
I am trying to send a search request from web server to another server through nginx proxy. I have server_hostname.pem file as server certificate and ca-chain.cert.pem file as client certificate. However, I do not see any search result from target server. When I do a curl command for that server:port, I see 400 Bad Request for SSL Certificate error. I assumed that this is definitely a certificate problem. Then I tried to see error log for nginx. And I found 26:Unsupported certificate purpose error. To verify the certificate for target server from web server, I tried this command: openssl s_client -connect target_server:port -CAfile web_server.pem

And, I see return code 21 (Unable to verify the first certificate). Does anyone know how to troubleshoot this problem? Thanks a lot in advance. My understanding of SSL/TLS is very basic. So, please let me know if someone needs more detail of this problem.

  • The error message is rather self-explaining. So you might 1. draw a topology diagram to list all machines involved. 2. Learn every certificate involved and its purpose (Server or client certificate? Intermediate? Root Authority?). 3. Check every SSL connection between two machines and see if they are mutual or not. And if mutual, whether both sides have the right certificate.
    – Lex Li
    15 hours ago

1 Answer


There are three actual pieces to a certificate: the private key, the public certificate, and the certification authority (CA) chain. In this case, the server certificate is the private one, you should be publishing the public key to be the client key, and the chain should also be available both to the server and the client; there generally is a place for it in the config, usually called out as the CA or Authority certificate chain. The reason you're getting this error is that you're passing the CA chain in a place where it's expecting the Client certificate / public key, and the CA chain's purpose is not to identify the specific host, but to confirm the authority who identifies the host.

  • I have the same ca-chain.cert.pem file in both target server and web server. And I am using this ca-chain.cert.pem file as ssl_client_certificate in nginx proxy. In the Web Server's Keystore, both the server_certificate.pem and ca-chain.cert.pem files are present. What should I have done differently?
    – Rashed
    15 hours ago
  • Also, thanks a lot for your detailed explanation and response. Really, really appreciate it.
    – Rashed
    15 hours ago
  • Lex Li's comment seems to be pertinent here. The big thing is that I don't see your client certificate; the ca-chain-cert.pem would, from its name, be the CA chain, and I'm assuming the server-hostname.pem is the private key. Though it could be the client certificate based on the name - in which case it's the private key that is missing.
    – tsc_chazz
    15 hours ago
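Lex Li's comment (know what each certificate is for) and the answer's three pieces (private key, public certificate, CA chain) both come down to checks you can run with openssl itself before touching nginx. The script below is an added example, not code from the question or from the answer: it builds a disposable root, intermediate and leaf PKI in a temp directory, then shows what each PEM file holds, which purposes `openssl x509 -purpose` grants each certificate (the CA chain file comes out `SSL client : No`, the mismatch behind an "unsupported certificate purpose" failure when a chain is presented as a client certificate), whether a private key pairs with a certificate, and which chains `openssl verify` accepts. All file names, subjects and the host name `target.example.test` are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: build a throwaway
# two-tier PKI with openssl, then run the checks worth doing before touching nginx:
# what each PEM file actually holds, which purposes each certificate is valid for
# (the same test behind "unsupported certificate purpose"), whether a private key
# really pairs with a certificate, and which chains verify against which anchors.
# All file names, subjects and host names below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extension profiles for the three kinds of certificate in play.
write_profiles() {
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/ca.ext"
  printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:target.example.test' > "$WORK/server.ext"
  printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
    'extendedKeyUsage=clientAuth' > "$WORK/client.ext"
}

# issue NAME SUBJECT EXTFILE ISSUER: writes NAME.key and NAME.pem under $WORK,
# self-signed when ISSUER is "self", otherwise signed by ISSUER.key.
issue() {
  name=$1; subj=$2; ext=$3; issuer=$4
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 2 -extfile "$WORK/$ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 2 -extfile "$WORK/$ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# Root -> intermediate -> one server leaf and one client leaf, plus the CA chain
# file (intermediate then root) that a proxy would be given as its trust bundle.
make_demo_pki() {
  write_profiles
  issue root         "/CN=Demo Root CA"         ca.ext     self
  issue intermediate "/CN=Demo Intermediate CA" ca.ext     root
  issue server       "/CN=target.example.test"  server.ext intermediate
  issue client       "/CN=web-server-client"    client.ext intermediate
  cat "$WORK/intermediate.pem" "$WORK/root.pem" > "$WORK/ca-chain.pem"
}

# pem_kind FILE: one line per PEM object in the file (CERTIFICATE, PRIVATE KEY, ...).
pem_kind() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"; }

# purpose_of CERT PURPOSE: "Yes" or "No" from `openssl x509 -purpose` for the first
# certificate in CERT, e.g. purpose_of client.pem "SSL client".
purpose_of() {
  openssl x509 -in "$1" -noout -purpose | awk -F' : ' -v p="$2" '$1 == p { print $2 }'
}

# key_matches KEY CERT: "yes" when the private key's public half equals the
# certificate's public key, "no" otherwise (including when KEY is not a key at all).
key_matches() {
  kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || { echo no; return 0; }
  cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || { echo no; return 0; }
  if [ "$kpub" = "$cpub" ]; then echo yes; else echo no; fi
}

# verify_chain LEAF TRUSTFILE: "ok" or "fail" from `openssl verify -CAfile TRUSTFILE LEAF`.
verify_chain() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Report on the demo files; point the same functions at your own PEMs to see which
# one is the client certificate, which the key, and which the CA chain.
run_demo() {
  make_demo_pki
  for f in server.key server.pem client.pem ca-chain.pem; do
    printf '%-14s contains:%s\n' "$f" "$(pem_kind "$WORK/$f" | sort | uniq -c | tr -s ' \n' ' ')"
  done
  for f in server.pem client.pem ca-chain.pem; do
    printf '%-14s SSL client=%s SSL server=%s SSL client CA=%s\n' "$f" \
      "$(purpose_of "$WORK/$f" 'SSL client')" "$(purpose_of "$WORK/$f" 'SSL server')" \
      "$(purpose_of "$WORK/$f" 'SSL client CA')"
  done
  echo "server.key pairs with server.pem: $(key_matches "$WORK/server.key" "$WORK/server.pem")"
  echo "server.pem verifies against ca-chain.pem: $(verify_chain "$WORK/server.pem" "$WORK/ca-chain.pem")"
  echo "server.pem verifies against root.pem only: $(verify_chain "$WORK/server.pem" "$WORK/root.pem")"
}

run_demo
```

Run the same functions against your own files: the one whose `pem_kind` prints `PRIVATE KEY` is the key, the one with `SSL client : Yes` is the client certificate nginx should present to the upstream (`proxy_ssl_certificate` with `proxy_ssl_certificate_key`), and the bundle whose first entry has `SSL client CA : Yes` belongs in the directives that verify a peer (`proxy_ssl_trusted_certificate` for the upstream, `ssl_client_certificate` for clients connecting to nginx). The last line of the report, verification against `root.pem` alone failing, shows the same condition s_client reports as code 21: nothing in the trust file or the presented chain links the leaf to a trusted anchor, because the intermediate is missing.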

