https://support.cryptopro.ru/index.php?/Knowledgebase/Article/View/440/0/nginx-gost-binary-packages

debian:stable-20241202-slim

server {
listen 8443 sspi; #включаем SSPI
server_name XXXXXXXXXXXXXXXXXXXX.ru;

sspi_certificate 0x7C001XXXXXXXXXXXXXXXXXXXX7000B0017DF60; # GOST Serial
sspi_protocols TLSv1.2;

location / {
root /var/opt/cprocsp/cpnginx/html;
index index.html;
}

}

2024/12/20 16:51:44 [warn] 1#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/opt/cprocsp/cpnginx/cpnginx.conf:2
2024/12/20 16:51:44 [notice] 1#0: using the "epoll" event method
2024/12/20 16:51:44 [notice] 1#0: nginx/1.22.1
2024/12/20 16:51:44 [notice] 1#0: built by gcc 9.3.1 20200408 (Red Hat 9.3.1-2) (GCC)
2024/12/20 16:51:44 [notice] 1#0: OS: Linux 5.10.104-linuxkit
2024/12/20 16:51:44 [notice] 1#0: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2024/12/20 16:51:44 [notice] 1#0: start worker processes
2024/12/20 16:51:44 [notice] 1#0: start worker process 7
2024/12/20 16:51:44 [notice] 1#0: start worker process 8
2024/12/20 16:51:44 [notice] 1#0: start worker process 9
2024/12/20 16:51:44 [notice] 1#0: start worker process 10
2024/12/20 16:51:44 [notice] 1#0: start worker process 11
2024/12/20 16:51:44 [notice] 1#0: start worker process 12
2024/12/20 16:51:44 [emerg] 9#0: AcquireCredentialsHandle failed: 0x80090307
2024/12/20 16:51:44 [emerg] 10#0: AcquireCredentialsHandle failed: 0x80090307
2024/12/20 16:51:44 [emerg] 7#0: AcquireCredentialsHandle failed: 0x80090307
2024/12/20 16:51:44 [emerg] 8#0: AcquireCredentialsHandle failed: 0x80090307
2024/12/20 16:51:44 [emerg] 12#0: AcquireCredentialsHandle failed: 0x80090307
2024/12/20 16:51:44 [emerg] 11#0: AcquireCredentialsHandle failed: 0x80090307
2024/12/20 16:52:35 [error] 12#0: *1 no "sspi_certificate" is defined in server listening on SSPI port, or SSPI credentials are invalid while SSPI handshaking, client: 172.17.0.2, server: 0.0.0.0:8443

Certmgr Ver:5.0.13000 OS:Linux CPU:AMD64 (c) "Crypto-Pro", 2007-2024.
Program for managing certificates, CRLs and stores.
=============================================================================
1-------
Issuer : ОГРН=1234567890123, ИНН=001234567890, STREET=ул. Сущёвский вал д. 18, C=RU, S=г. Москва, L=Москва, O="ООО ""КРИПТО-ПРО""", CN="Тестовый УЦ ООО ""КРИПТО-ПРО"""
Subject : CN=XXXXXXXXXXXXXXXXXXXX.ru
Serial : 0x7C001XXXXXXXXXXXXXXXXXXXX7000B0017DF60
SHA1 Thumbprint : d72aea17679726983478b87ac257130ad65749e7
SubjectKeyID : 8f19a5b0cf55a963e2a40187c1bdf8e15ed76f8e
Signature Algorithm : ГОСТ Р 34.11-2012/34.10-2012 256 бит
PublicKey Algorithm : ГОСТ Р 34.10-2012 256 бит (512 bits)
Not valid before : 16/12/2024 10:45:20 UTC
Not valid after : 16/02/2025 10:55:20 UTC
PrivateKey Link : Yes
Container : HDIMAGE\\XXXX-pro.000\64AA
Provider Name : Crypto-Pro GOST R 34.10-2012 KC1 CSP
Provider Info : Provider Type: 80, Key Spec: 1, Flags: 0x0
OCSP URL : http://testgost2012.cryp...ro.ru/ocsp2012g/ocsp.srf
OCSP URL : http://testgost2012.cryp....ru/ocsp2012gst/ocsp.srf
CA cert URL : http://testgost2012.cryp...oll/testgost2012(11).crt
CA cert URL : http://testgost2012.cryp.../CertEnroll/testroot.p7b
CDP : http://testgost2012.cryptopro.ru/CertEnroll/!0422!0435!0441!0442!043e!0432!044b!0439%20!0423!0426%20!041e!041e!041e%20!0022!041a!0420!0418!041f!0422!041e-!041f!0420!041e!0022(11).crl
CDP : http://testgost2012.cryp...oll/testgost2012(11).crl
Extended Key Usage : 1.3.6.1.5.5.7.3.1 Проверка подлинности сервера
=============================================================================

[ErrorCode: 0x00000000]

/opt/cprocsp/sbin/amd64/cpconfig -license -view
License validity:
5XXXXXXXXXXXXXXXXXXXXK1
license - permanent
License type: Server.

/opt/cprocsp/bin/amd64/curl -vvv https://XXXXXXXXXXXXXXXXXXXX.ru:8443
* Trying 172.17.0.2:8443...
* TCP_NODELAY set
* Connected to XXXXXXXXXXXXXXXXXXXX.ru (172.17.0.2) port 8443 (#0)
* schannel: failed to receive handshake, SSL/TLS connection failed
* Closing connection 0
* schannel: shutting down SSL/TLS connection with XXXXXXXXXXXXXXXXXXXX.ru port 8443
* Send failure: Broken pipe
* schannel: failed to send close msg: Failed sending data to the peer (bytes written: -1)
curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed

/var/opt/cprocsp/keys/
total 24
drwxrwxrwt 1 root root 4096 Dec 9 13:59 .
drwxr-xr-x 1 root root 4096 Dec 6 13:21 ..
drwx------ 1 cpnginx cpnginx 4096 Dec 9 13:59 cpnginx
drwx------ 3 root root 4096 Dec 6 13:21 root

/var/opt/cprocsp/keys/cpnginx/
total 20
drwx------ 1 cpnginx cpnginx 4096 Dec 9 13:59 .
drwxrwxrwt 1 root root 4096 Dec 9 13:59 ..
drwx------ 1 cpnginx cpnginx 4096 Dec 20 07:45 ХХХХ-pro.000

/var/opt/cprocsp/keys/cpnginx/ХХХХ-pro.000/
total 36
drwx------ 1 cpnginx cpnginx 4096 Dec 20 07:45 .
drwx------ 1 cpnginx cpnginx 4096 Dec 9 13:59 ..
-rw------- 1 cpnginx cpnginx 1390 Dec 16 13:34 header.key
-rw------- 1 cpnginx cpnginx 56 Dec 16 13:34 masks.key
-rw------- 1 cpnginx cpnginx 56 Dec 16 13:34 masks2.key
-rw------- 1 cpnginx cpnginx 28 Dec 16 13:34 name.key
-rw------- 1 cpnginx cpnginx 36 Dec 16 13:34 primary.key
-rw------- 1 cpnginx cpnginx 36 Dec 16 13:34 primary2.key