A small post on the “The ssl certificate error” message thrown by my NGINX server. I spent some time figuring out what was happening, so I hope this post can help others. :)
It was related to my client certificate configuration in this case but it could have been a lot of other things.
The problem with this message is that it does not generate any error log entry by default. You just get a web page with this message, and you see this kind of entry in your web server access log:
220.127.116.11 - - [30/Jan/2017:11:57:13 +0100] "GET / HTTP/1.1" 400 224 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Firefox/45.0"
That’s because it is not an error at the NGINX server level. To see what the real problem is, you need to change the log verbosity in your NGINX configuration. By default, it will log only error level messages.
So changing the error_log directive in the configuration file to:
error_log /var/log/nginx/graylog_error.log info;
will log every message with severity level info and above.
So after retrying the same web page, this time we have an informational entry in the error log:
2017/01/30 12:32:46 [info] 8651#8651: *4 client SSL certificate verify error: (12:CRL has expired) while reading client request headers, client: 10.10.10.17, server: log.djouxtech.net, request: "GET /api/streams HTTP/1.1", host: "log.djouxtech.net"
This message is pretty clear. My Certificate Revocation List (CRL) had expired. The default expiration time is 30 days. I only needed to renew it to fix my problem. This error can have multiple causes; changing the log level in NGINX lets you quickly find what is happening.
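Once the error log is at info level, the verify failures can be pulled out and grouped by cause. The following is an added example, not code from the original post: the function names are hypothetical, and every sample log line except the first (the entry quoted above) is constructed.

```python
import re
from collections import defaultdict

# Info-level entry NGINX writes when client-certificate verification fails;
# the parenthesised part is the verify code and reason, e.g. (12:CRL has expired).
VERIFY_ERR = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] .*?'
    r'client SSL certificate verify error: \((?P<code>\d+):(?P<reason>[^)]*)\)'
    r'.*?client: (?P<client>[^,]+), server: (?P<server>[^,]+)'
)

# Line 1 is the entry quoted in the post; the other lines are constructed samples.
SAMPLE_LOG = '''\
2017/01/30 12:32:46 [info] 8651#8651: *4 client SSL certificate verify error: (12:CRL has expired) while reading client request headers, client: 10.10.10.17, server: log.djouxtech.net, request: "GET /api/streams HTTP/1.1", host: "log.djouxtech.net"
2017/01/30 12:33:02 [info] 8651#8651: *5 client SSL certificate verify error: (12:CRL has expired) while reading client request headers, client: 192.0.2.10, server: log.example.test, request: "GET / HTTP/1.1", host: "log.example.test"
2017/01/30 12:34:40 [info] 8651#8651: *6 client SSL certificate verify error: (10:certificate has expired) while reading client request headers, client: 192.0.2.11, server: log.example.test, request: "GET / HTTP/1.1", host: "log.example.test"
2017/01/30 12:35:10 [error] 8651#8651: *7 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.0.2.12, server: log.example.test, request: "GET /favicon.ico HTTP/1.1", host: "log.example.test"
'''


def parse_verify_errors(text):
    """Return one dict per client-certificate verify failure found in the log text."""
    events = []
    for line in text.splitlines():
        m = VERIFY_ERR.search(line)
        if m:
            event = m.groupdict()
            event["code"] = int(event["code"])
            events.append(event)
    return events


def summarize(events):
    """Map each reason to its hit count and the distinct clients that triggered it."""
    clients, counts = defaultdict(set), defaultdict(int)
    for e in events:
        counts[e["reason"]] += 1
        clients[e["reason"]].add(e["client"])
    return {r: {"count": counts[r], "clients": sorted(clients[r])} for r in counts}


if __name__ == "__main__":
    for reason, info in summarize(parse_verify_errors(SAMPLE_LOG)).items():
        print(f'{info["count"]:3d}  {reason}  clients={", ".join(info["clients"])}')
```

A reason reported for every client, such as an expired CRL, points at the server's own configuration rather than at one client's certificate.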