Howto use ssl client certificates

---

@rrooggiieerr Thanks a lot for your effort and your HowTo
I tried to use your way and have some problems near the end… I have the client.p12 copied to my windows firefox and my android and installed it. But on both systems I see a “400 Bad Request - The SSL certificate error” when entering the site. Maybe it’s not correctly installed, I don’t know. Maybe you can give me a hint what to search for.

Regards,
Anduril

Did you use the CA certificate to sign your key, or the server certificate? And did you configure the CA certificate properly in the nginx config?

Well I think I used the CA to sign the client certificate, but I simply copied your lines of code from the first post. I will also add the nginx config when I’m back at home…

here my nginx config:

# Default server configuration
server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/html;

        server_name anduril.selfhost.bz;

        # Maintain the .well-known directory alias for Let's Encrypt renewals
        location /.well-known {
                alias /var/www/html/.well-known;
        }

        # Redirect to HTTPS
        location / {
                return 301 https://$host$request_uri;
        }
}

# HTTPS configuration
server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        # Let's Encrypt signed certificates
        ssl_certificate     /etc/letsencrypt/live/anduril.selfhost.bz/fullchain$
        ssl_certificate_key /etc/letsencrypt/live/anduril.selfhost.bz/privkey.p$
        ssl_client_certificate /etc/ssl/certs/my_pimatic_CA.crt;
        ssl_verify_client on;

        # Turn on OCSP stapling as recommended at
        # https://community.letsencrypt.org/t/integration-guide/13123
        # requires nginx version >= 1.3.7
        ssl_stapling on;
        ssl_stapling_verify on;

        # Uncomment this line only after testing in browsers,
        # as it commits you to continuing to serve your site over HTTPS
        # in future
        # add_header Strict-Transport-Security "max-age=31536000";

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name anduril.selfhost.bz;
}

Are those $ really in the config file?

        ssl_certificate     /etc/letsencrypt/live/anduril.selfhost.bz/fullchain$
        ssl_certificate_key /etc/letsencrypt/live/anduril.selfhost.bz/privkey.p$

nope, that’s only the way of my editor (nano) to tell that the line is longer than the ssh console. Do you see any problems in this config? If not it has to be a problem with the certs. Is it safe to delete them and start all over?

Sure, you can delete them, or maybe better, rename them, and start over

well I started all over with a fresh raspbian and it still does not work. Is there a log file anywhere that might say what I am doing wrong? Https is working but as soon as I add client certs things go wrong. When connecting without choosing a client cert it says 400 Bad Request No required SSL certificate was sentwhich seems ok. After choosing the vert all I get is 400 Bad Request The SSL certificate error nginx/1.10.3
Don’t know what to try next…

BTW all this tested with FF 55.0.3 and client.p12 imported to system storage (double click in file browser) and FF cert storage (about:preferences#advanced --> certificates)

According to Google the error refers to a SSL certificate error. Maybe you can use some openssl commands to verify the certificates? Otherwise I don’t know

Hi @rrooggiieerr ,

thank you for the nice tutorial. I have tried to follow your instructions, but in the last step of self signed certificates there must be an error which I can’t solve. Perhaps you or somebody else can help me or give me some hints.

@rrooggiieerr said in Howto use ssl client certificates:

After this step you should be able to see the “Welcome to nginx on Debian!” screen when you browse to your pimatic domain and HTTP is redirected to HTTPS.

Create self signed Certificate Authority

Up to the validation step of “Welcome to Nginx on Debian” everything works fine. This page is reachable from

• outside over internet by my ddns.net address and also
• local network by the IP-Address of my raspberry (without adding port number).

Problems are coming up after the step create a self signed certificate. I have done this step several times within 3 days but without any success. In addition of the last lines

location / {
                # Proxy requests to pimatic
                proxy_pass http://127.0.0.1:8080;
        } 

also my pimatic frontent is available by internet and on local network.

==> So my impression is that the generation procedure of the certificates (Certificate Authority and Client Certificate) is somehow faulty. Not in general, but by my faults or for my system set-up.

what I have tried by now

• password without special charaters
• filling out every field within the certification procedure
• delted files (certs/my_pimatic_CA.crt, certs/client.crt, client.p12) and started from beginning

what i have recognized

• the folder /etc/ssl/private is empty ==> is that possible? I do net see any *.key files
• the file /etc/ssl/certs/my_pimatic_CA.crt exists
• the files client.csr, client.p12 and openssl.cnf exists

/etc/ssl/private should not be empty, my_pimatic_CA.key should be in there. Did you su to root and cd to /etc/ssl/?

sudo su -
cd /etc/ssl/
openssl genrsa -des3 -out private/my_pimatic_CA.key 4096
openssl req -new -x509 -days 3650 -key private/my_pimatic_CA.key -out certs/my_pimatic_CA.crt

@rrooggiieerr thanks for this info. I already have expected that this folder shouldn’t be empty. I will try it again on Sunday and and post the results of your code lines, but I’m very sure that I have used the sudo line and the correct directory.

@rrooggiieerr i tried it again and realised that the folder is not empty. I just cant see the files by the gui in the folder because of missing rights. But with ls i can see the files… So this is my output. But it is not working for me. Can you recognise some mistakes?

pi@raspberrypi:~ $ sudo su -
root@raspberrypi:~# cd /etc/ssl/
root@raspberrypi:/etc/ssl# openssl genrsa -des3 -out private/my_pimatic_CA.key 4096
Generating RSA private key, 4096 bit long modulus
............................................................++
.............................................................++
e is 65537 (0x10001)
Enter pass phrase for private/my_pimatic_CA.key:
Verifying - Enter pass phrase for private/my_pimatic_CA.key:
root@raspberrypi:/etc/ssl# cd ./private/
root@raspberrypi:/etc/ssl/private# ls
client.key  my_pimatic_CA.key
root@raspberrypi:/etc/ssl/private# cd /etc/ssl/
root@raspberrypi:/etc/ssl# openssl req -new -x509 -days 3650 -key private/my_pimatic_CA.key -out certs/my_pimatic_CA.crt
Enter pass phrase for private/my_pimatic_CA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:XXXXXX
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXXXXX
Organizational Unit Name (eg, section) []:Pimatic
Common Name (e.g. server FQDN or YOUR name) []:XXXXXX.ddns.net
Email Address []:.
root@raspberrypi:/etc/ssl# openssl genrsa -des3 -out private/client.key 4096
Generating RSA private key, 4096 bit long modulus
.......................++
...........++
e is 65537 (0x10001)
Enter pass phrase for private/client.key:
Verifying - Enter pass phrase for private/client.key:
root@raspberrypi:/etc/ssl# openssl req -new -key private/client.key -out client.csr
Enter pass phrase for private/client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:XXXXXX
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXXXXX
Organizational Unit Name (eg, section) []:Pimatic
Common Name (e.g. server FQDN or YOUR name) []:XXXXXX.ddns.net
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@raspberrypi:/etc/ssl# ls
certs  client.csr  openssl.cnf	private
root@raspberrypi:/etc/ssl# openssl x509 -req -days 3650 -in client.csr -CA certs/my_pimatic_CA.crt -CAkey private/my_pimatic_CA.key -set_serial 01 -out certs/client.crt
Signature ok
subject=/C=DE/L=XXXXXX/O=XXXXXX/OU=Pimatic/CN=XXXXXX.ddns.net
Getting CA Private Key
Enter pass phrase for private/my_pimatic_CA.key:
root@raspberrypi:/etc/ssl# openssl pkcs12 -export -clcerts -in certs/client.crt -inkey private/client.key -out client.p12
Enter pass phrase for private/client.key:
Enter Export Password:
Verifying - Enter Export Password:
root@raspberrypi:/etc/ssl# ls
certs  client.csr  client.p12  openssl.cnf  private
root@raspberrypi:/etc/ssl# exit
Abgemeldet

missing right to open private folder

pi@raspberrypi:~ $ cd /etc/ssl/private/
bash: cd: /etc/ssl/private/: Keine Berechtigung

And just one last info. I changed the file /etc/nginx/sites-available/default because the default file in sites-enabled is a linked file of the one in sites-available. Is that okay?

After a long time I have tried to setup nginx reverse proxy again and finally I have managed to get it running.
The main problem for me has been solved by using another export command for the client certificate.

openssl pkcs12 -export -in certs/client.crt -inkey private/client.key -certfile certs/my_pimatic_CA.crt -out client.p12

So @rrooggiieerr can you perhaps update your HowTo with the following hints which I have recognized while setting up the nginx server? Maybe these Infos can also be helpfull.

1. Run Let’s Encrypt
   Generate the Let’s Encrypt certificate
   sudo certbot-auto certonly --webroot -w /var/www/html/ -d pimatic.example.com
   ==> Common Name has to be “pimatic.example.com”

2. Create self signed Certificate Authority
   ==> Common Name can be a normal name like “pimatic” for example.

3. Create a client certificate
   ==> Common Name can be a normal name like “pimatic-client” for example.

4. Create a client certificate
   ==> Export Passwort might be a good idea if you want to transfer the certificate via email.

5. New Topic Solve Problems

• If you can’t get access and nginx server is responding with a 400 Error even tough you have installed the client certificate try to use the following code snippet to export the client certificate.

sudo su -
cd /etc/ssl/
openssl pkcs12 -export -in certs/client.crt -inkey private/client.key -certfile certs/my_pimatic_CA.crt -out client.p12
exit

• If you can’t get access to the exportet client certificate then you can try to update user rights with the following code.

sudo chmod 777  /etc/ssl/client.p12

• If you want to get the infos of your created certificate. Then you can check the following code.

sudo su -
cd /etc/ssl/
openssl x509 -in certs/my_pimatic-CA.crt -noout -text
exit