Setting Nginx with LetsEncrypt and Client SSL Certificates
Client SSL certificates are used to authenticate the client when establishing an SSL/TLS connection. They can be used with any connection that runs over SSL, e.g. HTTPS, SSL, SFTP, IMAP, PostgreSQL, etc. A client certificate is usually a .pem file that the client presents when making the connection.
Why?
Add client authentication at the load balancer without affecting the underlying protocol, for example a raw socket or SSH.
Let's Encrypt certificates are valid for 3 months, and Let's Encrypt does not support issuing client certificates tied to them, so we will use a self-signed certificate, which can be valid for any period of time. Here is how to make it:
1. Create self signed SSL certificate and key
openssl genrsa -out client.key 4096
openssl req -new -x509 -days 365 -key client.key -out client.crt
2. Configure Nginx
The following configuration can be used for HTTP load balancing and for TCP load balancing (stream):
server {
    listen 32500 ssl;

    # managed by Let's Encrypt / Certbot
    ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_session_timeout 4h;
    ssl_handshake_timeout 30s; # stream module only; not a valid directive in an http server block

    # our self signed certificate (the client.crt created in step 1)
    ssl_verify_client on;
    ssl_client_certificate /etc/nginx/ssl_client.crt;
    ...
}
3. Use on a client
The client needs the client.key and client.crt we generated earlier. The command openssl s_client works like telnet, but for SSL connections:
openssl s_client -connect mysite.com:32500 -cert client.crt -key client.key
Use with curl
curl -v https://mysite.com --cert client.crt --key client.key
Use with ruby client
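The whole procedure from steps 1 to 3, and the Ruby client the heading above refers to, as an added example that is not part of the original post: it builds the certificates in memory instead of with the openssl CLI, starts a throw-away TLS listener on a local ephemeral port (not 32500) configured the way the nginx block above is (server certificate plus mandatory client verification against a store that holds only the trusted client certificate), and then connects three times: with client.crt and client.key (accepted), with no certificate at all (rejected, which is what ssl_verify_client on enforces), and with a different self-signed certificate that has the same CN (rejected, because only the certificate given to ssl_client_certificate is trusted). The names mysite.com and client, the 2048-bit key size and the port are assumptions made for the demo; it needs only Ruby's bundled openssl library.

```ruby
require 'openssl'
require 'socket'

# Build a self-signed certificate in memory: the in-process equivalent of
# step 1's `openssl genrsa` + `openssl req -new -x509`. 2048-bit keys keep the
# demo fast; the post uses 4096 (assumption for the demo only).
def make_self_signed(cn, key_bits: 2048, days: 365)
  key = OpenSSL::PKey::RSA.new(key_bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = OpenSSL::BN.rand(63).to_i
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Server context mirroring the nginx directives: the server's own cert/key
# (ssl_certificate / ssl_certificate_key) plus mandatory client verification
# (ssl_verify_client on) against a store holding only the trusted client
# certificate (ssl_client_certificate).
def server_context(server_key, server_cert, trusted_client_cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = server_cert
  ctx.key = server_key
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_client_cert)
  ctx.cert_store = store
  ctx
end

# One connection attempt against a throw-away local listener.
# Returns [server_outcome, line_read_by_client]: :accepted when the handshake
# completed, :rejected when the server refused the client certificate.
def handshake_with(ctx, client_key: nil, client_cert: nil)
  tcp = TCPServer.new('127.0.0.1', 0) # ephemeral port stands in for 32500
  port = tcp.addr[1]
  ssl_server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  server = Thread.new do
    begin
      conn = ssl_server.accept # raises if the client cert is missing or untrusted
      conn.puts "hello #{conn.peer_cert.subject}"
      conn.close
      :accepted
    rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
      :rejected
    end
  end

  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # demo server cert is self-signed
  if client_cert
    client_ctx.cert = client_cert # what `-cert client.crt -key client.key` does
    client_ctx.key = client_key
  end
  sock = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(sock, client_ctx)
  line = nil
  begin
    ssl.connect
    line = ssl.gets # nil or SSLError when the server aborted the handshake
  rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
    line = nil
  ensure
    ssl.close rescue nil
    sock.close unless sock.closed?
  end
  outcome = server.value
  ssl_server.close
  [outcome, line]
end

def demo
  server_key, server_cert = make_self_signed('mysite.com') # stand-in for the Let's Encrypt cert
  client_key, client_cert = make_self_signed('client')     # step 1: client.key / client.crt
  rogue_key,  rogue_cert  = make_self_signed('client')     # same CN, different key: not in the store
  ctx = server_context(server_key, server_cert, client_cert)
  {
    with_cert:    handshake_with(ctx, client_key: client_key, client_cert: client_cert),
    without_cert: handshake_with(ctx),
    wrong_cert:   handshake_with(ctx, client_key: rogue_key, client_cert: rogue_cert)
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |name, (outcome, line)| puts "#{name}: #{outcome} #{line.inspect}" }
end
```

Run it with `ruby mtls_demo.rb`; only the first attempt prints a greeting containing `CN=client`, the other two are refused during the handshake. The client side uses VERIFY_NONE solely because the demo server certificate is self-signed; a real client talking to the nginx above should keep VERIFY_PEER and trust the Let's Encrypt chain, otherwise the client authenticates itself to a server it has not authenticated.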