我正在运行一个nginx docker容器,一个自签名证书,并且正在通过命令行curl测试连接性。 只要不使用ssl_verify_client,我就能毫无问题地连接到服务器。但是使用它时,我会收到
400 No required SSL certificate was sent
有很多变量,我必须缺少一些东西,所以我将展示步骤。
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=US
ST=ThisState
L=MyCity
O=MyOrganization
OU=MyOU
emailAddress=emailaddess@domain.com
CN=my-srv-01
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = my-srv-01
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout nginx-selfsigned.key -out nginx-selfsigned.crt -extensions req_ext -config cert_config.txt
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -extensions req_ext -config cert_config.txt
openssl x509 -req -days 365 -sha256 -in client.csr -CA nginx-selfsigned.crt -CAkey nginx-selfsigned.key -set_serial 2 -out client.crt
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
server {
listen 443 ssl;
server_name my-srv-01;
root html;
ssl_certificate_key /etc/nginx/conf.d/nginx-selfsigned.key;
ssl_certificate /etc/nginx/conf.d/nginx-selfsigned.crt;
ssl_client_certificate /etc/nginx/conf.d/client.crt;
ssl_verify_client on;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
curl -k -v -key /etc/nginx/conf.d/nginx-selfsigned.key -cacert /etc/nginx/conf.d/nginx-selfsigned.crt -cert /etc/nginx/conf.d/client.crt https://my-srv-01
产量(在html和连接参数之间):
400 No required SSL certificate was sent
但是,如果我删除ssl_verify_client选项,curl将显示正确的网页。
我显然缺少了一些东西,感谢您的帮助!