I have configured Nginx as a reverse proxy and each client call is validated using certificates, but when I browse on the client machine I get "400 Bad Request No required SSL certificate was sent".

I enabled the error log and it says "client sent no required SSL certificate while reading client request headers, client: x.x.x.x, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "y.y.y.y", referrer: " https://y.y.y.y/ "

I am not able to make out what problem it is reporting.

My Nginx config changes:

    server {
        error_log "C:/Error/error.log" debug;
        listen       443 ssl;
        server_name  localhost;
        #ssl_protocols           TLSv1 TLSv1.1;
        ssl_certificate         "C:/Test/server.crt";
        ssl_certificate_key     "C:/Test/server.key";
        # CA certificate(s) used to verify certificates presented by clients
        ssl_client_certificate  "C:/Test/ca.crt";
        # Require a valid client certificate on every request
        ssl_verify_client    on;
        #ssl_session_cache       off;
        #proxy_ssl_server_name on;
        #proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        #proxy_ssl_session_reuse off;
        location / {
            root   html;
            index  index.html index.htm;
            proxy_pass https://10.10.10.10/webservice;
        }
    }

Thanks, Vinod G

Your configuration tries to authenticate a client using its certificate, and it looks like the client is not sending it. **ssl_client_certificate** is to indicate you want to validate the client certificate against the trusted CAs you're pointing to. The server would then ask the client to send a certificate and must be failing when it doesn't receive it.

A pictorial guide of the process can be read here for a better understanding: https://comodosslstore.com/blog/what-is-ssl-tls-client-authentication-how-does-it-work.html

To debug further:

  • Tools like Wireshark can be used to examine if the client is sending a cert: https://www.linuxbabe.com/security/ssltls-handshake-process-explained-with-wireshark-screenshot

  • Use a tool like Postman to set the client certificate and check if the server responds as expected: https://blog.getpostman.com/2017/12/05/set-and-view-ssl-certificates-with-postman/

  • Common issues in this area and how to resolve them: https://www.thesslstore.com/blog/tls-handshake-failed/
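
An added example (not part of the original question or answer): a Python triage of the nginx error log that separates clients that sent no certificate, the message quoted in the question, from clients whose certificate was sent but failed verification. The log lines are constructed, and the names `triage` and `diagnose` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in nginx error_log format (documentation address ranges).
SAMPLE_LOG = '''\
2019/05/14 10:22:31 [info] 4120#5524: *12 client sent no required SSL certificate while reading client request headers, client: 192.0.2.10, server: localhost, request: "GET / HTTP/1.1", host: "198.51.100.5"
2019/05/14 10:22:31 [info] 4120#5524: *13 client sent no required SSL certificate while reading client request headers, client: 192.0.2.10, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "198.51.100.5", referrer: "https://198.51.100.5/"
2019/05/14 10:25:02 [info] 4120#5524: *19 client SSL certificate verify error: (20:unable to get local issuer certificate) while reading client request headers, client: 192.0.2.44, server: localhost, request: "GET / HTTP/1.1", host: "198.51.100.5"
2019/05/14 10:26:40 [notice] 4120#5524: signal process started
'''

NO_CERT = "client sent no required SSL certificate"
VERIFY_ERR = re.compile(r"client SSL certificate verify error: \((\d+):([^)]*)\)")
CLIENT = re.compile(r"client: ([0-9A-Fa-f.:]+)")
REQUEST = re.compile(r'request: "[A-Z]+ (\S+)')


def triage(log_text):
    """Group client-certificate failures by client address."""
    clients = {}
    for line in log_text.splitlines():
        verify = VERIFY_ERR.search(line)
        if NO_CERT not in line and not verify:
            continue  # entry unrelated to client certificates
        addr = CLIENT.search(line)
        entry = clients.setdefault(
            addr.group(1) if addr else "unknown",
            {"no_cert": 0, "verify_errors": Counter(), "paths": set()},
        )
        if verify:
            # Certificate was presented; keep the OpenSSL code and reason.
            entry["verify_errors"][f"{verify.group(1)}:{verify.group(2)}"] += 1
        else:
            entry["no_cert"] += 1
        path = REQUEST.search(line)
        if path:
            entry["paths"].add(path.group(1))
    return clients


def diagnose(entry):
    """Map the counters to the likely cause on the client side."""
    if entry["verify_errors"]:
        return "certificate sent but not trusted by the ssl_client_certificate CA file"
    return "no certificate sent: client has none configured for this host"


if __name__ == "__main__":
    for addr, entry in triage(SAMPLE_LOG).items():
        print(addr, entry["no_cert"], dict(entry["verify_errors"]),
              sorted(entry["paths"]), "->", diagnose(entry))
```

Both messages are logged at `info` level, so they only appear when `error_log` is set to `info` or `debug`, as in the configuration in the question.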
