No problem. For everyone, here are my final certificate-conversion commands and nginx config. nginx version 1.19.4 or newer is required.
Convert certificates:
server dir:
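# Convert the server-side keys from DER to PEM (nginx only loads PEM keys).
openssl rsa -inform DER -in teddy-key.pem -out ttt-teddy-key.pem
# Only needed if the CA key is used somewhere else; the nginx config below never reads it.
openssl rsa -inform DER -in ca-key.pem -out ttt-ca-key.pem
# openssl typically writes the output with the default umask; restrict the keys before they go anywhere.
chmod 600 ttt-teddy-key.pem ttt-ca-key.pem
# Chain file for ssl_certificate: leaf certificate followed by the CA certificate.
# nginx reads only CERTIFICATE blocks from this file, so the private keys the original
# recipe concatenated into it (including the CA key) were never used from here.
cat teddy-cert.pem ca-root.pem > fullchain.pem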
client dir:
# Convert the box's client-side material from DER to PEM so nginx's proxy_ssl_* directives can load it.
for name in ca client; do
    openssl x509 -inform DER -in "${name}.der" -out "${name}.pem"
done
openssl rsa -inform DER -in private.der -out private.pem
nginx http config (this must be the first-loaded “server” config listening on port 443):
## SSL SHA1 fingerprints with "grep -v ^- FILENAME | base64 -d | sha1sum"
## This yields the lowercase hex SHA1 of the DER certificate with no separators, which is
## the format of nginx's $ssl_client_fingerprint. FILENAME must contain exactly one PEM
## certificate, otherwise the stripped base64 is not a single certificate.
## Maps the presented client certificate's fingerprint to $reject: "default 1" rejects
## everything that is not listed, including connections that sent no client certificate
## (then $ssl_client_fingerprint is empty). nginx refuses duplicate map keys, so both
## placeholders must be replaced with distinct real fingerprints.
## NOTE(review): the first entry admits a client that presents the CA certificate itself;
## drop it if only the box's client.pem is meant to be accepted.
map $ssl_client_fingerprint $reject {
default 1;
"your_fingerprint" 0; # client/ca.pem
"your_fingerprint" 0; # client/client.pem
}
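server {
    ## TeddyCloud subdomain
    listen 443 ssl;
    server_name YOUR_DOMAIN;

    ## Reject the request when the client certificate fingerprint is unknown.
    ## $reject is set by the "map $ssl_client_fingerprint" block that precedes this
    ## server; it is 1 when no client certificate was presented or its SHA1 is not
    ## listed. "if" + "return" at server level is one of nginx's safe uses of "if".
    ## The redirect target is kept as the author wrote it; a plain "return 403;"
    ## would make the rejection explicit instead.
    if ($reject) {
        return 301 https://www.google.de;
    }

    ## Protocols: SSLv2, SSLv3, TLSv1 and TLSv1.1 were listed here before; they are
    ## deprecated and on current OpenSSL builds mostly unavailable anyway. TLSv1.2 was
    ## already in the list and is presumably what the box negotiates (TODO confirm on
    ## the box); TLSv1.3 is added for modern clients.
    ssl_protocols TLSv1.2 TLSv1.3;
    ## Cipher string kept as the author had it: every suite except anonymous ones.
    ## NOTE(review): tighten this (e.g. to HIGH:!aNULL:!MD5) once the suites the box
    ## actually offers are confirmed — not verified here.
    ssl_ciphers ALL:!aNULL;

    ## Server certificate chain and private key. nginx reads only CERTIFICATE blocks
    ## from the ssl_certificate file; the key must come from ssl_certificate_key.
    ssl_certificate /etc/nginx/certs/teddycloud/server/fullchain.pem;
    ## NOTE(review): the conversion commands above turn a DER "teddy-key.pem" into
    ## ttt-teddy-key.pem, while this directive names the unconverted file. nginx
    ## expects a PEM key here — confirm which file is actually deployed at this path.
    ssl_certificate_key /etc/nginx/certs/teddycloud/server/teddy-key.pem;

    ## Request a client certificate. With optional_no_ca nginx does not verify the
    ## certificate against ca.pem (ca.pem only populates the CA list sent in the
    ## certificate request); the TLS handshake still proves the client holds the
    ## private key of the certificate it sent, and the fingerprint map above decides
    ## whether that certificate is accepted.
    ssl_client_certificate /etc/nginx/certs/teddycloud/client/ca.pem;
    ssl_verify_client optional_no_ca;

    ## Root location of subdomain: forward to the TeddyCloud instance over TLS,
    ## authenticating to it with the box's client certificate.
    location / {
        proxy_pass https://192.168.1.45:443;
        proxy_ssl_certificate /etc/nginx/certs/teddycloud/client/client.pem;
        proxy_ssl_certificate_key /etc/nginx/certs/teddycloud/client/private.pem;
        ## Allows legacy (pre-RFC 5746) renegotiation toward this upstream only —
        ## presumably required by the TeddyCloud backend (TODO confirm).
        ## proxy_ssl_conf_command is why nginx 1.19.4 or newer is needed.
        ## NOTE(review): proxy_ssl_verify is off by default, so the upstream's
        ## certificate is not checked; consider proxy_ssl_trusted_certificate plus
        ## "proxy_ssl_verify on;" if the upstream's CA is available.
        proxy_ssl_conf_command Options UnsafeLegacyRenegotiation;
    }
}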