2

I'm currently struggling against a tenacious problem while setting up client certificate authentication for our mailservers via an NginX reverse proxy.

The setup seems to be working in most parts without the client certificates. But when I enable the checking of those and run a test with openssl s_client I allways get:

Verify return code: 2 (unable to get issuer certificate)

The relevant part of my nginx.conf is as follows:

ssl                     on;
ssl_certificate         /etc/ssl/certs/server_cert.pem;
ssl_certificate_key     /etc/ssl/private/server_key.pem;

ssl_client_certificate  /etc/ssl/certs/IntermediateCA_chain.crt;
ssl_crl                 /etc/ssl/crl.pem;
ssl_verify_client       on;

The file IntermediateCA_chain.crt is in PEM-format, and consists of both the IntermediateCA's certificate and afterwards our RootCA's cert.

Side-note: when I do openssl x509 -text -noout -in IntermediateCA_chain.crt only the IntermediateCA's cert is shown. I expected the chain to be displayed. Is that the correct behaviour?

I test the connection with the following command:

openssl s_client -connect server:995 -cert mycert.pem\
 -key mykeyfile.pem -debug -CAfile IntermediateCA_chain.pem

Resulting in

[...]
0b50 - b3 c3 3b 17 66 8e 52 b3-ad 7f 14                  ..;.f.R....
depth=1 DC = top, DC = ad, CN = Intermediate CA
verify error:num=2:unable to get issuer certificate
issuer= C = DE, O = My Company, CN = My Companies Root CA, emailAddress = [email protected]
read from 0x10f6a10 [0x10fe333] (5 bytes => 5 (0x5))
[...]

I tried every variation of IntermediateCA_chain.pem I could think of (IntermediateCA.pem, RootCA.pem, IntermediateCA_chein.pem) on both sides.

It seems as though the failure is on the client-side, because it changes slightly with the used -CAfile and the server's logs show nothing (literaly nothing - no connection attempt or anything else). It seems to me as if either the IntermediateCA_chain.pem on the server- or the client-side are not read correctly. The error seems to result in openssl not beeing able to verify the IntermediateCA, and the certificates issued by it. Can someone help me solve this riddle?

Marlon
  • 226
  • 1
  • 2
  • 6
  • 1
    everything looks fine. Maybe start by commenting out settings you don't need, to narrow down which settings are causing trouble. Please also check your `certificate revocation list`, I have reason to believe that the problem must lie somewhere in there. Good luck! – mofoe Jan 12 '17 at 19:36

1 Answers1

4

Problem solved.

I'll post the reasons and the solution for the slight possibility that it might help someone else:

The first error (verify error:num=2:unable to get issuer certificate) resulted from the form of the -CAfile used on the client side. It was in x509 PEM format and contained a chain of the IntermediateCA's certificate by the RootCA's cert. The problem was that it also contained each CA's CRL (Certificate Revocation List), after its respective certificate-block. Removing them solved this error.

Afterwards I only got a non-descriptive "SSL-error" which I diagnosed by turning of individual options in the nginx.conf (thanks @mofoe for the tip!). It turns out the ssl_crl inside the nginx.conf needs to contain not only the CRL of the IntermediateCA (in x509 PEM-format!), but also the Root-CA's CRL. Combining those two into one CRL-file solved the second error, and the server responded with the expected mailserver welcome-message.

Marlon
  • 226
  • 1
  • 2
  • 6