Nginx无法获得证书CRL [英] Nginx unable to get certificate CRL

问题描述

我正在使用 nginx(1.1.9)通过客户端证书功能在https上提供debian软件包.

I'm using nginx(1.1.9) for serving debian packages on https by using client certificate feature.

listen 443 ssl;

 ...

 ssl_certificate     /etc/ssl/ca.chain.crt;
 ssl_certificate_key /etc/ssl/server.key;
 #ssl_crl             /etc/ssl/ca-crl.pem;
 ssl_client_certificate  /etc/ssl/ca.pem;
 ssl_verify_client   on; 
 ssl_verify_depth 2;   
 ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1;

 ...

 error_log /var/log/nginx/error.log debug;
 ...

我使用reprepro来配置apt仓库.我可以使用apt-get update对该仓库进行更新，而不会出现任何错误，但是当我注释掉ssl_crl以使用撤销列表时，日志显示:

I use reprepro to config an apt repo.I can use apt-get update to this repo without any error but when I comment out ssl_crl in order to use revocation list, Log display:

client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers, client: xxx.xxx.xxx.xxx, server: apt.myrepo.com, request: "GET /ubuntu/dists/precise/non-free/i18n/Translation-en HTTP/1.1", host: "apt.myrepo.com"

我不确定nginx为什么可以找到我的证书吊销列表.

I'm not sure why nginx can find my certificate revocation list.

推荐答案

之所以会发生这种情况，是因为 nginx 需要为ssl_client_certificate证书链中提到的每个证书(包括根CA的CRL)都具有CRL.

This occurs because nginx needs to have CRLs for every certificate that's mentioned in ssl_client_certificate cert chain, including the root CA's CRL.

当我创建根CA和中间CA以便为Intranet站点生成证书时，我自己遇到了问题.当我将 nginx 配置为使用SSL客户端身份验证时，我仅使用了来自中间CA的CRL. nginx 需要查看链中每个证书(包括中间CA)的CRL，以确保根CA尚未撤消中间CA的证书.将根CRL连接到中间CRL可以解决此问题.

I hit this myself when I created root and intermediate CAs in order to generate certs for intranet sites. When I configured nginx to use SSL client authentication, I only used the CRL from our intermediate CA. nginx needs to see the CRL for every certificate in the chain, including the intermediate CA, to make sure that the intermediate CA's certificate hasn't been revoked by the root. Concatenating the root CRL onto the intermediate CRL fixed the issue.

• 默认的CRL有效期(default_crl_days)为30天，因此您需要制定一个系统来使所有内容保持最新状态.
• 感谢您发表这篇文章，该内容是我在Google投入大量精力后发现的，这表明我在链中缺少另一个证书.

• The default CRL expiration period (default_crl_days) is 30 days, so you'll need to work out a system for keeping everything up to date.
• Thank you to this post, which I found after much Google-fu, that suggested I was missing another cert in the chain.

这篇关于Nginx无法获得证书CRL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！