Are those $ really in the config file?
ssl_certificate /etc/letsencrypt/live/anduril.selfhost.bz/fullchain$
ssl_certificate_key /etc/letsencrypt/live/anduril.selfhost.bz/privkey.p$
Howto use ssl client certificates
nope, that's only the way my editor (nano) tells me that the line is longer than the ssh console. Do you see any problems in this config? If not, it has to be a problem with the certs. Is it safe to delete them and start all over?
Sure, you can delete them, or maybe better, rename them, and start over
well I started all over with a fresh raspbian and it still does not work. Is there a log file anywhere that might say what I am doing wrong? HTTPS is working, but as soon as I add client certs things go wrong. When connecting without choosing a client cert it says 400 Bad Request No required SSL certificate was sent
which seems ok. After choosing the cert all I get is 400 Bad Request The SSL certificate error nginx/1.10.3
Don’t know what to try next…
BTW all this tested with FF 55.0.3 and client.p12 imported to system storage (double click in file browser) and FF cert storage (about:preferences#advanced --> certificates)
According to Google the error refers to an SSL certificate error. Maybe you can use some openssl commands to verify the certificates? Otherwise I don't know
Hi @rrooggiieerr ,
thank you for the nice tutorial. I have tried to follow your instructions, but in the last step of self-signed certificates there must be an error which I can't solve. Perhaps you or somebody else can help me or give me some hints.
@rrooggiieerr said in Howto use ssl client certificates:
After this step you should be able to see the “Welcome to nginx on Debian!” screen when you browse to your pimatic domain and HTTP is redirected to HTTPS.
Create self signed Certificate Authority
Up to the validation step of “Welcome to Nginx on Debian” everything works fine. This page is reachable from
Problems are coming up after the step "create a self signed certificate". I have done this step several times within 3 days but without any success. In addition, with the last lines
location / {
# Proxy requests to pimatic
proxy_pass http://127.0.0.1:8080;
}
my pimatic frontend is also available via the internet and on the local network.
==> So my impression is that the generation procedure of the certificates (Certificate Authority and Client Certificate) is somehow faulty. Not in general, but because of my mistakes or my system set-up.
what I have tried by now
what I have recognized
/etc/ssl/private is empty ==> is that possible? I do not see any *.key files
/etc/ssl/certs/my_pimatic_CA.crt exists
client.csr, client.p12 and openssl.cnf exist

/etc/ssl/private should not be empty, my_pimatic_CA.key should be in there. Did you su to root and cd to /etc/ssl/?
sudo su -
cd /etc/ssl/
openssl genrsa -des3 -out private/my_pimatic_CA.key 4096
openssl req -new -x509 -days 3650 -key private/my_pimatic_CA.key -out certs/my_pimatic_CA.crt
@rrooggiieerr thanks for this info. I had already expected that this folder shouldn't be empty. I will try it again on Sunday and post the results of your code lines, but I'm very sure that I have used the sudo line and the correct directory.
@rrooggiieerr I tried it again and realised that the folder is not empty. I just can't see the files in the GUI because of missing rights. But with ls I can see the files... So this is my output. But it is not working for me. Can you recognise some mistakes?
pi@raspberrypi:~ $ sudo su -
root@raspberrypi:~# cd /etc/ssl/
root@raspberrypi:/etc/ssl# openssl genrsa -des3 -out private/my_pimatic_CA.key 4096
Generating RSA private key, 4096 bit long modulus
............................................................++
.............................................................++
e is 65537 (0x10001)
Enter pass phrase for private/my_pimatic_CA.key:
Verifying - Enter pass phrase for private/my_pimatic_CA.key:
root@raspberrypi:/etc/ssl# cd ./private/
root@raspberrypi:/etc/ssl/private# ls
client.key my_pimatic_CA.key
root@raspberrypi:/etc/ssl/private# cd /etc/ssl/
root@raspberrypi:/etc/ssl# openssl req -new -x509 -days 3650 -key private/my_pimatic_CA.key -out certs/my_pimatic_CA.crt
Enter pass phrase for private/my_pimatic_CA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:XXXXXX
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXXXXX
Organizational Unit Name (eg, section) []:Pimatic
Common Name (e.g. server FQDN or YOUR name) []:XXXXXX.ddns.net
Email Address []:.
root@raspberrypi:/etc/ssl# openssl genrsa -des3 -out private/client.key 4096
Generating RSA private key, 4096 bit long modulus
.......................++
...........++
e is 65537 (0x10001)
Enter pass phrase for private/client.key:
Verifying - Enter pass phrase for private/client.key:
root@raspberrypi:/etc/ssl# openssl req -new -key private/client.key -out client.csr
Enter pass phrase for private/client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:XXXXXX
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXXXXX
Organizational Unit Name (eg, section) []:Pimatic
Common Name (e.g. server FQDN or YOUR name) []:XXXXXX.ddns.net
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@raspberrypi:/etc/ssl# ls
certs client.csr openssl.cnf private
root@raspberrypi:/etc/ssl# openssl x509 -req -days 3650 -in client.csr -CA certs/my_pimatic_CA.crt -CAkey private/my_pimatic_CA.key -set_serial 01 -out certs/client.crt
Signature ok
subject=/C=DE/L=XXXXXX/O=XXXXXX/OU=Pimatic/CN=XXXXXX.ddns.net
Getting CA Private Key
Enter pass phrase for private/my_pimatic_CA.key:
root@raspberrypi:/etc/ssl# openssl pkcs12 -export -clcerts -in certs/client.crt -inkey private/client.key -out client.p12
Enter pass phrase for private/client.key:
Enter Export Password:
Verifying - Enter Export Password:
root@raspberrypi:/etc/ssl# ls
certs client.csr client.p12 openssl.cnf private
root@raspberrypi:/etc/ssl# exit
Abgemeldet
missing rights to open the private folder
pi@raspberrypi:~ $ cd /etc/ssl/private/
bash: cd: /etc/ssl/private/: Keine Berechtigung
And just one last piece of info. I changed the file /etc/nginx/sites-available/default
because the default file in sites-enabled is a link to the one in sites-available. Is that okay?
After a long time I have tried to setup nginx reverse proxy again and finally I have managed to get it running.
The main problem for me has been solved by using another export command for the client certificate.
openssl pkcs12 -export -in certs/client.crt -inkey private/client.key -certfile certs/my_pimatic_CA.crt -out client.p12
So @rrooggiieerr can you perhaps update your HowTo with the following hints which I have recognized while setting up the nginx server? Maybe this info can also be helpful.
Run Let’s Encrypt
Generate the Let’s Encrypt certificate
sudo certbot-auto certonly --webroot -w /var/www/html/ -d pimatic.example.com
==> Common Name has to be “pimatic.example.com”
Create self signed Certificate Authority
==> Common Name can be a normal name like “pimatic” for example.
Create a client certificate
==> Common Name can be a normal name like “pimatic-client” for example.
Create a client certificate
==> An export password might be a good idea if you want to transfer the certificate via email.
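The suggestion earlier in the thread to check the certificates with openssl, and the fix above of exporting the client certificate together with the CA, can be reproduced end to end. This is an added example, not code from the tutorial or from the thread: it rebuilds the CA, client key, CSR and signed client certificate non-interactively in a scratch directory (no key passphrases, a constructed export password of "secret", and constructed names), then compares a .p12 exported the original way (-clcerts, no -certfile) with one exported the fixed way, and verifies the client certificate against the CA.

```shell
#!/bin/sh
# Added example: rebuild the thread's CA / client certificate / PKCS#12 steps
# in a temporary directory and inspect the results. Assumes an `openssl`
# binary on PATH; names and the export password "secret" are constructed.
set -eu

WORK=$(mktemp -d)

make_pki() {
  cd "$WORK"
  # CA key + self-signed CA certificate (-nodes: no passphrase, demo only)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout my_pimatic_CA.key -out my_pimatic_CA.crt \
    -subj "/O=Pimatic/CN=pimatic" >/dev/null 2>&1
  # client key + CSR, then sign the CSR with the CA (as in the tutorial)
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout client.key -out client.csr \
    -subj "/O=Pimatic/CN=pimatic-client" >/dev/null 2>&1
  openssl x509 -req -days 3650 -in client.csr \
    -CA my_pimatic_CA.crt -CAkey my_pimatic_CA.key -set_serial 01 \
    -out client.crt >/dev/null 2>&1
  # original export: -clcerts keeps only the client cert, so the CA is
  # never bundled; this is the bundle the browser could not get accepted
  openssl pkcs12 -export -clcerts -in client.crt -inkey client.key \
    -out client_noca.p12 -passout pass:secret
  # fixed export from the thread: the CA certificate is added via -certfile
  openssl pkcs12 -export -in client.crt -inkey client.key \
    -certfile my_pimatic_CA.crt -out client.p12 -passout pass:secret
}

# Number of certificates stored in a .p12 bundle (1 = client only, 2 = client + CA).
p12_cert_count() {
  openssl pkcs12 -in "$WORK/$1" -passin pass:secret -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Does the client certificate chain to the CA? (exit status 0 = yes)
client_verifies() {
  openssl verify -CAfile "$WORK/my_pimatic_CA.crt" "$WORK/client.crt" >/dev/null 2>&1
}

make_pki
echo "certs in client_noca.p12: $(p12_cert_count client_noca.p12)"
echo "certs in client.p12:      $(p12_cert_count client.p12)"
client_verifies && echo "client.crt verifies against my_pimatic_CA.crt"
```

The same `openssl verify -CAfile` check against the real /etc/ssl/certs/my_pimatic_CA.crt and certs/client.crt is a quick way to tell whether a 400 "SSL certificate error" comes from a certificate that does not chain to the CA nginx was given in ssl_client_certificate.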
Solve Problems
sudo su -
cd /etc/ssl/
openssl pkcs12 -export -in certs/client.crt -inkey private/client.key -certfile certs/my_pimatic_CA.crt -out client.p12
exit
sudo chmod 777 /etc/ssl/client.p12
sudo su -
cd /etc/ssl/
openssl x509 -in certs/my_pimatic_CA.crt -noout -text
exit