Do you have the certificate that has that value as the Subject? What
is that certificate's Issuer? And repeat until you get to the root
certificate.

And which of the ssl*certificate files named in your config holds those 
certificates?

I verified all my certs/chains. All good.

With my orig conf, it appears I can't manage to grab/verify SSL client FPs for
other-than-primary domains.

This fails to work, errors as reported above:

        server {
                ...
                server_name example.com;

                ssl_verify_client optional;
                ssl_verify_depth 2;
                ssl_client_certificate    "/www/ssl/self-signed/myCA.CHAIN.crt.pem";

                ssl_trusted_certificate   "/www/ssl/le/deploy/example.com/intermediate_ca.ec.crt.pem";
                ssl_certificate           "/www/ssl/le/deploy/example.com/fullchain.ec.crt.pem";
                ssl_certificate_key       "/www/ssl/le/deploy/example.com/priv.ec.key";

                location /test {
                        if ($ssl_client_verify != SUCCESS) { return 403; }
                        if ($test_ssl_fp_reject) { return 403; }
                        ...
                }
                ...
        }


OTOH, simply splitting the secure subdir out into a separate server{}/subdomain,
with a separate, self-signed cert:

        server {
                ...
                server_name example.com;

                ssl_verify_client off;
                ssl_trusted_certificate   "/www/ssl/le/deploy/example.com/intermediate_ca.ec.crt.pem";
                ssl_certificate           "/www/ssl/le/deploy/example.com/fullchain.ec.crt.pem";
                ssl_certificate_key       "/www/ssl/le/deploy/example.com/priv.ec.key";
        }

        server {
                server_name test.example.com;

                ssl_verify_client on;
                ssl_client_certificate    "/www/ssl/self-signed/myCA.CHAIN.crt.pem";
                ssl_verify_depth 2;
                ssl_certificate           "/www/ssl/self-signed/test.example.com.server.ec.crt.pem";
                ssl_certificate_key       "/www/ssl/self-signed/test.example.com.ec.key.pem";

                location / {
                        if ($ssl_client_verify != SUCCESS) { return 403; }
                        if ($test_ssl_fp_reject) { return 403; }
                        ...
                }
                ...
        }

achieves the intended result -- just not in the same server{} block.
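The Subject-to-Issuer walk asked about at the top of the thread can be scripted against the bundle nginx loads from ssl_client_certificate, so a broken or too-short chain shows up before nginx rejects the client. This is an added example, not code from the thread or from nginx; it assumes openssl and awk are on the path, and the file names are constructed for illustration.

```sh
#!/bin/sh
# Walk a client certificate up through a CA bundle the way nginx must when
# ssl_verify_client is on: each certificate's Issuer has to be the Subject of a
# certificate in the bundle (ssl_client_certificate), ending at a self-signed root.
# Requires openssl and awk. File names are constructed for illustration.

# dn subject|issuer CERT: print that name in RFC 2253 form so two names compare exactly.
dn() { openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# split_bundle BUNDLE DIR: write each PEM certificate in BUNDLE to DIR/cert-NN.pem.
split_bundle() {
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", d, n) }
                 f { print > f }
                 /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# walk_chain CLIENT_CERT BUNDLE: print "depth subject" for every hop, leaf first.
# Returns 1 if no bundle certificate matches an Issuer (the chain breaks before a root),
# 2 if the names link up but the signatures do not verify. The final depth is the
# number of CA certificates nginx has to walk, which ssl_verify_depth must allow.
walk_chain() {
  leaf=$1; bundle=$2; cur=$1; depth=0
  d=$(mktemp -d)
  split_bundle "$bundle" "$d"
  while [ "$(dn subject "$cur")" != "$(dn issuer "$cur")" ]; do
    echo "$depth $(dn subject "$cur")"
    want=$(dn issuer "$cur"); next=""
    for f in "$d"/cert-*.pem; do
      if [ "$(dn subject "$f")" = "$want" ]; then next=$f; break; fi
    done
    if [ -z "$next" ]; then
      echo "chain breaks at depth $depth: no certificate with Subject '$want' in $bundle" >&2
      rm -rf "$d"; return 1
    fi
    cur=$next; depth=$((depth + 1))
  done
  echo "$depth $(dn subject "$cur") (self-signed root)"
  rm -rf "$d"
  # Name matching is not proof; let OpenSSL check the signatures end to end.
  openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1 || return 2
}
```

Run it as `walk_chain client.crt /www/ssl/self-signed/myCA.CHAIN.crt.pem`; the same walk against the file given to ssl_trusted_certificate shows which bundle actually holds the client's issuers.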


_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx