setup, a missing step some where, was hoping for some easy setup guide so we can use this method instead of VPN, this would be a quicker and very secure way for special scenarios.

Not sure what else you need. Point to the private key and the certificate.

Cause I am testing this, Selinux is disabled. Once I succeed if I do I document then re-enable security features and test again.

Always useful for eliminating a potential configuration problem.

Emad R

@jaredbusch said in Nginx Certificate Authentication issue:

@emad-r said in Nginx Certificate Authentication issue:

@jaredbusch said in Nginx Certificate Authentication issue:

ls -laZ /etc/pki/nginx/ca.crt

-rw-r--r-- root root ?

i specified -laZ intentionally to show the SELinux context also.

I don't have your directory setup, but this is what my /etc/pki/tls/certs looks like

drwxr-xr-x. root root system_u:object_r:cert_t:s0      .
drwxr-xr-x. root root system_u:object_r:cert_t:s0      ..
lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r--. root root unconfined_u:object_r:cert_t:s0  dhparam.pem
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       make-dummy-cert
-rw-r--r--. root root system_u:object_r:cert_t:s0      Makefile
-rwxr-xr-x. root root system_u:object_r:cert_t:s0      renew-dummy-cert

Thanks this pointed me in the right direction, a useful guide coming soon