# Should fail with 400 or 403 (no cert)
curl -k -X GET https://ldap.cicd.example.com/ -v 2>&1 | grep "< HTTP"
# Should succeed (with cert)
curl -k --cert user.crt --key user.key https://ldap.cicd.example.com/ -v 2>&1 | grep "< HTTP"
tail -f /var/log/nginx/error.log
Note: ssl_verify_client on rejections do NOT appear in the error log. Only optional mode logs verification results.
tail -f /var/log/nginx/access.log
Look for 400 (TLS-level rejection) vs 403 (HTTP-level rejection) vs 419/500 (application error).
Add a debug header inside the location / block:
add_header X-Debug-Server "block-name" always;
Check the response headers in browser DevTools → Network tab. If the header is missing, the request was rejected before reaching the location block.
curl -k --cert user.crt --key user.key \
https://ldap.cicd.example.com/ -v
curl -k --cert user.crt --key user.key \
-X POST https://ldap.cicd.example.com/ajax/bases \
-H "X-CSRF-TOKEN: test" \
-H "Cookie: phpldapadmin_session=test" \
-v
openssl s_client -connect ldap.cicd.example.com:443 2>&1 | grep -A5 "Acceptable client certificate"
Settings → Privacy & Security → Certificates → View Certificates → Your Certificates
Close all tabs to the domain, then clear the SSL state: - Settings → Privacy & Security → Certificates → View Certificates → delete the cert decision - Or restart Firefox entirely
In browser DevTools → Network tab, click the initial GET request → Response Headers. Look for:
Set-Cookie: client_cert_verified=1; Path=/; Secure; HttpOnly; SameSite=Strict
In browser DevTools → Network tab, click the AJAX POST request → Request Headers. Look for:
Cookie: client_cert_verified=1; ...
Add to the nginx log format temporarily:
log_format debug '$remote_addr - $ssl_client_verify - $cookie_client_cert_verified - $request';
access_log /var/log/nginx/debug.log debug;
This logs the cert verification status and cookie value for each request.
| Symptom | Cause | Fix |
|---|---|---|
| 400 on all requests | Client cert not installed or wrong CA | Check cert installation in browser |
| 400 only on AJAX | Browser not sending cert on XHR connections | Apply session cookie workaround |
| 403 on all requests | Cert sent but verification fails | Check CA cert path in nginx, check cert expiry |
| Page loads, AJAX 400, no error log | ssl_verify_client on TLS rejection |
Switch to optional + cookie workaround |
| Cookie not being set | Initial page load also failing | Check cert is valid and CA matches |