400 Bad Request: The SSL certificate error

ccs received early

Looks like a fallout from the fixes for CVE-2014-0224. Since patches seem to be available, check that your system is up-to-date or report the bug to your distributor.

More details might be available if you added information about the server system you are running, especially which OS, which version of OpenSSL and which patches.


First of all, enable debug log in nginx.conf:

error_log  logs/error.log debug;

And restart nginx. Then repeat the request and check the log file. Find the first line with verify:0:

2019/12/05 22:34:50 [debug] 5980#9776: *17 verify:0, error:20, depth:0, subject:"/CN=...", issuer:"/CN=..."

Here you see error:20. The error code comes from OpenSSL. Here you can find the constant name by code and here the corresponding description by constant name.

Alternatively you can verify the certificate using openssl command line tool:

openssl verify -CAfile ca.crt client.crt

To verify it as the server sees it, ca.crt has to be the file listed in ssl_client_certificate or ssl_trusted_certificate directive in nginx.conf.

To verify the certificate on its own, ca.crt has to be the certificate that was used to sign client.crt. If it is self-signed, it'll be client.crt itself (client.crt will appear twice in a row).

If you're getting error 20 specifically and your client certificate is self-signed, you might have encountered this bug. To fix it you should either drop keyUsage from your certificate entirely or add keyCertSign to the list. To verify whether you've stumbled upon it, check whether Key Usage is listed in X509v3 extensions: section in the output of the following command:

openssl x509 -in client.crt -text -noout
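As an added example (not code from any of the answers on this page), the following Python script automates the triage the answer above walks through by hand: it picks the first verify:0 line out of an nginx debug log, maps the numeric OpenSSL error code to its X509_V_ERR_* constant and the reason text openssl verify prints, and for error 20 says whether the missing issuer is the CA file or, for a self-signed certificate, the keyUsage extension. The log lines in SAMPLE_LOG are constructed (made-up CNs and connection numbers in the real nginx line format), and the code table is a hand-picked subset of openssl/x509_vfy.h.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Subset of OpenSSL's X509_V_ERR_* result codes (openssl/x509_vfy.h) with the
# reason text "openssl verify" prints for each. Unknown codes are reported
# numerically rather than guessed.
X509_VERIFY_ERRORS = {
    0: ("X509_V_OK", "ok"),
    2: ("X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT", "unable to get issuer certificate"),
    7: ("X509_V_ERR_CERT_SIGNATURE_FAILURE", "certificate signature failure"),
    9: ("X509_V_ERR_CERT_NOT_YET_VALID", "certificate is not yet valid"),
    10: ("X509_V_ERR_CERT_HAS_EXPIRED", "certificate has expired"),
    18: ("X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT", "self signed certificate"),
    19: ("X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN", "self signed certificate in certificate chain"),
    20: ("X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY", "unable to get local issuer certificate"),
    21: ("X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE", "unable to verify the first certificate"),
    23: ("X509_V_ERR_CERT_REVOKED", "certificate revoked"),
    24: ("X509_V_ERR_INVALID_CA", "invalid CA certificate"),
    26: ("X509_V_ERR_INVALID_PURPOSE", "unsupported certificate purpose"),
}

# Shape of the line nginx's certificate verify callback writes at log level debug.
VERIFY_RE = re.compile(
    r'verify:(?P<ok>[01]), error:(?P<code>\d+), depth:(?P<depth>\d+), '
    r'subject:"(?P<subject>[^"]*)", issuer:"(?P<issuer>[^"]*)"'
)


@dataclass
class VerifyEvent:
    ok: bool
    code: int
    depth: int
    subject: str
    issuer: str

    @property
    def constant(self) -> str:
        return X509_VERIFY_ERRORS.get(self.code, (f"X509_V_ERR_{self.code}", ""))[0]

    @property
    def reason(self) -> str:
        return X509_VERIFY_ERRORS.get(self.code, ("", f"unknown verify error {self.code}"))[1]

    @property
    def self_signed(self) -> bool:
        # A self-signed certificate shows up with identical subject and issuer names.
        return self.subject == self.issuer


def parse_verify_line(line: str) -> Optional[VerifyEvent]:
    """Return a VerifyEvent for an nginx 'verify:' debug line, None for any other line."""
    m = VERIFY_RE.search(line)
    if not m:
        return None
    return VerifyEvent(m.group("ok") == "1", int(m.group("code")), int(m.group("depth")),
                       m.group("subject"), m.group("issuer"))


def first_failure(lines: Iterable[str]) -> Optional[VerifyEvent]:
    """The first verify:0 line is the one that explains why the chain was rejected."""
    for line in lines:
        ev = parse_verify_line(line)
        if ev is not None and not ev.ok:
            return ev
    return None


def explain(ev: VerifyEvent) -> str:
    """Turn a failing verify event into the next check the operator should run."""
    msg = f"error {ev.code} ({ev.constant}: {ev.reason}) at depth {ev.depth} for {ev.subject!r}"
    if ev.code == 20 and ev.self_signed:
        return (msg + "; the certificate is self-signed, so it must itself be in the file named by "
                "ssl_client_certificate, and if it has a keyUsage extension that extension must "
                "include keyCertSign or OpenSSL will not accept the certificate as its own issuer")
    if ev.code == 20:
        return (msg + f"; its issuer {ev.issuer!r} is not in the ssl_client_certificate / "
                "ssl_trusted_certificate file nginx loads")
    if ev.code in (9, 10):
        return msg + "; compare the server clock with the certificate's notBefore/notAfter dates"
    return msg + "; look the constant up in openssl/x509_vfy.h"


# Constructed sample log (invented CNs and connection numbers, real nginx line format):
# connection *16 presents a chain that verifies, connection *17 a self-signed leaf
# that is not in the CA file.
SAMPLE_LOG = """\
2019/12/05 22:34:50 [debug] 5980#9776: *16 verify:1, error:0, depth:1, subject:"/CN=Example Client CA", issuer:"/CN=Example Client CA"
2019/12/05 22:34:50 [debug] 5980#9776: *16 verify:1, error:0, depth:0, subject:"/CN=alice", issuer:"/CN=Example Client CA"
2019/12/05 22:34:51 [debug] 5980#9776: *17 SSL_do_handshake: -1
2019/12/05 22:34:51 [debug] 5980#9776: *17 verify:0, error:20, depth:0, subject:"/CN=bob", issuer:"/CN=bob"
"""

if __name__ == "__main__":
    failure = first_failure(SAMPLE_LOG.splitlines())
    print(explain(failure) if failure else "no failing verify line found")
```

Run it against a real error.log by replacing SAMPLE_LOG.splitlines() with the opened file; nginx writes one verify line per certificate in the chain, deepest first, so the first verify:0 line is the one to act on.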

The certificate I used to sign another one was not a CA, so it simply could not be verified; that's why I got this error from the openssl verify command:

error 20 at 0 depth lookup:unable to get local issuer certificate

If you're not a CA then obviously there's nothing you can do about it.

Tags:

Nginx

Ssl

Openssl