client certificate error

Paulo Wollny ppjjvvww at gmail.com
Tue Jun 29 22:23:21 UTC 2021


Dear @ll

My environment:

OpenSSL 1.1.1f  31 Mar 2020

Ubuntu 20.04

Server version: Apache/2.4.41 (Ubuntu)
Server built:   2021-06-17T18:27:53

My problem:

connecting to a secure server requiring client certificate, i get the 
following error when presenting my certificate:

ERR_BAD_SSL_CLIENT_AUTH_CERT

It started to fail after the previous one voided and i issued a new one.

CA, the same, server cert, renewed after previous voided.

My server conf:

<VirtualHost *:443>
                 ServerAdmin webmaster at localhost

                 DocumentRoot /home/www/

                 # Available loglevels: trace8, ..., trace1, debug, 
info, notice, warn,
                 # error, crit, alert, emerg.
                 # It is also possible to configure the loglevel for 
particular
                 # modules, e.g.
                 #LogLevel info ssl:warn

                 ErrorLog /var/log/apache2/ssl_engine.log
                 LogLevel debug

                 #ErrorLog ${APACHE_LOG_DIR}/error.log
                 CustomLog ${APACHE_LOG_DIR}/access.log combined

                 # For most configuration files from conf-available/, 
which are
                 # enabled or disabled at a global level, it is possible to
                 # include a line for only one particular virtual host. 
For example the
                 # following line enables the CGI configuration for this 
host only
                 # after it has been globally disabled with "a2disconf".
                 #Include conf-available/serve-cgi-bin.conf

                 #   SSL Engine Switch:
                 #   Enable/Disable SSL for this virtual host.
                 SSLEngine on

                 SSLProtocol all -SSLv3 -TLSv1.3
                 #SSLProtocol all
                 #SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3
                 SSLHonorCipherOrder on
                 SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM 
EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 
EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW 
!3DES !MD5 !EXP !PSK !SRP !DSS"

                 #   A self-signed (snakeoil) certificate can be created 
by installing
                 #   the ssl-cert package. See
                 #   /usr/share/doc/apache2/README.Debian.gz for more info.
                 #   If both key and certificate are stored in the same 
file, only the
                 #   SSLCertificateFile directive is needed.
                 SSLCertificateFile /etc/ssl/private/server.crt
                 SSLCertificateKeyFile /etc/ssl/private/server.key
                 SSLCACertificatePath /etc/ssl/certs/
                 #SSLCACertificateFile 
/etc/ssl/certs/PSign_TrustCenter_Root_CA-I.pem
                 SSLCACertificateFile /etc/ssl/private/fullchain.crt


                 #   Server Certificate Chain:
                 #   Point SSLCertificateChainFile at a file containing the
                 #   concatenation of PEM encoded CA certificates which 
form the
                 #   certificate chain for the server certificate. 
Alternatively
                 #   the referenced file can be the same as 
SSLCertificateFile
                 #   when the CA certificates are directly appended to 
the server
                 #   certificate for convinience.
                 #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

                 #   Certificate Authority (CA):
                 #   Set the CA certificate verification path where to 
find CA
                 #   certificates for client authentication or 
alternatively one
                 #   huge file containing all of them (file must be PEM 
encoded)
                 #   Note: Inside SSLCACertificatePath you need hash 
symlinks
                 #                to point to the certificate files. Use 
the provided
                 #                Makefile to update the hash symlinks 
after changes.
                 #SSLCACertificatePath /etc/ssl/certs/
                 #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

                 #   Certificate Revocation Lists (CRL):
                 #   Set the CA revocation path where to find CA CRLs 
for client
                 #   authentication or alternatively one huge file 
containing all
                 #   of them (file must be PEM encoded)
                 #   Note: Inside SSLCARevocationPath you need hash symlinks
                 #                to point to the certificate files. Use 
the provided
                 #                Makefile to update the hash symlinks 
after changes.
                 #SSLCARevocationPath /etc/apache2/ssl.crl/
                 #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

                 #   Client Authentication (Type):
                 #   Client certificate verification type and depth. 
Types are
                 #   none, optional, require and optional_no_ca.  Depth is a
                 #   number which specifies how deeply to verify the 
certificate
                 #   issuer chain before deciding the certificate is not 
valid.
                 #SSLVerifyClient require
                 #SSLVerifyDepth  10

                 #   SSL Engine Options:
                 #   Set various options for the SSL engine.
                 #   o FakeBasicAuth:
                 #        Translate the client X.509 into a Basic 
Authorisation.  This means that
                 #        the standard Auth/DBMAuth methods can be used 
for access control.  The
                 #        user name is the `one line' version of the 
client's X.509 certificate.
                 #        Note that no password is obtained from the 
user. Every entry in the user
                 #        file needs this password: `xxj31ZMTZzkVA'.
                 #   o ExportCertData:
                 #        This exports two additional environment 
variables: SSL_CLIENT_CERT and
                 #        SSL_SERVER_CERT. These contain the PEM-encoded 
certificates of the
                 #        server (always existing) and the client (only 
existing when client
                 #        authentication is used). This can be used to 
import the certificates
                 #        into CGI scripts.
                 #   o StdEnvVars:
                 #        This exports the standard SSL/TLS related 
`SSL_*' environment variables.
                 #        Per default this exportation is switched off 
for performance reasons,
                 #        because the extraction step is an expensive 
operation and is usually
                 #        useless for serving static content. So one 
usually enables the
                 #        exportation for CGI and SSI requests only.
                 #   o OptRenegotiate:
                 #        This enables optimized SSL connection 
renegotiation handling when SSL
                 #        directives are used in per-directory context.
                 #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
                 <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                 SSLOptions +StdEnvVars
                 </FilesMatch>
                 <Directory /usr/lib/cgi-bin>
                                 SSLOptions +StdEnvVars
                 </Directory>

                 #   SSL Protocol Adjustments:
                 #   The safe and default but still SSL/TLS standard 
compliant shutdown
                 #   approach is that mod_ssl sends the close notify 
alert but doesn't wait for
                 #   the close notify alert from client. When you need a 
different shutdown
                 #   approach you can use one of the following variables:
                 #   o ssl-unclean-shutdown:
                 #        This forces an unclean shutdown when the 
connection is closed, i.e. no
                 #        SSL close notify alert is send or allowed to 
received.  This violates
                 #        the SSL/TLS standard but is needed for some 
brain-dead browsers. Use
                 #        this when you receive I/O errors because of 
the standard approach where
                 #        mod_ssl sends the close notify alert.
                 #   o ssl-accurate-shutdown:
                 #        This forces an accurate shutdown when the 
connection is closed, i.e. a
                 #        SSL close notify alert is send and mod_ssl 
waits for the close notify
                 #        alert of the client. This is 100% SSL/TLS 
standard compliant, but in
                 #        practice often causes hanging connections with 
brain-dead browsers. Use
                 #        this only for browsers where you know that 
their SSL implementation
                 #        works correctly.
                 #   Notice: Most problems of broken clients are also 
related to the HTTP
                 #   keep-alive facility, so you usually additionally 
want to disable
                 #   keep-alive for those clients, too. Use variable 
"nokeepalive" for this.
                 #   Similarly, one has to force some clients to use 
HTTP/1.0 to workaround
                 #   their broken HTTP/1.1 implementation. Use variables 
"downgrade-1.0" and
                 #   "force-response-1.0" for this.
                 # BrowserMatch "MSIE [2-6]" \
                 #               nokeepalive ssl-unclean-shutdown \
                 #               downgrade-1.0 force-response-1.0


# private
        Alias /ssl/ /home/www/html-ssl-certs/
        <location /ssl/>
              SSLVerifyClient require
              SSLVerifyDepth       5
              SSLOptions +StdEnvVars +ExportCertData
              AuthType Basic
              AuthName "Protected User access required"
              AuthUserFile /etc/apache2/.htpasswd
              Require valid-user
              DirectoryIndex phpinfo.php
              DirectoryIndexRedirect permanent
              Order deny,allow
              Allow from all
       </location>



</VirtualHost>



log shows:

[Tue Jun 29 19:15:43.024571 2021] [socache_shmcb:debug] [pid 241359] 
mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0xae -> 
subcache 14)
[Tue Jun 29 19:15:43.024597 2021] [socache_shmcb:debug] [pid 241359] 
mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match
[Tue Jun 29 19:15:43.024605 2021] [socache_shmcb:debug] [pid 241359] 
mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve 
successfully
[Tue Jun 29 19:15:43.024632 2021] [ssl:debug] [pid 241359] 
ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No matching 
SSL virtual host for servername localhost found (using default/first 
virtual host)
[Tue Jun 29 19:15:43.024700 2021] [ssl:debug] [pid 241359] 
ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No matching 
SSL virtual host for servername localhost found (using default/first 
virtual host)
[Tue Jun 29 19:15:43.024711 2021] [core:debug] [pid 241359] 
protocol.c(2313): [client 127.0.0.1:57022] AH03155: select protocol from 
, choices=h2,http/1.1 for server hp15pw
[Tue Jun 29 19:15:43.026143 2021] [ssl:info] [pid 241355] [client 
127.0.0.1:57024] AH01964: Connection to child 0 established (server 
hp15pw:443)
[Tue Jun 29 19:15:43.026407 2021] [socache_shmcb:debug] [pid 241355] 
mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0x07 -> 
subcache 7)
[Tue Jun 29 19:15:43.026424 2021] [socache_shmcb:debug] [pid 241355] 
mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match
[Tue Jun 29 19:15:43.026429 2021] [socache_shmcb:debug] [pid 241355] 
mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve 
successfully
[Tue Jun 29 19:15:43.026449 2021] [ssl:debug] [pid 241355] 
ssl_engine_kernel.c(2387): [client 127.0.0.1:57024] AH02044: No matching 
SSL virtual host for servername localhost found (using default/first 
virtual host)
[Tue Jun 29 19:15:43.026489 2021] [ssl:debug] [pid 241355] 
ssl_engine_kernel.c(2387): [client 127.0.0.1:57024] AH02044: No matching 
SSL virtual host for servername localhost found (using default/first 
virtual host)
[Tue Jun 29 19:15:43.026497 2021] [core:debug] [pid 241355] 
protocol.c(2313): [client 127.0.0.1:57024] AH03155: select protocol from 
, choices=h2,http/1.1 for server hp15pw
[Tue Jun 29 19:15:43.321198 2021] [ssl:debug] [pid 241359] 
ssl_engine_kernel.c(2254): [client 127.0.0.1:57022] AH02041: Protocol: 
TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:43.323322 2021] [ssl:debug] [pid 241359] 
ssl_engine_kernel.c(415): [client 127.0.0.1:57022] AH02034: Initial 
(No.1) HTTPS request received for child 4 (server hp15pw:443)
[Tue Jun 29 19:15:43.323413 2021] [ssl:debug] [pid 241355] 
ssl_engine_kernel.c(2254): [client 127.0.0.1:57024] AH02041: Protocol: 
TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:43.323733 2021] [ssl:debug] [pid 241359] 
ssl_engine_kernel.c(782): [client 127.0.0.1:57022] AH02255: Changed 
client verification type will force renegotiation
[Tue Jun 29 19:15:43.323837 2021] [ssl:info] [pid 241359] [client 
127.0.0.1:57022] AH02221: Requesting connection re-negotiation
[Tue Jun 29 19:15:43.323893 2021] [ssl:debug] [pid 241359] 
ssl_engine_kernel.c(984): [client 127.0.0.1:57022] AH02260: Performing 
full renegotiation: complete handshake protocol (client does support 
secure renegotiation)
[Tue Jun 29 19:15:43.324148 2021] [ssl:debug] [pid 241359] 
ssl_engine_kernel.c(2254): [client 127.0.0.1:57022] AH02041: Protocol: 
TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:43.324265 2021] [ssl:info] [pid 241359] [client 
127.0.0.1:57022] AH02226: Awaiting re-negotiation handshake
[Tue Jun 29 19:15:43.324869 2021] [ssl:debug] [pid 241359] 
ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No matching 
SSL virtual host for servername localhost found (using default/first 
virtual host)
[Tue Jun 29 19:15:43.331104 2021] [ssl:error] [pid 241359] [client 
127.0.0.1:57022] AH02261: Re-negotiation handshake failed
[Tue Jun 29 19:15:43.331256 2021] [ssl:debug] [pid 241359] 
ssl_engine_io.c(1368): (70014)End of file found: [client 
127.0.0.1:57022] AH02007: SSL handshake interrupted by system [Hint: 
Stop button pressed in browser?!]
[Tue Jun 29 19:15:43.331328 2021] [ssl:info] [pid 241359] [client 
127.0.0.1:57022] AH01998: Connection closed to child 4 with abortive 
shutdown (server hp15pw:443)
[Tue Jun 29 19:15:45.526753 2021] [ssl:info] [pid 241355] (70014)End of 
file found: [client 127.0.0.1:57024] AH01991: SSL input filter read failed.
[Tue Jun 29 19:15:45.527179 2021] [ssl:debug] [pid 241355] 
ssl_engine_io.c(1102): [client 127.0.0.1:57024] AH02001: Connection 
closed to child 0 with standard shutdown (server hp15pw:443)
[Tue Jun 29 19:15:45.537952 2021] [ssl:info] [pid 241357] [client 
127.0.0.1:57026] AH01964: Connection to child 2 established (server 
hp15pw:443)
[Tue Jun 29 19:15:45.538859 2021] [socache_shmcb:debug] [pid 241357] 
mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0x68 -> 
subcache 8)
[Tue Jun 29 19:15:45.538910 2021] [socache_shmcb:debug] [pid 241357] 
mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match
[Tue Jun 29 19:15:45.538929 2021] [socache_shmcb:debug] [pid 241357] 
mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve 
successfully
[Tue Jun 29 19:15:45.538994 2021] [ssl:debug] [pid 241357] 
ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No matching 
SSL virtual host for servername localhost found (using default/first 
virtual host)
[Tue Jun 29 19:15:45.539162 2021] [ssl:debug] [pid 241357] 
ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No matching 
SSL virtual host for servername localhost found (using default/first 
virtual host)
[Tue Jun 29 19:15:45.539188 2021] [core:debug] [pid 241357] 
protocol.c(2313): [client 127.0.0.1:57026] AH03155: select protocol from 
, choices=h2,http/1.1 for server hp15pw
[Tue Jun 29 19:15:45.574552 2021] [ssl:debug] [pid 241357] 
ssl_engine_kernel.c(2254): [client 127.0.0.1:57026] AH02041: Protocol: 
TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:45.589868 2021] [ssl:debug] [pid 241357] 
ssl_engine_kernel.c(415): [client 127.0.0.1:57026] AH02034: Initial 
(No.1) HTTPS request received for child 2 (server hp15pw:443)
[Tue Jun 29 19:15:45.590043 2021] [ssl:debug] [pid 241357] 
ssl_engine_kernel.c(782): [client 127.0.0.1:57026] AH02255: Changed 
client verification type will force renegotiation
[Tue Jun 29 19:15:45.590051 2021] [ssl:info] [pid 241357] [client 
127.0.0.1:57026] AH02221: Requesting connection re-negotiation
[Tue Jun 29 19:15:45.590124 2021] [ssl:debug] [pid 241357] 
ssl_engine_kernel.c(984): [client 127.0.0.1:57026] AH02260: Performing 
full renegotiation: complete handshake protocol (client does support 
secure renegotiation)
[Tue Jun 29 19:15:45.590251 2021] [ssl:debug] [pid 241357] 
ssl_engine_kernel.c(2254): [client 127.0.0.1:57026] AH02041: Protocol: 
TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:45.590261 2021] [ssl:info] [pid 241357] [client 
127.0.0.1:57026] AH02226: Awaiting re-negotiation handshake
[Tue Jun 29 19:15:45.590535 2021] [ssl:debug] [pid 241357] 
ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No matching 
SSL virtual host for servername localhost found (using default/first 
virtual host)
[Tue Jun 29 19:15:45.592237 2021] [socache_shmcb:debug] [pid 241357] 
mod_socache_shmcb.c(555): AH00837: socache_shmcb_remove (0x4c -> 
subcache 12)
[Tue Jun 29 19:15:45.592290 2021] [socache_shmcb:debug] [pid 241357] 
mod_socache_shmcb.c(570): AH00839: leaving socache_shmcb_remove successfully
[Tue Jun 29 19:15:45.592363 2021] [ssl:error] [pid 241357] [client 
127.0.0.1:57026] AH02261: Re-negotiation handshake failed
[Tue Jun 29 19:15:45.592456 2021] [ssl:error] [pid 241357] SSL Library 
Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer 
did not return a certificate -- No CAs known to server for verification?
[Tue Jun 29 19:15:45.592643 2021] [ssl:debug] [pid 241357] 
ssl_engine_io.c(1368): [client 127.0.0.1:57026] AH02007: SSL handshake 
interrupted by system [Hint: Stop button pressed in browser?!]
[Tue Jun 29 19:15:45.592662 2021] [ssl:info] [pid 241357] [client 
127.0.0.1:57026] AH01998: Connection closed to child 2 with abortive 
shutdown (server hp15pw:443)
root at hp15pw:/var/log/apache2#

Any cue? I'm not being able to find out what is wrong.

Thx in advance.





More information about the openssl-users mailing list