If you are using Nginx as a reverse proxy and trying to inject client certificates, you may run into a Server 400 “No required SSL certificate was sent” error. I spent a few hours debugging this issue and thought I’d share my findings. The problem is fairly subtle and easy to overlook, and numerous other people have run into it. The cause is that the backend server is using SNI (Server Name Indication, which basically allows multiple SSL/TLS certs on a single IP). You must explicitly tell Nginx to pass the domain name forward in the TLS handshake, so that the final destination (your backend) knows which SSL/TLS cert to serve.

Following the Nginx proxy documentation, you would set the required directives and expect it to work, so your configuration might look something like:

location / {
        proxy_pass                 https://api-backend.somesite.com/;
        proxy_ssl_certificate      /etc/nginx/conf.d/ssl/client.crt;
        proxy_ssl_certificate_key  /etc/nginx/conf.d/ssl/client.key;
}


The solution is to add an extra directive to enable SNI; the directive is called “proxy_ssl_server_name”. A working example would be:

location / {
        proxy_pass                 https://api-backend.somesite.com/;
        proxy_ssl_server_name      on;
        proxy_ssl_certificate      /etc/nginx/conf.d/ssl/client.crt;
        proxy_ssl_certificate_key  /etc/nginx/conf.d/ssl/client.key;
}


Restart Nginx and test with your browser again; all should be working!

1 Comment » for Nginx Proxy Pass, resolving “No required SSL certificate was sent”
  1. Patrick Ekkel says:

    Hey Man,

    1. Saw your post
    2. applied fix
    3. Profit!!!

    Thanks
