Nginx Certificate Authentication issue



  • Hi,

    I recall Scott made a video explaining VPNs and comparing them with HTTPS with certificate-based authentication.

    I researched and got these sources:
    https://gist.github.com/mtigas/952344

    I tried to implement it, using a test environment but failed.

    I reached a point where the nginx web server would give me an error that I need to supply an SSL cert, but even if I download it and install one in my Chrome browser it won't connect.

    400 Bad Request

    No required SSL certificate was sent
    nginx/1.10.2

    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;
    
    # Load dynamic modules. See /usr/share/nginx/README.dynamic.
    include /usr/share/nginx/modules/*.conf;
    
    events {
        worker_connections 1024;
    }
    
    http {
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    
        access_log  /var/log/nginx/access.log  main;
    
        sendfile            on;
        tcp_nopush          on;
        tcp_nodelay         on;
        keepalive_timeout   65;
        types_hash_max_size 2048;
    
        include             /etc/nginx/mime.types;
        default_type        application/octet-stream;
    
        # Load modular configuration files from the /etc/nginx/conf.d directory.
        # See http://nginx.org/en/docs/ngx_core_module.html#include
        # for more information.
        include /etc/nginx/conf.d/*.conf;
    
    # Settings for a TLS enabled server.
    
        server {
            listen       443 ssl http2 default_server;
            listen       [::]:443 ssl http2 default_server;
            server_name  _;
            root         /usr/share/nginx/html;
    
            ssl_certificate "/etc/pki/nginx/server.crt";
            ssl_certificate_key "/etc/pki/nginx/private/server.key";
            ssl_session_cache shared:SSL:1m;
            ssl_session_timeout  10m;
            ssl_ciphers HIGH:!aNULL:!MD5;
            ssl_prefer_server_ciphers on;
            ssl_client_certificate "/etc/pki/nginx/ca.crt";
            ssl_verify_client on;

            # Load configuration files for the default server block.
            include /etc/nginx/default.d/*.conf;

            location / {
                # Pass the client address and forwarding chain to the backend
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass http://192.168.1.10;    # change to your backend server IP
                proxy_redirect off;
            }
    
            error_page 404 /404.html;
                location = /40x.html {
            }
    
            error_page 500 502 503 504 /50x.html;
                location = /50x.html {
            }
        }
    
    }

  • Service Provider

    What have you done to configure your site?

    I can spin up CentOS 7, install Nginx, and immediately have it serving SSL with no special configuration.

    This is my nginx.conf, which to my recollection has zero modifications.
    [[email protected] ~]$ cat /etc/nginx/nginx.conf

    # For more information on configuration, see:
    #   * Official English Documentation: http://nginx.org/en/docs/
    #   * Official Russian Documentation: http://nginx.org/ru/docs/
    
    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;
    
    events {
        worker_connections 1024;
    }
    
    http {
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    
        access_log  /var/log/nginx/access.log  main;
    
        sendfile            on;
        tcp_nopush          on;
        tcp_nodelay         on;
        keepalive_timeout   65;
        types_hash_max_size 2048;
    
        include             /etc/nginx/mime.types;
        default_type        application/octet-stream;
    
        # Load modular configuration files from the /etc/nginx/conf.d directory.
        # See http://nginx.org/en/docs/ngx_core_module.html#include
        # for more information.
        include /etc/nginx/conf.d/*.conf;
    
        server {
            listen       80 default_server;
            listen       [::]:80 default_server;
            server_name  _;
            root         /usr/share/nginx/html;
    
            # Load configuration files for the default server block.
            include /etc/nginx/default.d/*.conf;
    
            location / {
            }
    
            error_page 404 /404.html;
                location = /40x.html {
            }
    
            error_page 500 502 503 504 /50x.html;
                location = /50x.html {
            }
        }
        server {
            listen       443 default_server;
            listen       [::]:443 default_server;
            server_name  _;
            root         /usr/share/nginx/html;
            ssl          on;
            ssl_certificate /etc/ssl/cacert.pem;
            ssl_certificate_key /etc/ssl/privkey.pem;
            ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    
            # Load configuration files for the default server block.
            include /etc/nginx/default.d/*.conf;
    
            location / {
            }
    
            error_page 404 /404.html;
                location = /40x.html {
            }
    
            error_page 500 502 503 504 /50x.html;
                location = /50x.html {
            }
        }
    
    }
    

  • Service Provider

    Then for each site that I proxy, I have a specific *.conf file.

    [[email protected] ~]$ ls -l /etc/nginx/conf.d/
    total 68
    -rw-r--r--. 1 root root 1334 May 12 14:37 assets.domaina.com.conf
    -rw-r--r--. 1 root root  446 Nov 16  2015 domainc.com.conf
    -rw-r--r--. 1 root root 1306 May 12 14:25 community.domaina.com.conf
    -rw-r--r--. 1 root root 1289 May 12 22:56 crm.domaina.com.conf
    -rw-r--r--. 1 root root 1092 May 26 14:02 domainb.com.conf
    -rw-r--r--. 1 root root 1253 May 12 14:27 helpdesk.domaina.com.conf
    -rw-r--r--. 1 root root 1087 May 29 13:18 naggaroth.domainb.com.conf
    -rw-r--r--. 1 root root 1226 May 12 14:28 domaind.com.conf
    -rw-r--r--. 1 root root 1235 May 12 14:29 nc.domaina.com.conf
    -rw-r--r--. 1 root root 1362 May 12 14:29 nc.domainb.com.conf
    -rw-r--r--. 1 root root 1237 May 12 14:29 obelisk.domainb.com.conf
    -rw-r--r--. 1 root root 1066 May 12 14:29 oc.domainb.com.conf
    -rw-r--r--. 1 root root 1110 May 12 14:30 domaine.com.conf
    -rw-r--r--. 1 root root 1273 May 12 14:31 support.domaina.com.conf
    -rw-r--r--. 1 root root 1257 May 12 14:31 timereport.domaina.com.conf
    -rw-r--r--. 1 root root 1247 Aug  1 17:45 unifi.domaina.com.conf
    -rw-r--r--. 1 root root 1290 Aug  1 15:51 unms.domaina.com.conf
    

  • Service Provider

    And here is what goes in a conf file that handles SSL.

    [[email protected] ~]$ cat /etc/nginx/conf.d/community.domaina.com.conf
    server {
        client_max_body_size 40M;
        listen 443 ssl;
        server_name community.domaina.com;
        ssl          on;
        ssl_certificate /etc/letsencrypt/live/support.domaina.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/support.domaina.com/privkey.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_pass http://10.254.0.35:4567;
            proxy_redirect off;
    
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    
        }
    }
    server {
        client_max_body_size 40M;
        listen 80;
        server_name community.domaina.com;
        rewrite        ^ https://$server_name$request_uri? permanent;
    }
    

  • Service Provider

    As you can see, I obtained my SSL cert from Let's Encrypt, and this is forwarding to a NodeBB forum.



  • @jaredbusch said in Nginx Certificate Authentication issue:

    What have you done to configure your site?

    I can spin up CentOS 7, install Nginx, and immediately have it serving SSL with no special configuration.

    This is my nginx.conf, which to my recollection has zero modifications.
    [[email protected] ~]$ cat /etc/nginx/nginx.conf

    # For more information on configuration, see:
    #   * Official English Documentation: http://nginx.org/en/docs/
    #   * Official Russian Documentation: http://nginx.org/ru/docs/
    
    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;
    
    events {
        worker_connections 1024;
    }
    
    http {
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    
        access_log  /var/log/nginx/access.log  main;
    
        sendfile            on;
        tcp_nopush          on;
        tcp_nodelay         on;
        keepalive_timeout   65;
        types_hash_max_size 2048;
    
        include             /etc/nginx/mime.types;
        default_type        application/octet-stream;
    
        # Load modular configuration files from the /etc/nginx/conf.d directory.
        # See http://nginx.org/en/docs/ngx_core_module.html#include
        # for more information.
        include /etc/nginx/conf.d/*.conf;
    
        server {
            listen       80 default_server;
            listen       [::]:80 default_server;
            server_name  _;
            root         /usr/share/nginx/html;
    
            # Load configuration files for the default server block.
            include /etc/nginx/default.d/*.conf;
    
            location / {
            }
    
            error_page 404 /404.html;
                location = /40x.html {
            }
    
            error_page 500 502 503 504 /50x.html;
                location = /50x.html {
            }
        }
        server {
            listen       443 default_server;
            listen       [::]:443 default_server;
            server_name  _;
            root         /usr/share/nginx/html;
            ssl          on;
            ssl_certificate /etc/ssl/cacert.pem;
            ssl_certificate_key /etc/ssl/privkey.pem;
            ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    
            # Load configuration files for the default server block.
            include /etc/nginx/default.d/*.conf;
    
            location / {
            }
    
            error_page 404 /404.html;
                location = /40x.html {
            }
    
            error_page 500 502 503 504 /50x.html;
                location = /50x.html {
            }
        }
    
    }
    

    I can serve SSL content and I can proxy fine, thanks to a guide you wrote previously.

    What I am wondering or want to accomplish is

        ssl_client_certificate "/etc/pki/nginx/ca.crt";
        ssl_verify_client on;
    

    Meaning no one can visit my HTTPS site without installing a .p12 cert in their browser, similar to a VPN. Extra security stuff.


  • Service Provider

    @emad-r said in Nginx Certificate Authentication issue:

    @jaredbusch said in Nginx Certificate Authentication issue:

    What have you done to configure your site?

    I can spin up CentOS 7, install Nginx, and immediately have it serving SSL with no special configuration.

    This is my nginx.conf, which to my recollection has zero modifications.
    [[email protected] ~]$ cat /etc/nginx/nginx.conf

    # For more information on configuration, see:
    #   * Official English Documentation: http://nginx.org/en/docs/
    #   * Official Russian Documentation: http://nginx.org/ru/docs/
    
    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;
    
    events {
        worker_connections 1024;
    }
    
    http {
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    
        access_log  /var/log/nginx/access.log  main;
    
        sendfile            on;
        tcp_nopush          on;
        tcp_nodelay         on;
        keepalive_timeout   65;
        types_hash_max_size 2048;
    
        include             /etc/nginx/mime.types;
        default_type        application/octet-stream;
    
        # Load modular configuration files from the /etc/nginx/conf.d directory.
        # See http://nginx.org/en/docs/ngx_core_module.html#include
        # for more information.
        include /etc/nginx/conf.d/*.conf;
    
        server {
            listen       80 default_server;
            listen       [::]:80 default_server;
            server_name  _;
            root         /usr/share/nginx/html;
    
            # Load configuration files for the default server block.
            include /etc/nginx/default.d/*.conf;
    
            location / {
            }
    
            error_page 404 /404.html;
                location = /40x.html {
            }
    
            error_page 500 502 503 504 /50x.html;
                location = /50x.html {
            }
        }
        server {
            listen       443 default_server;
            listen       [::]:443 default_server;
            server_name  _;
            root         /usr/share/nginx/html;
            ssl          on;
            ssl_certificate /etc/ssl/cacert.pem;
            ssl_certificate_key /etc/ssl/privkey.pem;
            ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    
            # Load configuration files for the default server block.
            include /etc/nginx/default.d/*.conf;
    
            location / {
            }
    
            error_page 404 /404.html;
                location = /40x.html {
            }
    
            error_page 500 502 503 504 /50x.html;
                location = /50x.html {
            }
        }
    
    }
    

    I can serve SSL content and I can proxy fine, thanks to a guide you wrote previously.

    What I am wondering or want to accomplish is

        ssl_client_certificate "/etc/pki/nginx/ca.crt";
        ssl_verify_client on;
    

    Meaning no one can visit my HTTPS site without installing a .p12 cert in their browser, similar to a VPN. Extra security stuff.

    OK, now I am following.

    Never tested that functionality myself from the admin side. Used it in the past as a user of someone else's system.


  • Service Provider

    @emad-r who owns the file?

    ls -laZ /etc/pki/nginx/ca.crt
    


  • @jaredbusch said in Nginx Certificate Authentication issue:

    ls -laZ /etc/pki/nginx/ca.crt

    -rw-r--r-- root root ?


  • Service Provider

    @emad-r said in Nginx Certificate Authentication issue:

    @jaredbusch said in Nginx Certificate Authentication issue:

    ls -laZ /etc/pki/nginx/ca.crt

    -rw-r--r-- root root ?

    I specified -laZ intentionally to show the SELinux context also.

    I don't have your directory setup, but this is what my /etc/pki/tls/certs looks like

    drwxr-xr-x. root root system_u:object_r:cert_t:s0      .
    drwxr-xr-x. root root system_u:object_r:cert_t:s0      ..
    lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
    -rw-r--r--. root root unconfined_u:object_r:cert_t:s0  dhparam.pem
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       make-dummy-cert
    -rw-r--r--. root root system_u:object_r:cert_t:s0      Makefile
    -rwxr-xr-x. root root system_u:object_r:cert_t:s0      renew-dummy-cert
    


  • @jaredbusch said in Nginx Certificate Authentication issue:

    @emad-r said in Nginx Certificate Authentication issue:

    @jaredbusch said in Nginx Certificate Authentication issue:

    ls -laZ /etc/pki/nginx/ca.crt

    -rw-r--r-- root root ?

    I specified -laZ intentionally to show the SELinux context also.

    I don't have your directory setup, but this is what my /etc/pki/tls/certs looks like

    drwxr-xr-x. root root system_u:object_r:cert_t:s0      .
    drwxr-xr-x. root root system_u:object_r:cert_t:s0      ..
    lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
    -rw-r--r--. root root unconfined_u:object_r:cert_t:s0  dhparam.pem
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       make-dummy-cert
    -rw-r--r--. root root system_u:object_r:cert_t:s0      Makefile
    -rwxr-xr-x. root root system_u:object_r:cert_t:s0      renew-dummy-cert
    

    I see, I think my issue is related to OpenSSL and CA setup, a missing step somewhere. I was hoping for some easy setup guide so we can use this method instead of a VPN; this would be a quicker and very secure way for special scenarios.

    Because I am testing this, SELinux is disabled. Once I succeed, if I do, I will document it, then re-enable security features and test again.
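The CA setup the post above calls a missing step, as an added example that is not from the thread or from nginx: a POSIX shell script using the openssl CLI that builds the files the original config points to (ca.crt, server.crt/server.key and a client .p12) and performs the one check ssl_verify_client on performs, that the client certificate chains to ca.crt. A browser only offers a client certificate whose issuer is in the CA list the server sends, so a self-signed or otherwise unrelated certificate is never sent and nginx answers with the 400 seen earlier. Output directory, subject names and the .p12 password are assumptions.

```shell
#!/bin/sh
# Added example: a minimal private CA for nginx client-certificate auth.
# Produces ca.crt (for ssl_client_certificate), server.crt/server.key
# (for ssl_certificate/ssl_certificate_key) and <user>.p12 for the browser.
# Output directory, subject names and the .p12 password "changeit" are
# assumptions for this demo, not values from the thread.
set -eu

PKI="${PKI:-$(mktemp -d)}"

# 1. Private CA. Its self-signed certificate is exactly what nginx trusts
#    through ssl_client_certificate; nothing else needs to be in that file.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Private CA" \
        -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
}

# 2. Server certificate for the TLS listener, signed by the same CA here for
#    brevity (a public CA certificate works just as well for this side).
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$PKI/server.key" -out "$PKI/server.csr" 2>/dev/null
    openssl x509 -req -days 825 -in "$PKI/server.csr" \
        -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" -CAcreateserial \
        -out "$PKI/server.crt" 2>/dev/null
}

# 3. Client certificate: a CSR signed with ca.key, then bundled with its key
#    as PKCS#12 for import into the browser. Signing with the CA (rather than
#    self-signing) is the step that makes the browser offer the certificate.
make_client_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$PKI/$1.csr" \
        -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" -CAcreateserial \
        -out "$PKI/$1.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$PKI/$1.key" -in "$PKI/$1.crt" \
        -certfile "$PKI/ca.crt" -name "$1" -passout pass:changeit \
        -out "$PKI/$1.p12"
}

# A self-signed "client" certificate, the usual wrong turn: the browser has
# nothing chaining to ca.crt, sends no certificate, and nginx answers
# "400 No required SSL certificate was sent".
make_selfsigned_client() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$PKI/$1.key" -out "$PKI/$1.crt" 2>/dev/null
}

# 4. The same check nginx makes with ssl_verify_client on: does the client
#    certificate chain to ca.crt? Exit status 0 = accepted, 1 = rejected.
verify_client_cert() {
    openssl verify -CAfile "$PKI/ca.crt" "$PKI/$1.crt" >/dev/null 2>&1
}
```

Point ssl_client_certificate at ca.crt and ssl_certificate/ssl_certificate_key at server.crt/server.key, then import the .p12 into the browser; a certificate verify_client_cert rejects is one nginx would reject too.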


  • Service Provider

    @emad-r said in Nginx Certificate Authentication issue:

    @jaredbusch said in Nginx Certificate Authentication issue:

    @emad-r said in Nginx Certificate Authentication issue:

    @jaredbusch said in Nginx Certificate Authentication issue:

    ls -laZ /etc/pki/nginx/ca.crt

    -rw-r--r-- root root ?

    I specified -laZ intentionally to show the SELinux context also.

    I don't have your directory setup, but this is what my /etc/pki/tls/certs looks like

    drwxr-xr-x. root root system_u:object_r:cert_t:s0      .
    drwxr-xr-x. root root system_u:object_r:cert_t:s0      ..
    lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
    -rw-r--r--. root root unconfined_u:object_r:cert_t:s0  dhparam.pem
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       make-dummy-cert
    -rw-r--r--. root root system_u:object_r:cert_t:s0      Makefile
    -rwxr-xr-x. root root system_u:object_r:cert_t:s0      renew-dummy-cert
    

    I see, I think my issue is related to OpenSSL and CA setup, a missing step somewhere. I was hoping for some easy setup guide so we can use this method instead of a VPN; this would be a quicker and very secure way for special scenarios.

    Not sure what else you need. Point to the private key and the certificate.

    Because I am testing this, SELinux is disabled. Once I succeed, if I do, I will document it, then re-enable security features and test again.

    Always useful for eliminating a potential configuration problem.



  • @jaredbusch said in Nginx Certificate Authentication issue:

    @emad-r said in Nginx Certificate Authentication issue:

    @jaredbusch said in Nginx Certificate Authentication issue:

    ls -laZ /etc/pki/nginx/ca.crt

    -rw-r--r-- root root ?

    I specified -laZ intentionally to show the SELinux context also.

    I don't have your directory setup, but this is what my /etc/pki/tls/certs looks like

    drwxr-xr-x. root root system_u:object_r:cert_t:s0      .
    drwxr-xr-x. root root system_u:object_r:cert_t:s0      ..
    lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
    -rw-r--r--. root root unconfined_u:object_r:cert_t:s0  dhparam.pem
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       make-dummy-cert
    -rw-r--r--. root root system_u:object_r:cert_t:s0      Makefile
    -rwxr-xr-x. root root system_u:object_r:cert_t:s0      renew-dummy-cert
    

    Thanks, this pointed me in the right direction; a useful guide is coming soon.


