client certificate error
Paulo Wollny
ppjjvvww at gmail.com
Tue Jun 29 22:23:21 UTC 2021
Dear @ll
My environment:
OpenSSL 1.1.1f 31 Mar 2020
Ubuntu 20.04
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2021-06-17T18:27:53
My problem:
connecting to a secure server requiring client certificate, i get the
following error when presenting my certificate:
ERR_BAD_SSL_CLIENT_AUTH_CERT
It started to fail after the previous one voided and i issued a new one.
CA, the same, server cert, renewed after previous voided.
My server conf:
<VirtualHost *:443>
ServerAdmin webmaster at localhost
DocumentRoot /home/www/
# Available loglevels: trace8, ..., trace1, debug,
info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for
particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog /var/log/apache2/ssl_engine.log
LogLevel debug
#ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/,
which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host.
For example the
# following line enables the CGI configuration for this
host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1.3
#SSLProtocol all
#SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384
EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW
!3DES !MD5 !EXP !PSK !SRP !DSS"
# A self-signed (snakeoil) certificate can be created
by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same
file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/ssl/private/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile
/etc/ssl/certs/PSign_TrustCenter_Root_CA-I.pem
SSLCACertificateFile /etc/ssl/private/fullchain.crt
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which
form the
# certificate chain for the server certificate.
Alternatively
# the referenced file can be the same as
SSLCertificateFile
# when the CA certificates are directly appended to
the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to
find CA
# certificates for client authentication or
alternatively one
# huge file containing all of them (file must be PEM
encoded)
# Note: Inside SSLCACertificatePath you need hash
symlinks
# to point to the certificate files. Use
the provided
# Makefile to update the hash symlinks
after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs
for client
# authentication or alternatively one huge file
containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use
the provided
# Makefile to update the hash symlinks
after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth.
Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the
certificate
# issuer chain before deciding the certificate is not
valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic
Authorisation. This means that
# the standard Auth/DBMAuth methods can be used
for access control. The
# user name is the `one line' version of the
client's X.509 certificate.
# Note that no password is obtained from the
user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment
variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded
certificates of the
# server (always existing) and the client (only
existing when client
# authentication is used). This can be used to
import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related
`SSL_*' environment variables.
# Per default this exportation is switched off
for performance reasons,
# because the extraction step is an expensive
operation and is usually
# useless for serving static content. So one
usually enables the
# exportation for CGI and SSI requests only.
# o OptRenegotiate:
# This enables optimized SSL connection
renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard
compliant shutdown
# approach is that mod_ssl sends the close notify
alert but doesn't wait for
# the close notify alert from client. When you need a
different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the
connection is closed, i.e. no
# SSL close notify alert is send or allowed to
received. This violates
# the SSL/TLS standard but is needed for some
brain-dead browsers. Use
# this when you receive I/O errors because of
the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the
connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl
waits for the close notify
# alert of the client. This is 100% SSL/TLS
standard compliant, but in
# practice often causes hanging connections with
brain-dead browsers. Use
# this only for browsers where you know that
their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also
related to the HTTP
# keep-alive facility, so you usually additionally
want to disable
# keep-alive for those clients, too. Use variable
"nokeepalive" for this.
# Similarly, one has to force some clients to use
HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables
"downgrade-1.0" and
# "force-response-1.0" for this.
# BrowserMatch "MSIE [2-6]" \
# nokeepalive ssl-unclean-shutdown \
# downgrade-1.0 force-response-1.0
# private
Alias /ssl/ /home/www/html-ssl-certs/
<location /ssl/>
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +StdEnvVars +ExportCertData
AuthType Basic
AuthName "Protected User access required"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
DirectoryIndex phpinfo.php
DirectoryIndexRedirect permanent
Order deny,allow
Allow from all
</location>
</VirtualHost>
log shows:
[Tue Jun 29 19:15:43.024571 2021] [socache_shmcb:debug] [pid 241359]
mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0xae ->
subcache 14)
[Tue Jun 29 19:15:43.024597 2021] [socache_shmcb:debug] [pid 241359]
mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match
[Tue Jun 29 19:15:43.024605 2021] [socache_shmcb:debug] [pid 241359]
mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve
successfully
[Tue Jun 29 19:15:43.024632 2021] [ssl:debug] [pid 241359]
ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No matching
SSL virtual host for servername localhost found (using default/first
virtual host)
[Tue Jun 29 19:15:43.024700 2021] [ssl:debug] [pid 241359]
ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No matching
SSL virtual host for servername localhost found (using default/first
virtual host)
[Tue Jun 29 19:15:43.024711 2021] [core:debug] [pid 241359]
protocol.c(2313): [client 127.0.0.1:57022] AH03155: select protocol from
, choices=h2,http/1.1 for server hp15pw
[Tue Jun 29 19:15:43.026143 2021] [ssl:info] [pid 241355] [client
127.0.0.1:57024] AH01964: Connection to child 0 established (server
hp15pw:443)
[Tue Jun 29 19:15:43.026407 2021] [socache_shmcb:debug] [pid 241355]
mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0x07 ->
subcache 7)
[Tue Jun 29 19:15:43.026424 2021] [socache_shmcb:debug] [pid 241355]
mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match
[Tue Jun 29 19:15:43.026429 2021] [socache_shmcb:debug] [pid 241355]
mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve
successfully
[Tue Jun 29 19:15:43.026449 2021] [ssl:debug] [pid 241355]
ssl_engine_kernel.c(2387): [client 127.0.0.1:57024] AH02044: No matching
SSL virtual host for servername localhost found (using default/first
virtual host)
[Tue Jun 29 19:15:43.026489 2021] [ssl:debug] [pid 241355]
ssl_engine_kernel.c(2387): [client 127.0.0.1:57024] AH02044: No matching
SSL virtual host for servername localhost found (using default/first
virtual host)
[Tue Jun 29 19:15:43.026497 2021] [core:debug] [pid 241355]
protocol.c(2313): [client 127.0.0.1:57024] AH03155: select protocol from
, choices=h2,http/1.1 for server hp15pw
[Tue Jun 29 19:15:43.321198 2021] [ssl:debug] [pid 241359]
ssl_engine_kernel.c(2254): [client 127.0.0.1:57022] AH02041: Protocol:
TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:43.323322 2021] [ssl:debug] [pid 241359]
ssl_engine_kernel.c(415): [client 127.0.0.1:57022] AH02034: Initial
(No.1) HTTPS request received for child 4 (server hp15pw:443)
[Tue Jun 29 19:15:43.323413 2021] [ssl:debug] [pid 241355]
ssl_engine_kernel.c(2254): [client 127.0.0.1:57024] AH02041: Protocol:
TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:43.323733 2021] [ssl:debug] [pid 241359]
ssl_engine_kernel.c(782): [client 127.0.0.1:57022] AH02255: Changed
client verification type will force renegotiation
[Tue Jun 29 19:15:43.323837 2021] [ssl:info] [pid 241359] [client
127.0.0.1:57022] AH02221: Requesting connection re-negotiation
[Tue Jun 29 19:15:43.323893 2021] [ssl:debug] [pid 241359]
ssl_engine_kernel.c(984): [client 127.0.0.1:57022] AH02260: Performing
full renegotiation: complete handshake protocol (client does support
secure renegotiation)
[Tue Jun 29 19:15:43.324148 2021] [ssl:debug] [pid 241359]
ssl_engine_kernel.c(2254): [client 127.0.0.1:57022] AH02041: Protocol:
TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:43.324265 2021] [ssl:info] [pid 241359] [client
127.0.0.1:57022] AH02226: Awaiting re-negotiation handshake
[Tue Jun 29 19:15:43.324869 2021] [ssl:debug] [pid 241359]
ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No matching
SSL virtual host for servername localhost found (using default/first
virtual host)
[Tue Jun 29 19:15:43.331104 2021] [ssl:error] [pid 241359] [client
127.0.0.1:57022] AH02261: Re-negotiation handshake failed
[Tue Jun 29 19:15:43.331256 2021] [ssl:debug] [pid 241359]
ssl_engine_io.c(1368): (70014)End of file found: [client
127.0.0.1:57022] AH02007: SSL handshake interrupted by system [Hint:
Stop button pressed in browser?!]
[Tue Jun 29 19:15:43.331328 2021] [ssl:info] [pid 241359] [client
127.0.0.1:57022] AH01998: Connection closed to child 4 with abortive
shutdown (server hp15pw:443)
[Tue Jun 29 19:15:45.526753 2021] [ssl:info] [pid 241355] (70014)End of
file found: [client 127.0.0.1:57024] AH01991: SSL input filter read failed.
[Tue Jun 29 19:15:45.527179 2021] [ssl:debug] [pid 241355]
ssl_engine_io.c(1102): [client 127.0.0.1:57024] AH02001: Connection
closed to child 0 with standard shutdown (server hp15pw:443)
[Tue Jun 29 19:15:45.537952 2021] [ssl:info] [pid 241357] [client
127.0.0.1:57026] AH01964: Connection to child 2 established (server
hp15pw:443)
[Tue Jun 29 19:15:45.538859 2021] [socache_shmcb:debug] [pid 241357]
mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0x68 ->
subcache 8)
[Tue Jun 29 19:15:45.538910 2021] [socache_shmcb:debug] [pid 241357]
mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match
[Tue Jun 29 19:15:45.538929 2021] [socache_shmcb:debug] [pid 241357]
mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve
successfully
[Tue Jun 29 19:15:45.538994 2021] [ssl:debug] [pid 241357]
ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No matching
SSL virtual host for servername localhost found (using default/first
virtual host)
[Tue Jun 29 19:15:45.539162 2021] [ssl:debug] [pid 241357]
ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No matching
SSL virtual host for servername localhost found (using default/first
virtual host)
[Tue Jun 29 19:15:45.539188 2021] [core:debug] [pid 241357]
protocol.c(2313): [client 127.0.0.1:57026] AH03155: select protocol from
, choices=h2,http/1.1 for server hp15pw
[Tue Jun 29 19:15:45.574552 2021] [ssl:debug] [pid 241357]
ssl_engine_kernel.c(2254): [client 127.0.0.1:57026] AH02041: Protocol:
TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:45.589868 2021] [ssl:debug] [pid 241357]
ssl_engine_kernel.c(415): [client 127.0.0.1:57026] AH02034: Initial
(No.1) HTTPS request received for child 2 (server hp15pw:443)
[Tue Jun 29 19:15:45.590043 2021] [ssl:debug] [pid 241357]
ssl_engine_kernel.c(782): [client 127.0.0.1:57026] AH02255: Changed
client verification type will force renegotiation
[Tue Jun 29 19:15:45.590051 2021] [ssl:info] [pid 241357] [client
127.0.0.1:57026] AH02221: Requesting connection re-negotiation
[Tue Jun 29 19:15:45.590124 2021] [ssl:debug] [pid 241357]
ssl_engine_kernel.c(984): [client 127.0.0.1:57026] AH02260: Performing
full renegotiation: complete handshake protocol (client does support
secure renegotiation)
[Tue Jun 29 19:15:45.590251 2021] [ssl:debug] [pid 241357]
ssl_engine_kernel.c(2254): [client 127.0.0.1:57026] AH02041: Protocol:
TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:45.590261 2021] [ssl:info] [pid 241357] [client
127.0.0.1:57026] AH02226: Awaiting re-negotiation handshake
[Tue Jun 29 19:15:45.590535 2021] [ssl:debug] [pid 241357]
ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No matching
SSL virtual host for servername localhost found (using default/first
virtual host)
[Tue Jun 29 19:15:45.592237 2021] [socache_shmcb:debug] [pid 241357]
mod_socache_shmcb.c(555): AH00837: socache_shmcb_remove (0x4c ->
subcache 12)
[Tue Jun 29 19:15:45.592290 2021] [socache_shmcb:debug] [pid 241357]
mod_socache_shmcb.c(570): AH00839: leaving socache_shmcb_remove successfully
[Tue Jun 29 19:15:45.592363 2021] [ssl:error] [pid 241357] [client
127.0.0.1:57026] AH02261: Re-negotiation handshake failed
[Tue Jun 29 19:15:45.592456 2021] [ssl:error] [pid 241357] SSL Library
Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer
did not return a certificate -- No CAs known to server for verification?
[Tue Jun 29 19:15:45.592643 2021] [ssl:debug] [pid 241357]
ssl_engine_io.c(1368): [client 127.0.0.1:57026] AH02007: SSL handshake
interrupted by system [Hint: Stop button pressed in browser?!]
[Tue Jun 29 19:15:45.592662 2021] [ssl:info] [pid 241357] [client
127.0.0.1:57026] AH01998: Connection closed to child 2 with abortive
shutdown (server hp15pw:443)
root at hp15pw:/var/log/apache2#
Any cue? I'm not being able to find out what is wrong.
Thx in advance.
More information about the openssl-users
mailing list