client certificate error
Jan Just Keijser
janjust at nikhef.nl
Wed Jun 30 08:32:58 UTC 2021
Hi,
On 30/06/21 00:23, Paulo Wollny wrote:
> Dear @ll
>
> My environment:
>
> OpenSSL 1.1.1f 31 Mar 2020
>
> Ubuntu 20.04
>
> Server version: Apache/2.4.41 (Ubuntu)
> Server built: 2021-06-17T18:27:53
>
> My problem:
>
> Connecting to a secure server requiring a client certificate, I get the
> following error when presenting my certificate:
>
> ERR_BAD_SSL_CLIENT_AUTH_CERT
>
> It started to fail after the previous one was voided and I issued a new one.
>
> CA: the same. Server cert: renewed after the previous one was voided.
>
This is an apache/mod_ssl issue and has little to do with openssl; from
reading the logs the lines
[Tue Jun 29 19:15:45.592363 2021] [ssl:error] [pid 241357] [client
127.0.0.1:57026] AH02261: Re-negotiation handshake failed
look suspicious - it means your client is connecting from 127.0.0.1 and
your server is also listening on 127.0.0.1; is this really what you
have in mind?
But again, this is an apache httpd/mod_ssl issue and does not belong on
this list.
JJK
> My server conf:
>
> <VirtualHost *:443>
> ServerAdmin webmaster at localhost
>
> DocumentRoot /home/www/
>
> # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
> # error, crit, alert, emerg.
> # It is also possible to configure the loglevel for particular
> # modules, e.g.
> #LogLevel info ssl:warn
>
> ErrorLog /var/log/apache2/ssl_engine.log
> LogLevel debug
>
> #ErrorLog ${APACHE_LOG_DIR}/error.log
> CustomLog ${APACHE_LOG_DIR}/access.log combined
>
> # For most configuration files from conf-available/, which are
> # enabled or disabled at a global level, it is possible to
> # include a line for only one particular virtual host. For example the
> # following line enables the CGI configuration for this host only
> # after it has been globally disabled with "a2disconf".
> #Include conf-available/serve-cgi-bin.conf
>
> # SSL Engine Switch:
> # Enable/Disable SSL for this virtual host.
> SSLEngine on
>
> SSLProtocol all -SSLv3 -TLSv1.3
> #SSLProtocol all
> #SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3
> SSLHonorCipherOrder on
> SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
>
> # A self-signed (snakeoil) certificate can be created by installing
> # the ssl-cert package. See
> # /usr/share/doc/apache2/README.Debian.gz for more info.
> # If both key and certificate are stored in the same file, only the
> # SSLCertificateFile directive is needed.
> SSLCertificateFile /etc/ssl/private/server.crt
> SSLCertificateKeyFile /etc/ssl/private/server.key
> SSLCACertificatePath /etc/ssl/certs/
> #SSLCACertificateFile /etc/ssl/certs/PSign_TrustCenter_Root_CA-I.pem
> SSLCACertificateFile /etc/ssl/private/fullchain.crt
>
>
> # Server Certificate Chain:
> # Point SSLCertificateChainFile at a file containing the
> # concatenation of PEM encoded CA certificates which form the
> # certificate chain for the server certificate. Alternatively
> # the referenced file can be the same as SSLCertificateFile
> # when the CA certificates are directly appended to the server
> # certificate for convenience.
> #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
>
> # Certificate Authority (CA):
> # Set the CA certificate verification path where to find CA
> # certificates for client authentication or alternatively one
> # huge file containing all of them (file must be PEM encoded)
> # Note: Inside SSLCACertificatePath you need hash symlinks
> # to point to the certificate files. Use the provided
> # Makefile to update the hash symlinks after changes.
> #SSLCACertificatePath /etc/ssl/certs/
> #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
>
> # Certificate Revocation Lists (CRL):
> # Set the CA revocation path where to find CA CRLs for client
> # authentication or alternatively one huge file containing all
> # of them (file must be PEM encoded)
> # Note: Inside SSLCARevocationPath you need hash symlinks
> # to point to the certificate files. Use the provided
> # Makefile to update the hash symlinks after changes.
> #SSLCARevocationPath /etc/apache2/ssl.crl/
> #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
>
> # Client Authentication (Type):
> # Client certificate verification type and depth. Types are
> # none, optional, require and optional_no_ca. Depth is a
> # number which specifies how deeply to verify the certificate
> # issuer chain before deciding the certificate is not valid.
> #SSLVerifyClient require
> #SSLVerifyDepth 10
>
> # SSL Engine Options:
> # Set various options for the SSL engine.
> # o FakeBasicAuth:
> # Translate the client X.509 into a Basic Authorisation. This means that
> # the standard Auth/DBMAuth methods can be used for access control. The
> # user name is the `one line' version of the client's X.509 certificate.
> # Note that no password is obtained from the user. Every entry in the user
> # file needs this password: `xxj31ZMTZzkVA'.
> # o ExportCertData:
> # This exports two additional environment variables: SSL_CLIENT_CERT and
> # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
> # server (always existing) and the client (only existing when client
> # authentication is used). This can be used to import the certificates
> # into CGI scripts.
> # o StdEnvVars:
> # This exports the standard SSL/TLS related `SSL_*' environment variables.
> # Per default this exportation is switched off for performance reasons,
> # because the extraction step is an expensive operation and is usually
> # useless for serving static content. So one usually enables the
> # exportation for CGI and SSI requests only.
> # o OptRenegotiate:
> # This enables optimized SSL connection renegotiation handling when SSL
> # directives are used in per-directory context.
> #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
> <FilesMatch "\.(cgi|shtml|phtml|php)$">
> SSLOptions +StdEnvVars
> </FilesMatch>
> <Directory /usr/lib/cgi-bin>
> SSLOptions +StdEnvVars
> </Directory>
>
> # SSL Protocol Adjustments:
> # The safe and default but still SSL/TLS standard compliant shutdown
> # approach is that mod_ssl sends the close notify alert but doesn't wait for
> # the close notify alert from client. When you need a different shutdown
> # approach you can use one of the following variables:
> # o ssl-unclean-shutdown:
> # This forces an unclean shutdown when the connection is closed, i.e. no
> # SSL close notify alert is sent or allowed to be received. This violates
> # the SSL/TLS standard but is needed for some brain-dead browsers. Use
> # this when you receive I/O errors because of the standard approach where
> # mod_ssl sends the close notify alert.
> # o ssl-accurate-shutdown:
> # This forces an accurate shutdown when the connection is closed, i.e. a
> # SSL close notify alert is sent and mod_ssl waits for the close notify
> # alert of the client. This is 100% SSL/TLS standard compliant, but in
> # practice often causes hanging connections with brain-dead browsers. Use
> # this only for browsers where you know that their SSL implementation
> # works correctly.
> # Notice: Most problems of broken clients are also related to the HTTP
> # keep-alive facility, so you usually additionally want to disable
> # keep-alive for those clients, too. Use variable "nokeepalive" for this.
> # Similarly, one has to force some clients to use HTTP/1.0 to workaround
> # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
> # "force-response-1.0" for this.
> # BrowserMatch "MSIE [2-6]" \
> # nokeepalive ssl-unclean-shutdown \
> # downgrade-1.0 force-response-1.0
>
>
> # private
> Alias /ssl/ /home/www/html-ssl-certs/
> <location /ssl/>
> SSLVerifyClient require
> SSLVerifyDepth 5
> SSLOptions +StdEnvVars +ExportCertData
> AuthType Basic
> AuthName "Protected User access required"
> AuthUserFile /etc/apache2/.htpasswd
> Require valid-user
> DirectoryIndex phpinfo.php
> DirectoryIndexRedirect permanent
> Order deny,allow
> Allow from all
> </location>
>
>
>
> </VirtualHost>
>
>
>
> log shows:
>
> [Tue Jun 29 19:15:43.024571 2021] [socache_shmcb:debug] [pid 241359]
> mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0xae ->
> subcache 14)
> [Tue Jun 29 19:15:43.024597 2021] [socache_shmcb:debug] [pid 241359]
> mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match
> [Tue Jun 29 19:15:43.024605 2021] [socache_shmcb:debug] [pid 241359]
> mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve
> successfully
> [Tue Jun 29 19:15:43.024632 2021] [ssl:debug] [pid 241359]
> ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No
> matching SSL virtual host for servername localhost found (using
> default/first virtual host)
> [Tue Jun 29 19:15:43.024700 2021] [ssl:debug] [pid 241359]
> ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No
> matching SSL virtual host for servername localhost found (using
> default/first virtual host)
> [Tue Jun 29 19:15:43.024711 2021] [core:debug] [pid 241359]
> protocol.c(2313): [client 127.0.0.1:57022] AH03155: select protocol
> from , choices=h2,http/1.1 for server hp15pw
> [Tue Jun 29 19:15:43.026143 2021] [ssl:info] [pid 241355] [client
> 127.0.0.1:57024] AH01964: Connection to child 0 established (server
> hp15pw:443)
> [Tue Jun 29 19:15:43.026407 2021] [socache_shmcb:debug] [pid 241355]
> mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0x07 ->
> subcache 7)
> [Tue Jun 29 19:15:43.026424 2021] [socache_shmcb:debug] [pid 241355]
> mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match
> [Tue Jun 29 19:15:43.026429 2021] [socache_shmcb:debug] [pid 241355]
> mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve
> successfully
> [Tue Jun 29 19:15:43.026449 2021] [ssl:debug] [pid 241355]
> ssl_engine_kernel.c(2387): [client 127.0.0.1:57024] AH02044: No
> matching SSL virtual host for servername localhost found (using
> default/first virtual host)
> [Tue Jun 29 19:15:43.026489 2021] [ssl:debug] [pid 241355]
> ssl_engine_kernel.c(2387): [client 127.0.0.1:57024] AH02044: No
> matching SSL virtual host for servername localhost found (using
> default/first virtual host)
> [Tue Jun 29 19:15:43.026497 2021] [core:debug] [pid 241355]
> protocol.c(2313): [client 127.0.0.1:57024] AH03155: select protocol
> from , choices=h2,http/1.1 for server hp15pw
> [Tue Jun 29 19:15:43.321198 2021] [ssl:debug] [pid 241359]
> ssl_engine_kernel.c(2254): [client 127.0.0.1:57022] AH02041: Protocol:
> TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
> [Tue Jun 29 19:15:43.323322 2021] [ssl:debug] [pid 241359]
> ssl_engine_kernel.c(415): [client 127.0.0.1:57022] AH02034: Initial
> (No.1) HTTPS request received for child 4 (server hp15pw:443)
> [Tue Jun 29 19:15:43.323413 2021] [ssl:debug] [pid 241355]
> ssl_engine_kernel.c(2254): [client 127.0.0.1:57024] AH02041: Protocol:
> TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
> [Tue Jun 29 19:15:43.323733 2021] [ssl:debug] [pid 241359]
> ssl_engine_kernel.c(782): [client 127.0.0.1:57022] AH02255: Changed
> client verification type will force renegotiation
> [Tue Jun 29 19:15:43.323837 2021] [ssl:info] [pid 241359] [client
> 127.0.0.1:57022] AH02221: Requesting connection re-negotiation
> [Tue Jun 29 19:15:43.323893 2021] [ssl:debug] [pid 241359]
> ssl_engine_kernel.c(984): [client 127.0.0.1:57022] AH02260: Performing
> full renegotiation: complete handshake protocol (client does support
> secure renegotiation)
> [Tue Jun 29 19:15:43.324148 2021] [ssl:debug] [pid 241359]
> ssl_engine_kernel.c(2254): [client 127.0.0.1:57022] AH02041: Protocol:
> TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
> [Tue Jun 29 19:15:43.324265 2021] [ssl:info] [pid 241359] [client
> 127.0.0.1:57022] AH02226: Awaiting re-negotiation handshake
> [Tue Jun 29 19:15:43.324869 2021] [ssl:debug] [pid 241359]
> ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No
> matching SSL virtual host for servername localhost found (using
> default/first virtual host)
> [Tue Jun 29 19:15:43.331104 2021] [ssl:error] [pid 241359] [client
> 127.0.0.1:57022] AH02261: Re-negotiation handshake failed
> [Tue Jun 29 19:15:43.331256 2021] [ssl:debug] [pid 241359]
> ssl_engine_io.c(1368): (70014)End of file found: [client
> 127.0.0.1:57022] AH02007: SSL handshake interrupted by system [Hint:
> Stop button pressed in browser?!]
> [Tue Jun 29 19:15:43.331328 2021] [ssl:info] [pid 241359] [client
> 127.0.0.1:57022] AH01998: Connection closed to child 4 with abortive
> shutdown (server hp15pw:443)
> [Tue Jun 29 19:15:45.526753 2021] [ssl:info] [pid 241355] (70014)End
> of file found: [client 127.0.0.1:57024] AH01991: SSL input filter read
> failed.
> [Tue Jun 29 19:15:45.527179 2021] [ssl:debug] [pid 241355]
> ssl_engine_io.c(1102): [client 127.0.0.1:57024] AH02001: Connection
> closed to child 0 with standard shutdown (server hp15pw:443)
> [Tue Jun 29 19:15:45.537952 2021] [ssl:info] [pid 241357] [client
> 127.0.0.1:57026] AH01964: Connection to child 2 established (server
> hp15pw:443)
> [Tue Jun 29 19:15:45.538859 2021] [socache_shmcb:debug] [pid 241357]
> mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0x68 ->
> subcache 8)
> [Tue Jun 29 19:15:45.538910 2021] [socache_shmcb:debug] [pid 241357]
> mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match
> [Tue Jun 29 19:15:45.538929 2021] [socache_shmcb:debug] [pid 241357]
> mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve
> successfully
> [Tue Jun 29 19:15:45.538994 2021] [ssl:debug] [pid 241357]
> ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No
> matching SSL virtual host for servername localhost found (using
> default/first virtual host)
> [Tue Jun 29 19:15:45.539162 2021] [ssl:debug] [pid 241357]
> ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No
> matching SSL virtual host for servername localhost found (using
> default/first virtual host)
> [Tue Jun 29 19:15:45.539188 2021] [core:debug] [pid 241357]
> protocol.c(2313): [client 127.0.0.1:57026] AH03155: select protocol
> from , choices=h2,http/1.1 for server hp15pw
> [Tue Jun 29 19:15:45.574552 2021] [ssl:debug] [pid 241357]
> ssl_engine_kernel.c(2254): [client 127.0.0.1:57026] AH02041: Protocol:
> TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
> [Tue Jun 29 19:15:45.589868 2021] [ssl:debug] [pid 241357]
> ssl_engine_kernel.c(415): [client 127.0.0.1:57026] AH02034: Initial
> (No.1) HTTPS request received for child 2 (server hp15pw:443)
> [Tue Jun 29 19:15:45.590043 2021] [ssl:debug] [pid 241357]
> ssl_engine_kernel.c(782): [client 127.0.0.1:57026] AH02255: Changed
> client verification type will force renegotiation
> [Tue Jun 29 19:15:45.590051 2021] [ssl:info] [pid 241357] [client
> 127.0.0.1:57026] AH02221: Requesting connection re-negotiation
> [Tue Jun 29 19:15:45.590124 2021] [ssl:debug] [pid 241357]
> ssl_engine_kernel.c(984): [client 127.0.0.1:57026] AH02260: Performing
> full renegotiation: complete handshake protocol (client does support
> secure renegotiation)
> [Tue Jun 29 19:15:45.590251 2021] [ssl:debug] [pid 241357]
> ssl_engine_kernel.c(2254): [client 127.0.0.1:57026] AH02041: Protocol:
> TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
> [Tue Jun 29 19:15:45.590261 2021] [ssl:info] [pid 241357] [client
> 127.0.0.1:57026] AH02226: Awaiting re-negotiation handshake
> [Tue Jun 29 19:15:45.590535 2021] [ssl:debug] [pid 241357]
> ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No
> matching SSL virtual host for servername localhost found (using
> default/first virtual host)
> [Tue Jun 29 19:15:45.592237 2021] [socache_shmcb:debug] [pid 241357]
> mod_socache_shmcb.c(555): AH00837: socache_shmcb_remove (0x4c ->
> subcache 12)
> [Tue Jun 29 19:15:45.592290 2021] [socache_shmcb:debug] [pid 241357]
> mod_socache_shmcb.c(570): AH00839: leaving socache_shmcb_remove
> successfully
> [Tue Jun 29 19:15:45.592363 2021] [ssl:error] [pid 241357] [client
> 127.0.0.1:57026] AH02261: Re-negotiation handshake failed
> [Tue Jun 29 19:15:45.592456 2021] [ssl:error] [pid 241357] SSL Library
> Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer
> did not return a certificate -- No CAs known to server for verification?
> [Tue Jun 29 19:15:45.592643 2021] [ssl:debug] [pid 241357]
> ssl_engine_io.c(1368): [client 127.0.0.1:57026] AH02007: SSL handshake
> interrupted by system [Hint: Stop button pressed in browser?!]
> [Tue Jun 29 19:15:45.592662 2021] [ssl:info] [pid 241357] [client
> 127.0.0.1:57026] AH01998: Connection closed to child 2 with abortive
> shutdown (server hp15pw:443)
> root at hp15pw:/var/log/apache2#
>
> Any clue? I'm not able to find out what is wrong.
>
> Thx in advance.
>
>
>
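An added triage helper, not from the thread or from Apache, that groups mod_ssl error-log records per client connection and flags the failed per-location SSLVerifyClient renegotiation together with the OpenSSL reason behind it; the sample log is a constructed subset of the records quoted above, each joined onto a single line, and the function and field names are my own:

```python
import re
from collections import defaultdict

# One mod_ssl error-log record; the [client ip:port] field is optional because
# the "SSL Library Error" record carries only the pid (see the thread's log).
LINE_RE = re.compile(r"^\[[^\]]+\] \[[a-z_]+:[a-z]+\] \[pid (?P<pid>\d+)\]"
                     r"(?: [^\[]*\[client (?P<client>[\d.]+:\d+)\])?(?P<rest>.*)$")

# Constructed sample: a subset of the thread's log, one record per line.
SAMPLE_LOG = """\
[Tue Jun 29 19:15:43.026143 2021] [ssl:info] [pid 241355] [client 127.0.0.1:57024] AH01964: Connection to child 0 established (server hp15pw:443)
[Tue Jun 29 19:15:45.590051 2021] [ssl:info] [pid 241357] [client 127.0.0.1:57026] AH02221: Requesting connection re-negotiation
[Tue Jun 29 19:15:45.592363 2021] [ssl:error] [pid 241357] [client 127.0.0.1:57026] AH02261: Re-negotiation handshake failed
[Tue Jun 29 19:15:45.592456 2021] [ssl:error] [pid 241357] SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate -- No CAs known to server for verification?
[Tue Jun 29 19:15:45.527179 2021] [ssl:debug] [pid 241355] ssl_engine_io.c(1102): [client 127.0.0.1:57024] AH02001: Connection closed to child 0 with standard shutdown (server hp15pw:443)
"""

def triage_client_auth(log_text):
    """Per client connection: was renegotiation requested, did it fail, and why."""
    conns = defaultdict(lambda: {"reneg_requested": False, "reneg_failed": False, "reason": None})
    last_client = {}  # pid -> most recent [client] seen, to attribute pid-only records
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client = m.group("client")
        if client:
            last_client[m.group("pid")] = client
        else:
            client = last_client.get(m.group("pid"))
            if client is None:
                continue
        rest, c = m.group("rest"), conns[client]
        if "AH02221" in rest:          # Requesting connection re-negotiation
            c["reneg_requested"] = True
        elif "AH02261" in rest:        # Re-negotiation handshake failed
            c["reneg_failed"] = True
        elif "SSL Library Error" in rest:
            c["reason"] = rest.split("SSL routines:", 1)[-1].strip()
    return dict(conns)

def diagnose(conn):
    """Turn one connection summary into the next check for the operator."""
    if not conn["reneg_requested"]:
        return "no client auth requested"
    if not conn["reneg_failed"]:
        return "client certificate accepted"
    if conn["reason"] and "did not return a certificate" in conn["reason"]:
        return ("client sent no certificate: check that its issuing CA is in "
                "SSLCACertificateFile/SSLCACertificatePath (the CA list the server advertises)")
    return "renegotiation failed: " + (conn["reason"] or "no library error logged")
```

Run it over the full ssl_engine.log at LogLevel debug and compare the CA named in the reason against the issuer of the client certificate that the browser is presenting.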