Hi,

We have a client certificate in PEM format with the content below, and all these certificates are present in a single file:

serverCertificate -> intermediate CA -> rootCA

Now in nginx.conf we have the directives below set:

```
server {
    ...
    ssl_client_certificate ca-pg-ca.pem;
    ssl_verify_client optional_no_ca;
    ssl_verify_depth 4;

    location ~* "^/" {
        ...
        proxy_set_header Host $best_http_host;
        # Pass the extracted client certificate to the backend
        proxy_set_header ssl-client-cert $ssl_client_escaped_cert;
        proxy_set_header ssl-client-verify $ssl_client_verify;
        proxy_set_header ssl-client-subject-dn $ssl_client_s_dn;
        proxy_set_header ssl-client-issuer-dn $ssl_client_i_dn;
    }
}
```

Now in the nginx logs we see the traces below:

```
{"message":"83#83: *874 http script var: '10.15.176.110:10443'"}
{"message":"83#83: *874 http script copy: 'ssl-client-cert'"}
{"message":"83#83: *874 http script var: '-----BEGIN%20CERTIFICATE-----<ONLY_CLIENT_CERTIFICATE_IS_PRESENT_WITHOUT_INTERMEDIATE>-----END%20CERTIFICATE-----%0A'"}}
{"message":"83#83: *874 http script copy: 'ssl-client-verify'"}}
{"message":"83#83: *874 http script var: 'SUCCESS'"}}
{"message":"83#83: *874 http script copy: 'ssl-client-subject-dn'"}}
{"message":"83#83: *874 http script var: 'CN=clientcert.com,O=ABCD,L=Ba,ST=Ka,C=US'"}}
{"message":"83#83: *874 http script copy: 'ssl-client-issuer-dn'"}}
{"message":"83#83: *874 http script var: 'CN=intermediateca.com,O=Nk,ST=Ka,C=US'"}}
```

So, based on the above, only the client certificate is sent to the upstream server, but our expectation was that the complete PEM contents, including all 3 certs (client, intermediate and root), would be sent to the backend.

Is our expectation correct or wrong? Does any change have to be made to handle this?

Nginx version used: 1.22.1

Thanks & Regards,
Vishwas
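A backend-side check of what arrives in the `ssl-client-cert` header shown in the log above, as an added example that is not part of the original post: it URL-decodes the value, splits it into PEM blocks, and reports how many certificates were forwarded. The function names and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import re
from urllib.parse import quote, unquote

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

def certs_from_header(value):
    """Return the DER bytes of each certificate in an ssl-client-cert value."""
    # unquote(), not unquote_plus(): a literal '+' is valid base64 and must
    # not be turned into a space.
    pem = unquote(value)
    ders = []
    for body in PEM_BLOCK.findall(pem):
        # validate=True raises binascii.Error on a corrupted payload
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    return ders

def describe(headers):
    """Summarise what the proxy forwarded, for logging on the backend."""
    ders = certs_from_header(headers.get("ssl-client-cert", ""))
    return {
        "verify": headers.get("ssl-client-verify", "NONE"),
        "cert_count": len(ders),
        "chain_forwarded": len(ders) > 1,
        "sha256": [hashlib.sha256(d).hexdigest() for d in ders],
    }

def constructed_header(n_certs):
    """Build a constructed header value with n_certs placeholder PEM blocks."""
    pem = ""
    for i in range(n_certs):
        fake_der = b"constructed placeholder, not a real certificate #%d" % i
        pem += ("-----BEGIN CERTIFICATE-----\n"
                + base64.b64encode(fake_der).decode()
                + "\n-----END CERTIFICATE-----\n")
    return quote(pem, safe="")

if __name__ == "__main__":
    # Constructed request headers in the shape of the log in the post.
    sample = {"ssl-client-cert": constructed_header(1),
              "ssl-client-verify": "SUCCESS"}
    print(describe(sample))
```

With `ssl_verify_client optional_no_ca` in the configuration, logging `cert_count` next to the `ssl-client-verify` value on the backend shows exactly what the proxy handed over for each request.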