Thanks for the help. I tried to locate the file client.p12. It seems it's not located in etc/ssl/certs? I'm really sorry, I just don't seem to get the drift. Thanks for your patience.
-
Howto use ssl client certificates
-
It most probably is in /etc/ssl/
-
OK, I found it. After copy-pasting the code into a .crt file on Windows and trying to install it, I get this message:
file cannot be used for certificate
-
I now have the following.
When I enter mydomain.nl it turns out there is no certificate.
When I enter mydomain.nl:8081 I just enter my pimatic. How can this be? Did I miss something?
Also I can't seem to get the certificate right.
-
In my HowTo I have described various checks to validate the workings of the different steps. Did you execute these checks and were they successful along the way?
Also I don't own any Windows devices, so you have to do some Googling to make the certificate work.
-
Actually I have the same problem, I've just been too busy to troubleshoot this.
In the end the config should look like this? This gives an error when trying to reload the nginx service.
# Redirect to HTTPS
location / {
    return 301 https://$host$request_uri;
}

location / {
    # Proxy requests to pimatic
    proxy_pass http://127.0.0.1:8080;
}
Also, is it necessary to uncomment?
# add_header Strict-Transport-Security "max-age=31536000";
-
Everything else is working for me to this point: the nginx site needs a certificate, after installing the certificate it lets me in to the nginx page, but redirecting to pimatic doesn't work.
-
This is my current config, is it ok?
# Default server configuration
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    server_name somename.com;

    # Maintain the .well-known directory alias for Let's Encrypt renewals
    location /.well-known {
        alias /var/www/html/.well-known;
    }

    # Redirect to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }

    location / {
        # Proxy requests to pimatic
        proxy_pass http://127.0.0.1:8080;
    }
}

# SSL configuration
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    # Let's Encrypt signed certificates
    ssl_certificate /etc/letsencrypt/live/somename.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/somename.com/privkey.pem;
    ssl_client_certificate /etc/ssl/certs/my_pimatic_CA.crt;
    ssl_verify_client on;

    # Turn on OCSP stapling as recommended at
    # https://community.letsencrypt.org/t/integration-guide/13123
    # requires nginx version >= 1.3.7
    ssl_stapling on;
    ssl_stapling_verify on;

    # Uncomment this line only after testing in browsers,
    # as it commits you to continuing to serve your site over HTTPS
    # in future
    add_header Strict-Transport-Security "max-age=31536000";

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name somename.com;
}
-
"Add the following snippet to your HTTPS configuration in /etc/nginx/sites-enabled/default to be like
location / {
    # Proxy requests to pimatic
    proxy_pass http://127.0.0.1:8080;
}
"
The HTTPS configuration is the part about port 443; you have added it to the HTTP configuration.
This is what my config looks like:
# Default server configuration
#
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    server_name pimatic.example.com;

    # Maintain the .well-known directory alias for Let's Encrypt renewals
    location /.well-known {
        alias /var/www/html/.well-known;
    }

    # Redirect to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS configuration
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    # Let's Encrypt signed certificates
    ssl_certificate /etc/letsencrypt/live/pimatic.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pimatic.example.com/privkey.pem;
    ssl_client_certificate /etc/ssl/certs/pimatic_CA.crt;
    ssl_verify_client on;

    # Turn on OCSP stapling as recommended at
    # https://community.letsencrypt.org/t/integration-guide/13123
    # requires nginx version >= 1.3.7
    ssl_stapling on;
    ssl_stapling_verify on;

    # Uncomment this line only after testing in browsers,
    # as it commits you to continuing to serve your site over HTTPS
    # in future
    # add_header Strict-Transport-Security "max-age=31536000";

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name pimatic.example.com;

    location / {
        # Proxy request to pimatic
        proxy_pass http://127.0.0.1:8080;
    }
}
-
Thank you again, all working now.
-
@rrooggiieerr Thanks a lot for your effort and your HowTo.
I tried to use your way and have some problems near the end… I have copied client.p12 to my Windows Firefox and my Android and installed it. But on both systems I see a "400 Bad Request - The SSL certificate error" when entering the site. Maybe it's not correctly installed, I don't know. Maybe you can give me a hint what to search for.
Regards,
Anduril
-
Did you use the CA certificate to sign your key, or the server certificate? And did you configure the CA certificate properly in the nginx config?
-
Well, I think I used the CA to sign the client certificate, but I simply copied your lines of code from the first post. I will also add the nginx config when I'm back at home…
Here is my nginx config:
# Default server configuration
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    server_name anduril.selfhost.bz;

    # Maintain the .well-known directory alias for Let's Encrypt renewals
    location /.well-known {
        alias /var/www/html/.well-known;
    }

    # Redirect to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS configuration
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    # Let's Encrypt signed certificates
    ssl_certificate /etc/letsencrypt/live/anduril.selfhost.bz/fullchain$
    ssl_certificate_key /etc/letsencrypt/live/anduril.selfhost.bz/privkey.p$
    ssl_client_certificate /etc/ssl/certs/my_pimatic_CA.crt;
    ssl_verify_client on;

    # Turn on OCSP stapling as recommended at
    # https://community.letsencrypt.org/t/integration-guide/13123
    # requires nginx version >= 1.3.7
    ssl_stapling on;
    ssl_stapling_verify on;

    # Uncomment this line only after testing in browsers,
    # as it commits you to continuing to serve your site over HTTPS
    # in future
    # add_header Strict-Transport-Security "max-age=31536000";

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name anduril.selfhost.bz;
}
-
Are those $ really in the config file?
ssl_certificate /etc/letsencrypt/live/anduril.selfhost.bz/fullchain$
ssl_certificate_key /etc/letsencrypt/live/anduril.selfhost.bz/privkey.p$
-
Nope, that's only the way my editor (nano) tells me that the line is longer than the ssh console. Do you see any problems in this config? If not, it has to be a problem with the certs. Is it safe to delete them and start all over?
-
Sure, you can delete them, or maybe better, rename them, and start over.
-
Well, I started all over with a fresh Raspbian and it still does not work. Is there a log file anywhere that might say what I am doing wrong? HTTPS is working, but as soon as I add client certs things go wrong. When connecting without choosing a client cert it says
400 Bad Request No required SSL certificate was sent
which seems ok. After choosing the cert all I get is
400 Bad Request The SSL certificate error nginx/1.10.3
Don't know what to try next… BTW all this was tested with FF 55.0.3 and client.p12 imported into system storage (double click in file browser) and FF cert storage (about:preferences#advanced --> certificates).
-
According to Google the error refers to an SSL certificate error. Maybe you can use some openssl commands to verify the certificates? Otherwise I don't know.
-
Hi @rrooggiieerr,
thank you for the nice tutorial. I have tried to follow your instructions, but in the last step of self-signed certificates there must be an error which I can't solve. Perhaps you or somebody else can help me or give me some hints.
@rrooggiieerr said in Howto use ssl client certificates:
After this step you should be able to see the “Welcome to nginx on Debian!” screen when you browse to your pimatic domain and HTTP is redirected to HTTPS.
Create self signed Certificate Authority
Up to the validation step of "Welcome to Nginx on Debian" everything works fine. This page is reachable from
- outside over the internet by my ddns.net address and also
- the local network by the IP address of my Raspberry (without adding a port number).
Problems come up after the step "create a self-signed certificate". I have done this step several times within 3 days but without any success. After adding the last lines
location / {
    # Proxy requests to pimatic
    proxy_pass http://127.0.0.1:8080;
}
my pimatic frontend is also available from the internet and on the local network.
==> So my impression is that the generation procedure of the certificates (Certificate Authority and Client Certificate) is somehow faulty. Not in general, but through my faults or for my system set-up.
What I have tried by now:
- password without special characters
- filling out every field within the certification procedure
- deleted files (certs/my_pimatic_CA.crt, certs/client.crt, client.p12) and started from the beginning
What I have recognized:
- the folder /etc/ssl/private is empty ==> is that possible? I do not see any *.key files
- the file /etc/ssl/certs/my_pimatic_CA.crt exists
- the files client.csr, client.p12 and openssl.cnf exist
-
/etc/ssl/private should not be empty, my_pimatic_CA.key should be in there. Did you su to root and cd to /etc/ssl/?
sudo su -
cd /etc/ssl/
openssl genrsa -des3 -out private/my_pimatic_CA.key 4096
openssl req -new -x509 -days 3650 -key private/my_pimatic_CA.key -out certs/my_pimatic_CA.crt
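The "use some openssl commands to verify the certificates" suggestion above and the CA commands just shown can be turned into an offline check. This is an added example, not part of the HowTo or anyone's post in the thread: it builds a throwaway CA the way the HowTo does (without a key passphrase), signs a client certificate, packs it into a .p12 like client.p12, and then checks whether the certificate (and the one inside the .p12) chains to the CA file that nginx gets in ssl_client_certificate. All names, the "secret" passphrase and the temp directory are constructed; it assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example (not from the HowTo): verify offline that a client certificate,
# including the one packed into a .p12, chains to the CA in ssl_client_certificate.
# Names, passphrase and files are constructed in a temp dir; no server is needed.
set -e
WORK=$(mktemp -d)

# Throwaway CA built like the HowTo's, but without a key passphrase.
make_ca() {  # $1 = CA name
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$WORK/$1.key" -subj "/CN=$1" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Client key + CSR signed by the given CA, then bundled into a .p12 like client.p12.
make_client() {  # $1 = client name, $2 = CA name, $3 = p12 passphrase
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
    -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -out "$WORK/$1.p12" -passout "pass:$3" 2>/dev/null
}

# The check nginx effectively does: does the cert verify against the CA file?
check_cert() {  # $1 = CA crt, $2 = client crt; prints ok or fail
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Pull the certificate out of a .p12 (what the browser imported) and check that one.
check_p12() {  # $1 = CA crt, $2 = p12 file, $3 = passphrase
  openssl pkcs12 -in "$2" -clcerts -nokeys -passin "pass:$3" -out "$2.crt" 2>/dev/null
  check_cert "$1" "$2.crt"
}

make_ca my_pimatic_CA
make_ca other_CA                      # a CA nginx has not been told to trust
make_client client   my_pimatic_CA secret
make_client stranger other_CA      secret

GOOD=$(check_cert "$WORK/my_pimatic_CA.crt" "$WORK/client.crt")    # ok
BAD=$(check_cert "$WORK/my_pimatic_CA.crt" "$WORK/stranger.crt")   # fail: wrong CA
P12=$(check_p12 "$WORK/my_pimatic_CA.crt" "$WORK/client.p12" secret)  # ok
echo "client.crt: $GOOD  stranger.crt: $BAD  client.p12: $P12"
```

A "fail" for your real client.crt or client.p12 against /etc/ssl/certs/my_pimatic_CA.crt is the same condition that makes nginx answer "400 Bad Request The SSL certificate error". Against the live server, `openssl s_client -connect yourdomain:443 -cert client.crt -key client.key` shows the handshake and the server's response directly.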