I have two Debian servers with nginx and PHP. Server 1 acts as the "client", Server 2 as the "server".
The "server" has a REST API, and I am trying to authenticate the "client" against the "server" with the following script.
Code:
$data = json_encode(
    [
        "name" => '',
        "password" => '',
    ]
);
$url = BASIC_URL."/authenticate/v1";
$ch = curl_init();
curl_setopt( $ch, CURLOPT_URL,$url);
curl_setopt( $ch, CURLOPT_POST, 1);
curl_setopt( $ch, CURLOPT_POSTFIELDS, $data);
curl_setopt( $ch, CURLOPT_HTTPHEADER, array('Content-Type:application/json'));
curl_setopt( $ch, CURLOPT_SSLCERT, ROOT_PATH . '/config/certificates/client.crt');
curl_setopt( $ch, CURLOPT_SSLKEY, ROOT_PATH . '/config/certificates/client.key');
curl_setopt( $ch, CURLOPT_VERBOSE, true);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true);
$server_output = curl_exec( $ch );
curl_close( $ch);
Code:
openssl genpkey -algorithm RSA -out ca.key -pkeyopt rsa_keygen_bits:2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.crt -subj "/C=/ST=/L=/O=/CN="
openssl genpkey -algorithm RSA -out client.key -pkeyopt rsa_keygen_bits:2048
openssl req -new -key client.key -out client.csr -subj "/C=/ST=/L=/O=/CN="
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365
openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048
openssl req -new -key server.key -out server.csr -subj "/C=/ST=/L=/O=/CN="
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256
Code:
server {
    server_name www.;
    root /public/;
    index index.php index.html index.htm;
    rewrite ^/index\.html$ /index.php last;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
    }
    # SSL configuration
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live//fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live//privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live//chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot
    ssl_client_certificate /var/www///ca.crt;
    ssl_verify_client optional;
}
server {
    if ($host = ) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name www.;
    root ;
    index index.php index.html index.htm;
    rewrite ^/index\.html$ /index.php last;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
    }
}
Code:
openssl x509 -noout -modulus -in client.crt | openssl md5
openssl rsa -noout -modulus -in client.key | openssl md5
The /var/log/nginx/error.log does not say anything relevant.
I only have the following error message: "400 Bad Request - The SSL certificate error"

...any ideas?
Source: https://stackoverflow.com/questions/781 ... cate-error
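
A check that goes one step past the modulus comparison in the post, as an added example that is not part of the original post: a matching key and certificate says nothing about whether client.crt verifies against the ca.crt that nginx loads via ssl_client_certificate, and a failed client-certificate verification is what nginx answers with "400 Bad Request - The SSL certificate error". The function names, the "/CN=demo ..." subjects and the temporary directory are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. The "/CN=demo ..." subjects and
# the scratch directory are constructed for the demo.

# check_client_cert CA CERT KEY: returns 0 only if every check passes.
check_client_cert() {
    ca=$1; crt=$2; key=$3; rc=0
    # 1. The key belongs to the certificate: compare the public keys.
    a=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    { [ -n "$a" ] && [ "$a" = "$b" ]; } ||
        { echo "FAIL: key does not match certificate"; rc=1; }
    # 2. The certificate verifies against the CA file the server trusts
    #    (the file nginx loads via ssl_client_certificate).
    openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$' ||
        { echo "FAIL: $crt does not verify against $ca"; rc=1; }
    # 3. Subject must differ from issuer: with identical names OpenSSL can
    #    treat the leaf as self-signed and reject it.
    s=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer= *//')
    [ "$s" != "$i" ] || { echo "FAIL: subject equals issuer ($s)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $crt"
    return "$rc"
}

# make_demo_pki DIR: throwaway CA, a client cert it signs, and an unrelated CA.
make_demo_pki() {
    d=$1
    for n in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -out "$d/$n.crt" -days 2 -subj "/CN=demo $n CA" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/client.key" \
        -out "$d/client.csr" -subj "/CN=demo client" 2>/dev/null || return 1
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/client.crt" -days 1 -sha256 2>/dev/null
}

tmp=$(mktemp -d) && make_demo_pki "$tmp" || exit 1
check_client_cert "$tmp/ca.crt" "$tmp/client.crt" "$tmp/client.key"
check_client_cert "$tmp/other.crt" "$tmp/client.crt" "$tmp/client.key" ||
    echo "(expected: client.crt was not issued by other.crt)"
```

To use it on real files, call check_client_cert with the ca.crt from the server's ssl_client_certificate path and the client.crt and client.key that curl sends.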