Привет, товарищи
Прочитал не одну тему на данную ошибку, но могу понять таки, почему у меня такая ошибка.
*********************************************************************
Окружение:
nginx version: nginx/1.6.0
built by gcc 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC)
TLS SNI support enabled
+ Centos 7
*********************************************************************
как я создавал серты
#Создаём новый корневой СА для наших нужд
1.
openssl req -new -newkey rsa:1024 -nodes -keyout ca.key -x509 -days 500 -subj /C=RU/ST=RO/L=Rostov-on-Don/O=IT/OU=admin/CN=rootCA/emailAddress=xxx@xxx.com -out ca.crt
#Создаём ключ для сервера
1.
openssl genrsa -des3 -out server.key 1024
#И запрос для него
1.
openssl req -new -key server.key -out server.csr
#И тут же подпишим его нашей подписью
1.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
#Создаём ключ для нового клиента и файл запроса сертификата
1.
openssl req -new -newkey rsa:1024 -nodes -keyout ivan.key -subj /C=RU/ST=Rostov/L=Rostov-on-Don/O=SomeFirm/OU=Ivan/CN=IvansCert/emailAddress=xxx@xxx.ru -out ivan.csr
#создаём сертификат клиента использую созданный запрос на создание сертификата и файл конфигураций
1.
openssl ca -config ca.config -in ivan.csr -out ivan.crt -batch
#создаём сертификат клиента для браузера, используя его ключ и сертификат
1.
openssl pkcs12 -export -in ivan.crt -inkey ivan.key -certfile ../cert.pem -out ivan.p12 -passout pass:qwerty
****************************************************************
Конфиги
ca.conf
**********
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
[root@localhost db]# cat ca.config
[ ca ]
default_ca = CA_CLIENT # use ca_client section as default while sign CSR
[ CA_CLIENT ]
dir = ./ # main direcory
certs = $dir/certs # certificate directory
new_certs_dir = $dir/newcerts # new certificates directory
database = $dir/index.txt # database file that contains signed certificates
serial = $dir/serial # file that contains serial numbers of certificates in hex
certificate = ../ca.crt # CA certificate file
private_key = ../ca.key # CA key file
default_days = 365 # lifetime of signed certificate
default_crl_days = 7 # lifetime of CRL
default_md = md5 # sign method
policy = policy_anything # section to use to describe policies
[ policy_anything ]
countryName = optional # change to 'supplied' if something is important.
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
ssl.conf
**********
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
#ssl_stapling on;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.1;
ssl_client_certificate /etc/nginx/ssl/ca.crt;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.nopass.key;
add_header Strict-Transport-Security 'max-age=604800';
ssl_verify_client on;
#ssl_verify_depth 3;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
keepalive_timeout 70;
fastcgi_param SSL_VERIFIED $ssl_client_verify;
fastcgi_param SSL_CLIENT_SERIAL $ssl_client_serial;
fastcgi_param SSL_CLIENT_CERT $ssl_client_cert;
fastcgi_param SSL_DN $ssl_client_s_dn;
*********
nginx.conf
*************
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
40.
41.
42.
43.
44.
45.
46.
47.
48.
49.
50.
51.
52.
53.
54.
55.
56.
57.
58.
59.
60.
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
# Redirect HTTP to HTTPS:
server {
listen 80;
server_name 192.168.100.38;
return 301 https://$server_name$request_uri;
}
# HTTPS server:
server {
listen 192.168.100.38:443 ssl;
server_name 192.168.100.38;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
include /etc/nginx/ssl/ssl.conf;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
}
*******************************************************************************************
в итоге инсталлю в яндексовский браузер
ivan.p12
ivan.crt
server.crt
ca.crt
и на выходе - 400 Bad Request.No required SSL certificate was sent
*********************************************
а в error log -
1.
2.
3.
2014/08/05 13:52:47 [info] 35336#0: *158 peer closed connection in SSL handshake while SSL handshaking, client: 192.168.100.15, server: 192.168.100.38:443
2014/08/05 13:52:47 [info] 35336#0: *159 client closed connection while waiting for request, client: 192.168.100.15, server: 192.168.100.38:443
2014/08/05 13:52:47 [info] 35336#0: *160 client sent no required SSL certificate while reading client request headers, client: 192.168.100.15, server: 192.168.100.38, request: "GET /favicon.ico HTTP/1.1", host: "192.168.100.38"
********************************************
Понимаю насколько банальна эта тема, но.... глаза что ли замылились?...
