
I have a strange question, and I don't even know how to phrase it, but I'll try my best.

I use laravel forge to manage my SSL with LetsEncrypt.

It generates the files:

server.crt  
server.key

Based on "How to get .pem file from .key and .crt files?", I understood that the server.crt is the same as the .pem the poster was asking about.

So, to generate the ca.pem I did the following:

cat /etc/ssl/certs/DST_Root_CA_X3.pem server.crt > ca.pem

then in my nginx.conf I have these lines:

ssl_client_certificate /etc/nginx/ssl/domain/ca.pem;
ssl_verify_client on;  

My main goal is to use it with mqtt, and following 2 guides, I reached this setup, but sending the ca.pem with my mqtt command, I get:

*77 client sent no required SSL certificate while SSL handshaking, client: 11.112.7.84, server: 11.166.22.84:8883
TDawg
  • Just to be clear here, you want to do SSL Client authentication and use NGIX to handle all the SSL termination and client authentication? – hardillb Apr 23 '21 at 13:10
  • yes. I am assuming that the format is wrong in my pem file, but otherwise I am lost – TDawg Apr 23 '21 at 13:14

1 Answer


This won't work.

You need to use your own CA to issue client certificates, you can't use LetsEncrypt's CA and Server certificate to issue/verify the client certificates (they should have the flags set to make this impossible).

ssl_client_certificate needs to point to the certificate chain used to issue the client certificates that the client presents to identify itself.

The certificate used to verify the broker doesn't need to be related to the client certificates in any way.

hardillb
  • I guess that explains it :) so I will need to follow this: https://jamielinux.com/docs/openssl-certificate-authority/ – TDawg Apr 23 '21 at 13:37
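Added example, not code from the question or the answer: a shell script that builds a private CA for MQTT client certificates and then runs, with openssl verify, the same check nginx performs when ssl_verify_client is on, namely whether the presented certificate chains to a CA in the ssl_client_certificate file. It also reproduces the question's ca.pem (a public root concatenated with the broker's server certificate) to show why a client certificate can never satisfy it. The CA names, the "public-ca" stand-in for Let's Encrypt's root, and all CNs are constructed for the demo; it needs only openssl and a POSIX sh.

```shell
#!/bin/sh
# Added example (not from the question or answer). Private CA for MQTT client
# certificates, plus the verification nginx applies with "ssl_verify_client on".
# All CA names and common names below are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA (CA:TRUE, keyCertSign) as $WORK/NAME.key and NAME.crt
make_ca() {
    name=$1
    cat > "$WORK/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $name
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/$name.cnf" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# issue_cert ISSUER CN EKU OUT: leaf certificate (CA:FALSE) signed by $WORK/ISSUER.key,
# restricted to EKU (serverAuth or clientAuth), written to $WORK/OUT.crt and OUT.key
issue_cert() {
    issuer=$1; cn=$2; eku=$3; out=$4
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$cn" > "$WORK/$out.cnf"
    printf 'basicConstraints = critical, CA:FALSE\nkeyUsage = critical, digitalSignature\nextendedKeyUsage = %s\n' \
        "$eku" > "$WORK/$out.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$out.cnf" \
        -keyout "$WORK/$out.key" -out "$WORK/$out.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$out.csr" -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/$out.ext" \
        -out "$WORK/$out.crt" >/dev/null 2>&1
}

# verify_client CAFILE CERT: the client check nginx performs, expressed with openssl.
# Exit 0 only if CERT chains to a CA in CAFILE and is usable for TLS client auth.
verify_client() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# server_cert_can_issue_clients: try to use the CA:FALSE server certificate as an
# issuer, which is what the question's ca.pem would require. Exit 0 only if a client
# certificate minted that way would also verify against the root + server chain.
server_cert_can_issue_clients() {
    issue_cert server bogus-client clientAuth bogus >/dev/null 2>&1 || return 1
    verify_client "$WORK/wrong-ca.pem" "$WORK/bogus.crt"
}

setup_demo() {
    make_ca private-ca   # your own CA: what ssl_client_certificate must point at
    make_ca public-ca    # stand-in for a public CA root (constructed, not Let's Encrypt's)
    issue_cert public-ca broker.example.test serverAuth server   # broker's server.crt/server.key
    issue_cert private-ca mqtt-client-1 clientAuth client        # a client certificate
    cat "$WORK/public-ca.crt" "$WORK/server.crt" > "$WORK/wrong-ca.pem"   # the question's ca.pem
}

report() { label=$1; shift; if "$@"; then echo "accepted: $label"; else echo "rejected: $label"; fi; }

setup_demo
report "client.crt against wrong-ca.pem (root + server cert)" verify_client "$WORK/wrong-ca.pem" "$WORK/client.crt"
report "client.crt against private-ca.crt"                    verify_client "$WORK/private-ca.crt" "$WORK/client.crt"
report "server.crt presented as a client certificate"         verify_client "$WORK/private-ca.crt" "$WORK/server.crt"
report "client cert minted with server.crt as issuer"         server_cert_can_issue_clients
```

Only the second line comes back as accepted: the client certificate verifies against private-ca.crt, which is the file ssl_client_certificate should reference, while the question's root + server.crt bundle rejects it, a serverAuth certificate is refused for the sslclient purpose, and anything signed with the server key fails because server.crt carries CA:FALSE. The private CA is unrelated to the certificate the broker presents to clients, which matches the answer's last point.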