My issue:
I want to use ssl_crl to verify the client certificate’s revocation status, but it didn’t work for me: the browser shows “The SSL certificate error”, and nginx’s error.log shows “client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers”.
How I encountered the problem:
While I configured a CRL file and wanted to check the revocation status of the browser’s certificate.
Solutions I’ve tried:
I checked the permissions of the CRL file, and “openssl crl” can show its content normally.
Furthermore, I used “openssl verify -crl_check -CAfile $(step path)/certs/ca-chain.crt -CRLfile ~/stepca/crl.pem ~/stepca/crl.crt” to simulate crl_check; it verifies normally as well.
My config:
[nginx.conf]:
ssl_certificate conf.d/certs/.lego/certificates/192.168.195.102.crt;
ssl_certificate_key conf.d/certs/.lego/certificates/192.168.195.102.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
ssl_verify_client optional;
ssl_client_certificate conf.d/certs/ca-chain.crt;
ssl_verify_depth 2;
ssl_crl conf.d/crl/crl.pem;
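nginx loads ssl_crl with OpenSSL's CRL_CHECK_ALL flag, so a chain verified with ssl_verify_depth 2 needs a CRL for the intermediate and for the root CA in that one file, and OpenSSL reports error 3 (unable to get certificate CRL) when either is missing; `openssl verify -crl_check` checks only the leaf, so `-crl_check_all` is the flag that mirrors what nginx does. The script below is an added example, not code from the original post: it parses the ssl_client_certificate chain and the ssl_crl file with a minimal stdlib DER walker and lists every CA whose CRL is absent. The script file name and the "Step ... CA" sample names are constructed for the demo.

```python
# Added example (not from the original post): list CAs in the client-cert chain
# that have no CRL in the ssl_crl file; nginx's CRL_CHECK_ALL needs one per CA.
import base64, re, sys
def _tlv(der, pos=0):                       # one DER TLV -> (tag, value, end)
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length
def _children(body):                        # SEQUENCE/SET body -> [(tag, value, raw_tlv)]
    out, pos = [], 0
    while pos < len(body):
        tag, val, end = _tlv(body, pos)
        out.append((tag, val, body[pos:end])); pos = end
    return out
def _tbs_fields(der): return _children(_children(_tlv(der)[1])[0][1])  # inner tbs SEQUENCE fields
def cert_subject(der):                      # raw DER of a certificate's subject Name
    f = _tbs_fields(der); f = f[1:] if f[0][0] == 0xA0 else f        # skip explicit [0] version
    return f[4][2]                          # serial, sigAlg, issuer, validity, subject
def crl_issuer(der):                        # raw DER of a CRL's issuer Name
    f = _tbs_fields(der); f = f[1:] if f[0][0] == 0x02 else f        # skip optional v2 version
    return f[1][2]                          # sigAlg, issuer
def dn_text(name_der):                      # readable DN from the RDN string values
    return "/".join(_children(atv)[1][1].decode("utf-8", "replace")
                    for _, rdn, _ in _children(_tlv(name_der)[1]) for _, atv, _ in _children(rdn))
def pem_blocks(text, label):
    pat = r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label)
    return [base64.b64decode("".join(b.split())) for b in re.findall(pat, text, re.S)]
def missing_crls(chain_pem, crl_pem):
    """CAs in ssl_client_certificate with no CRL in ssl_crl (binary DN match, as RFC 5280 allows)."""
    issuers = {crl_issuer(d) for d in pem_blocks(crl_pem, "X509 CRL")}
    return [dn_text(s) for s in map(cert_subject, pem_blocks(chain_pem, "CERTIFICATE")) if s not in issuers]

# Constructed sample data (structure only, unsigned) so the check can run offline.
def der(tag, *parts): body = b"".join(parts); return bytes([tag, len(body)]) + body  # short-form length only
def build_name(cn): return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03"), der(0x0C, cn.encode()))))
def pem(label, d): return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(d).decode(), label)
def build_cert_pem(subject, issuer):        # tbs: serial, sigAlg, issuer, validity, subject
    return pem("CERTIFICATE", der(0x30, der(0x30, der(0x02, b"\x01"), der(0x30), build_name(issuer), der(0x30), build_name(subject))))
def build_crl_pem(issuer):                  # tbs: sigAlg, issuer
    return pem("X509 CRL", der(0x30, der(0x30, der(0x30), build_name(issuer))))

def demo():                                 # intermediate CRL present, root CRL missing
    chain = build_cert_pem("Step Intermediate CA", "Step Root CA") + build_cert_pem("Step Root CA", "Step Root CA")
    return missing_crls(chain, build_crl_pem("Step Intermediate CA"))    # -> ['Step Root CA']

if __name__ == "__main__":                  # usage: python3 check_crl.py ca-chain.crt crl.pem
    print(missing_crls(open(sys.argv[1]).read(), open(sys.argv[2]).read()) if len(sys.argv) > 2 else demo())
```

Run it against the real ca-chain.crt and crl.pem; any CA it prints needs its CRL concatenated into the ssl_crl file before nginx will accept the client certificate.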