Tags: ssl, nginx, openssl

400 Bad Request: The SSL certificate error


I get this error when I try to fetch a page with a client key and certificate using this command:

curl -v -s --key /home/dmitry/Downloads/client_cert/client.mysite.key --cert /home/dmitry/Downloads/client_cert/client.mysite.crt https://mysite.com/api/login/

Here's what I see in nginx logs:

2014/12/08 06:30:55 [crit] 13087#0: *404 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early) while SSL handshaking, client: xxx.xxx.xxx.xxx, server: 0.0.0.0:443

And here is part of my nginx.conf:

server {
    listen  443 ssl;

    ssl_certificate     /home/mysite/conf/dev/ssl/com.mysite.crt;
    ssl_certificate_key /home/mysite/conf/dev/ssl/com.mysite.key;
    ssl_client_certificate /home/mysite/conf/dev/ssl/com.mysite.crt;
    ssl_verify_client optional; 
    ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    server_name   mysite.com www.mysite.com;
    access_log    /home/mysite/logs/nginx_access.log;
    error_log     /home/mysite/logs/nginx_error.log;

    location /api/ {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;

        proxy_set_header SSL-client-serial $ssl_client_serial;
        proxy_set_header SSL-client-dn $ssl_client_s_dn;
        proxy_set_header SSL-client-verify $ssl_client_verify;

        if ($ssl_client_verify != SUCCESS) {
            return 403;
            break;
        }
    }
}

Here are the commands I've used to create client cert:

openssl req -out client.mysite.csr -new -newkey rsa:2048 -nodes -keyout client.mysite.key
openssl x509 -req -days 3650 -in client.mysite.csr -CA com.mysite.crt -CAkey com.mysite.key -set_serial 01 -out client.mysite.crt

What could be wrong here? Should I use some certificate other than the server cert as the CA for my client cert?

UPDATE:

When I do

openssl verify -CAfile com.mysite.crt client.mysite.crt

I get:

error 20 at 0 depth lookup:unable to get local issuer certificate

Solution

  • The certificate I used to sign the other one was not a CA, so it simply could not be verified; that's why I got this error from the openssl verify command:

    error 20 at 0 depth lookup:unable to get local issuer certificate

    If you're not a CA then obviously there's nothing you can do about it.
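The script below is an added example, not part of the question or its solution, that reproduces both situations with openssl: in the first, an ordinary end-entity certificate (the server's own cert, as in the question) signs the client cert; in the second, a certificate carrying basicConstraints CA:TRUE and keyCertSign does the signing. Each result is then checked with the same `openssl verify -CAfile` command used in the update. The subjects (`mysite.example`, `Example Client CA`), file names and helper functions (`check_signer`, `issue`, `verify_against`) are constructed for this example only.

```shell
#!/bin/sh
# Added example (not the question's own commands). Builds two signer/subject
# pairs with openssl and checks which one `openssl verify` accepts.
# All subjects and file names are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

write_ext_files() {
    # End-entity profile: what the question's server cert would have carried.
    # No CA flag and no keyCertSign, so nothing it signs can be verified.
    cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF
    # CA profile: the flags a signer needs for openssl verify (and for nginx's
    # ssl_client_certificate) to accept certificates it issues.
    cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# $1 = basename, $2 = CN. Produces $WORK/$1.key and $WORK/$1.csr.
gen_key_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# $1 = basename, $2 = extension file. Self-signs the CSR into $WORK/$1.crt.
self_sign() {
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 365 \
        -extfile "$2" -out "$WORK/$1.crt" 2>/dev/null
}

# $1 = issuer basename, $2 = subject basename. Issues an end-entity cert;
# this is the question's "openssl x509 -req -CA ... -CAkey ..." step.
issue() {
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" \
        -out "$WORK/$2.crt" 2>/dev/null
}

# $1 = trust anchor basename, $2 = certificate basename.
# Returns 0 when $2 chains to $1, 1 otherwise (the update's openssl verify check).
verify_against() {
    if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Prints "ok" or "rejected" for a signer/subject pair.
check_signer() {
    if verify_against "$1" "$2"; then echo ok; else echo rejected; fi
}

build_both_cases() {
    write_ext_files
    # Case 1, as in the question: the server's own end-entity cert acts as signer.
    gen_key_csr server "mysite.example"
    self_sign server "$WORK/leaf.ext"
    gen_key_csr client_by_server "client.mysite.example"
    issue server client_by_server
    # Case 2: a dedicated CA certificate signs the client cert.
    gen_key_csr ca "Example Client CA"
    self_sign ca "$WORK/ca.ext"
    gen_key_csr client_by_ca "client.mysite.example"
    issue ca client_by_ca
}

build_both_cases
echo "signed by end-entity server cert: $(check_signer server client_by_server)"
echo "signed by real CA cert:           $(check_signer ca client_by_ca)"
echo "signer basicConstraints, for comparison:"
openssl x509 -in "$WORK/server.crt" -noout -text | grep -A1 'Basic Constraints'
openssl x509 -in "$WORK/ca.crt" -noout -text | grep -A1 'Basic Constraints'
```

In the nginx configuration this corresponds to keeping `ssl_certificate` pointed at the server's own certificate while `ssl_client_certificate` points at the CA certificate (`ca.crt` in this example), since nginx treats that file as the set of trusted issuers for client certificates; the server certificate itself, lacking CA:TRUE, cannot play that role.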