Currently I am trying to implement AWS API Gateway client authentication with NGINX backend servers. I want to prevent access to my API from anything other than AWS API Gateway. I have created a client certificate in the AWS API Gateway console (PEM encoded) and set up my virtual host config as follows. I am already using a CA-signed wildcard certificate to access the subdomain.

server {
    listen 443;
    server_name api.example.com;

    # $bad_client is expected to be defined by a map in the http context (not shown)
    if ($bad_client) { return 403; }

    root /usr/share/nginx/api.example.com/public;
    index index.php;

    ssl on;
    ssl_stapling on;
    # ssl_trusted_certificate supplies CAs for verifying client certs and OCSP
    # responses but is NOT what ssl_verify_client requires; note that no
    # ssl_client_certificate directive is present here
    ssl_trusted_certificate aws-cert.pem;
    ssl_verify_client on;

    ssl_certificate /etc/nginx/ssl/ca-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    ssl_session_timeout 10m;

    # SSLv3 is obsolete and should be dropped from this list
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    error_page 404 /404.html;
    location /404.html {
        internal;
    }

    location / {
        try_files $uri.html $uri $uri/ =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PHP_VALUE "error_log=/var/log/php5-fpm.log";
    }

    location ~ /\.ht {
        deny all;
    }
}

I get the following error message and the whole nginx service is no longer available. The Amazon docs are not very helpful. What am I doing wrong?

https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html

 [emerg] 19636#0: no ssl_client_certificate for ssl_client_verify

1 Answer

In order for Nginx to verify the client, you need to tell it which certificate the client will be using. In my config I have:

# Client auth via certs
ssl_client_certificate /etc/nginx/ssl/cert.pem;
ssl_trusted_certificate /etc/nginx/ssl/cert.pem;
ssl_verify_client on;

I'm not entirely clear on the difference between the ssl_client_certificate and ssl_trusted_certificate directives; perhaps somebody else can explain that.

Docs here.
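A complete server block that applies the fix from the answer to the configuration in the question, added here as an illustration and not taken from the question, the answer or the AWS docs. The file paths, the use of $ssl_client_verify and the SSL_CLIENT_S_DN parameter name are assumptions you should adapt.

```nginx
# Added example (not from the question or answer): nginx vhost that only
# serves TLS clients presenting the API Gateway client certificate.
# All paths below are assumptions; replace them with your own.
server {
    listen 443 ssl;                       # replaces "listen 443;" + "ssl on;"
    server_name api.example.com;

    # Server-side identity: the CA-signed wildcard certificate and its key.
    ssl_certificate     /etc/nginx/ssl/ca-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;

    # Client authentication. ssl_client_certificate names the PEM file whose
    # certificates are trusted to sign client certificates and are advertised
    # to the client in the CertificateRequest; ssl_trusted_certificate holds
    # CAs that are trusted but not advertised (and is used for OCSP stapling).
    # The PEM downloaded from the API Gateway console is self-signed, so this
    # one file is the entire trust chain. Without this directive nginx refuses
    # to start with "no ssl_client_certificate for ssl_client_verify".
    ssl_client_certificate /etc/nginx/ssl/aws-apigw-client.pem;
    ssl_verify_client on;                 # handshake fails without a valid cert

    ssl_protocols TLSv1.2;                # SSLv3/TLS1.0/1.1 dropped
    ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 10m;

    root  /usr/share/nginx/api.example.com/public;
    index index.php;

    # Defence in depth: even with ssl_verify_client on, refuse any request
    # whose verification result is not SUCCESS (guards against a later switch
    # to "optional"), and pass the client DN to PHP for audit logging.
    location / {
        if ($ssl_client_verify != SUCCESS) { return 403; }
        try_files $uri.html $uri $uri/ =404;
    }

    location ~ \.php$ {
        if ($ssl_client_verify != SUCCESS) { return 403; }
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;   # assumed param name
    }

    location ~ /\.ht { deny all; }
}
```

Check it with `nginx -t` before reloading. A negative test is easy from any host: a plain `curl https://api.example.com/` with no client certificate should now be answered with a 400 "No required SSL certificate was sent" rather than content. The positive test has to come from API Gateway itself (the test console in the AWS documentation linked in the question), because only API Gateway holds the private key for the generated certificate. That certificate also has a limited validity period, so put its expiry date in your monitoring; when it expires, API Gateway calls start failing at the TLS handshake and nothing in the application logs will explain why.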