client certificate error

Paulo Wollny ppjjvvww at gmail.com
Wed Jun 30 13:22:25 UTC 2021


Hi,

thank you for the answer.

can you please point the right direction for solution, please?

Regarding the "look suspicious - it means your client is connecting from 
127.0.0.1 and your server is also listening on 127.0.0.1 ; is this 
really what you have in mind? "  i'm testin on my local system, having 
apache server and browser (chrome) on the same system.

And yes, the server cetificate have localhost as DNS alias.

Again, thank you so much.

PW

Am 30.06.21 um 05:32 schrieb Jan Just Keijser:
> Hi,
> 
> On 30/06/21 00:23, Paulo Wollny wrote:
>> Dear @ll
>>
>> My environment:
>>
>> OpenSSL 1.1.1f  31 Mar 2020
>>
>> Ubuntu 20.04
>>
>> Server version: Apache/2.4.41 (Ubuntu)
>> Server built:   2021-06-17T18:27:53
>>
>> My problem:
>>
>> connecting to a secure server requiring client certificate, i get the 
>> following error when presenting my certificate:
>>
>> ERR_BAD_SSL_CLIENT_AUTH_CERT
>>
>> It started to fail after the previous one voided and i issued a new one.
>>
>> CA, the same, server cert, renewed after previous voided.
>>
> 
> this is an apache/mod_ssl issue and has little to do with openssl; from 
> reading the logs the lines
> 
> [Tue Jun 29 19:15:45.592363 2021] [ssl:error] [pid 241357] [client 
> 127.0.0.1:57026] AH02261: Re-negotiation handshake failed
> 
> look suspicious - it means your client is connecting from 127.0.0.1 and 
> your server is also listening on 127.0.0.1 ; is this really what you 
> have in mind?
> 
> But again, this is an apache httpd/mod_sssl issue and does not belong on 
> this list.
> 
> JJK
> 
>> My server conf:
>>
>> <VirtualHost *:443>
>>                 ServerAdmin webmaster at localhost
>>
>>                 DocumentRoot /home/www/
>>
>>                 # Available loglevels: trace8, ..., trace1, debug, 
>> info, notice, warn,
>>                 # error, crit, alert, emerg.
>>                 # It is also possible to configure the loglevel for 
>> particular
>>                 # modules, e.g.
>>                 #LogLevel info ssl:warn
>>
>>                 ErrorLog /var/log/apache2/ssl_engine.log
>>                 LogLevel debug
>>
>>                 #ErrorLog ${APACHE_LOG_DIR}/error.log
>>                 CustomLog ${APACHE_LOG_DIR}/access.log combined
>>
>>                 # For most configuration files from conf-available/, 
>> which are
>>                 # enabled or disabled at a global level, it is 
>> possible to
>>                 # include a line for only one particular virtual host. 
>> For example the
>>                 # following line enables the CGI configuration for 
>> this host only
>>                 # after it has been globally disabled with "a2disconf".
>>                 #Include conf-available/serve-cgi-bin.conf
>>
>>                 #   SSL Engine Switch:
>>                 #   Enable/Disable SSL for this virtual host.
>>                 SSLEngine on
>>
>>                 SSLProtocol all -SSLv3 -TLSv1.3
>>                 #SSLProtocol all
>>                 #SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3
>>                 SSLHonorCipherOrder on
>>                 SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM 
>> EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 
>> EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW 
>> !3DES !MD5 !EXP !PSK !SRP !DSS"
>>
>>                 #   A self-signed (snakeoil) certificate can be 
>> created by installing
>>                 #   the ssl-cert package. See
>>                 #   /usr/share/doc/apache2/README.Debian.gz for more 
>> info.
>>                 #   If both key and certificate are stored in the same 
>> file, only the
>>                 #   SSLCertificateFile directive is needed.
>>                 SSLCertificateFile /etc/ssl/private/server.crt
>>                 SSLCertificateKeyFile /etc/ssl/private/server.key
>>                 SSLCACertificatePath /etc/ssl/certs/
>>                 #SSLCACertificateFile 
>> /etc/ssl/certs/PSign_TrustCenter_Root_CA-I.pem
>>                 SSLCACertificateFile /etc/ssl/private/fullchain.crt
>>
>>
>>                 #   Server Certificate Chain:
>>                 #   Point SSLCertificateChainFile at a file containing 
>> the
>>                 #   concatenation of PEM encoded CA certificates which 
>> form the
>>                 #   certificate chain for the server certificate. 
>> Alternatively
>>                 #   the referenced file can be the same as 
>> SSLCertificateFile
>>                 #   when the CA certificates are directly appended to 
>> the server
>>                 #   certificate for convinience.
>>                 #SSLCertificateChainFile 
>> /etc/apache2/ssl.crt/server-ca.crt
>>
>>                 #   Certificate Authority (CA):
>>                 #   Set the CA certificate verification path where to 
>> find CA
>>                 #   certificates for client authentication or 
>> alternatively one
>>                 #   huge file containing all of them (file must be PEM 
>> encoded)
>>                 #   Note: Inside SSLCACertificatePath you need hash 
>> symlinks
>>                 #                to point to the certificate files. 
>> Use the provided
>>                 #                Makefile to update the hash symlinks 
>> after changes.
>>                 #SSLCACertificatePath /etc/ssl/certs/
>>                 #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
>>
>>                 #   Certificate Revocation Lists (CRL):
>>                 #   Set the CA revocation path where to find CA CRLs 
>> for client
>>                 #   authentication or alternatively one huge file 
>> containing all
>>                 #   of them (file must be PEM encoded)
>>                 #   Note: Inside SSLCARevocationPath you need hash 
>> symlinks
>>                 #                to point to the certificate files. 
>> Use the provided
>>                 #                Makefile to update the hash symlinks 
>> after changes.
>>                 #SSLCARevocationPath /etc/apache2/ssl.crl/
>>                 #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
>>
>>                 #   Client Authentication (Type):
>>                 #   Client certificate verification type and depth. 
>> Types are
>>                 #   none, optional, require and optional_no_ca. Depth 
>> is a
>>                 #   number which specifies how deeply to verify the 
>> certificate
>>                 #   issuer chain before deciding the certificate is 
>> not valid.
>>                 #SSLVerifyClient require
>>                 #SSLVerifyDepth  10
>>
>>                 #   SSL Engine Options:
>>                 #   Set various options for the SSL engine.
>>                 #   o FakeBasicAuth:
>>                 #        Translate the client X.509 into a Basic 
>> Authorisation.  This means that
>>                 #        the standard Auth/DBMAuth methods can be used 
>> for access control.  The
>>                 #        user name is the `one line' version of the 
>> client's X.509 certificate.
>>                 #        Note that no password is obtained from the 
>> user. Every entry in the user
>>                 #        file needs this password: `xxj31ZMTZzkVA'.
>>                 #   o ExportCertData:
>>                 #        This exports two additional environment 
>> variables: SSL_CLIENT_CERT and
>>                 #        SSL_SERVER_CERT. These contain the 
>> PEM-encoded certificates of the
>>                 #        server (always existing) and the client (only 
>> existing when client
>>                 #        authentication is used). This can be used to 
>> import the certificates
>>                 #        into CGI scripts.
>>                 #   o StdEnvVars:
>>                 #        This exports the standard SSL/TLS related 
>> `SSL_*' environment variables.
>>                 #        Per default this exportation is switched off 
>> for performance reasons,
>>                 #        because the extraction step is an expensive 
>> operation and is usually
>>                 #        useless for serving static content. So one 
>> usually enables the
>>                 #        exportation for CGI and SSI requests only.
>>                 #   o OptRenegotiate:
>>                 #        This enables optimized SSL connection 
>> renegotiation handling when SSL
>>                 #        directives are used in per-directory context.
>>                 #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
>>                 <FilesMatch "\.(cgi|shtml|phtml|php)$">
>>                                 SSLOptions +StdEnvVars
>>                 </FilesMatch>
>>                 <Directory /usr/lib/cgi-bin>
>>                                 SSLOptions +StdEnvVars
>>                 </Directory>
>>
>>                 #   SSL Protocol Adjustments:
>>                 #   The safe and default but still SSL/TLS standard 
>> compliant shutdown
>>                 #   approach is that mod_ssl sends the close notify 
>> alert but doesn't wait for
>>                 #   the close notify alert from client. When you need 
>> a different shutdown
>>                 #   approach you can use one of the following variables:
>>                 #   o ssl-unclean-shutdown:
>>                 #        This forces an unclean shutdown when the 
>> connection is closed, i.e. no
>>                 #        SSL close notify alert is send or allowed to 
>> received.  This violates
>>                 #        the SSL/TLS standard but is needed for some 
>> brain-dead browsers. Use
>>                 #        this when you receive I/O errors because of 
>> the standard approach where
>>                 #        mod_ssl sends the close notify alert.
>>                 #   o ssl-accurate-shutdown:
>>                 #        This forces an accurate shutdown when the 
>> connection is closed, i.e. a
>>                 #        SSL close notify alert is send and mod_ssl 
>> waits for the close notify
>>                 #        alert of the client. This is 100% SSL/TLS 
>> standard compliant, but in
>>                 #        practice often causes hanging connections 
>> with brain-dead browsers. Use
>>                 #        this only for browsers where you know that 
>> their SSL implementation
>>                 #        works correctly.
>>                 #   Notice: Most problems of broken clients are also 
>> related to the HTTP
>>                 #   keep-alive facility, so you usually additionally 
>> want to disable
>>                 #   keep-alive for those clients, too. Use variable 
>> "nokeepalive" for this.
>>                 #   Similarly, one has to force some clients to use 
>> HTTP/1.0 to workaround
>>                 #   their broken HTTP/1.1 implementation. Use 
>> variables "downgrade-1.0" and
>>                 #   "force-response-1.0" for this.
>>                 # BrowserMatch "MSIE [2-6]" \
>>                 #               nokeepalive ssl-unclean-shutdown \
>>                 #               downgrade-1.0 force-response-1.0
>>
>>
>> # private
>>        Alias /ssl/ /home/www/html-ssl-certs/
>>        <location /ssl/>
>>              SSLVerifyClient require
>>              SSLVerifyDepth       5
>>              SSLOptions +StdEnvVars +ExportCertData
>>              AuthType Basic
>>              AuthName "Protected User access required"
>>              AuthUserFile /etc/apache2/.htpasswd
>>              Require valid-user
>>              DirectoryIndex phpinfo.php
>>              DirectoryIndexRedirect permanent
>>              Order deny,allow
>>              Allow from all
>>       </location>
>>
>>
>>
>> </VirtualHost>
>>
>>
>>
>> log shows:
>>
>> [Tue Jun 29 19:15:43.024571 2021] [socache_shmcb:debug] [pid 241359] 
>> mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0xae -> 
>> subcache 14)
>> [Tue Jun 29 19:15:43.024597 2021] [socache_shmcb:debug] [pid 241359] 
>> mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match
>> [Tue Jun 29 19:15:43.024605 2021] [socache_shmcb:debug] [pid 241359] 
>> mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve 
>> successfully
>> [Tue Jun 29 19:15:43.024632 2021] [ssl:debug] [pid 241359] 
>> ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No 
>> matching SSL virtual host for servername localhost found (using 
>> default/first virtual host)
>> [Tue Jun 29 19:15:43.024700 2021] [ssl:debug] [pid 241359] 
>> ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No 
>> matching SSL virtual host for servername localhost found (using 
>> default/first virtual host)
>> [Tue Jun 29 19:15:43.024711 2021] [core:debug] [pid 241359] 
>> protocol.c(2313): [client 127.0.0.1:57022] AH03155: select protocol 
>> from , choices=h2,http/1.1 for server hp15pw
>> [Tue Jun 29 19:15:43.026143 2021] [ssl:info] [pid 241355] [client 
>> 127.0.0.1:57024] AH01964: Connection to child 0 established (server 
>> hp15pw:443)
>> [Tue Jun 29 19:15:43.026407 2021] [socache_shmcb:debug] [pid 241355] 
>> mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0x07 -> 
>> subcache 7)
>> [Tue Jun 29 19:15:43.026424 2021] [socache_shmcb:debug] [pid 241355] 
>> mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match
>> [Tue Jun 29 19:15:43.026429 2021] [socache_shmcb:debug] [pid 241355] 
>> mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve 
>> successfully
>> [Tue Jun 29 19:15:43.026449 2021] [ssl:debug] [pid 241355] 
>> ssl_engine_kernel.c(2387): [client 127.0.0.1:57024] AH02044: No 
>> matching SSL virtual host for servername localhost found (using 
>> default/first virtual host)
>> [Tue Jun 29 19:15:43.026489 2021] [ssl:debug] [pid 241355] 
>> ssl_engine_kernel.c(2387): [client 127.0.0.1:57024] AH02044: No 
>> matching SSL virtual host for servername localhost found (using 
>> default/first virtual host)
>> [Tue Jun 29 19:15:43.026497 2021] [core:debug] [pid 241355] 
>> protocol.c(2313): [client 127.0.0.1:57024] AH03155: select protocol 
>> from , choices=h2,http/1.1 for server hp15pw
>> [Tue Jun 29 19:15:43.321198 2021] [ssl:debug] [pid 241359] 
>> ssl_engine_kernel.c(2254): [client 127.0.0.1:57022] AH02041: Protocol: 
>> TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
>> [Tue Jun 29 19:15:43.323322 2021] [ssl:debug] [pid 241359] 
>> ssl_engine_kernel.c(415): [client 127.0.0.1:57022] AH02034: Initial 
>> (No.1) HTTPS request received for child 4 (server hp15pw:443)
>> [Tue Jun 29 19:15:43.323413 2021] [ssl:debug] [pid 241355] 
>> ssl_engine_kernel.c(2254): [client 127.0.0.1:57024] AH02041: Protocol: 
>> TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
>> [Tue Jun 29 19:15:43.323733 2021] [ssl:debug] [pid 241359] 
>> ssl_engine_kernel.c(782): [client 127.0.0.1:57022] AH02255: Changed 
>> client verification type will force renegotiation
>> [Tue Jun 29 19:15:43.323837 2021] [ssl:info] [pid 241359] [client 
>> 127.0.0.1:57022] AH02221: Requesting connection re-negotiation
>> [Tue Jun 29 19:15:43.323893 2021] [ssl:debug] [pid 241359] 
>> ssl_engine_kernel.c(984): [client 127.0.0.1:57022] AH02260: Performing 
>> full renegotiation: complete handshake protocol (client does support 
>> secure renegotiation)
>> [Tue Jun 29 19:15:43.324148 2021] [ssl:debug] [pid 241359] 
>> ssl_engine_kernel.c(2254): [client 127.0.0.1:57022] AH02041: Protocol: 
>> TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
>> [Tue Jun 29 19:15:43.324265 2021] [ssl:info] [pid 241359] [client 
>> 127.0.0.1:57022] AH02226: Awaiting re-negotiation handshake
>> [Tue Jun 29 19:15:43.324869 2021] [ssl:debug] [pid 241359] 
>> ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No 
>> matching SSL virtual host for servername localhost found (using 
>> default/first virtual host)
>> [Tue Jun 29 19:15:43.331104 2021] [ssl:error] [pid 241359] [client 
>> 127.0.0.1:57022] AH02261: Re-negotiation handshake failed
>> [Tue Jun 29 19:15:43.331256 2021] [ssl:debug] [pid 241359] 
>> ssl_engine_io.c(1368): (70014)End of file found: [client 
>> 127.0.0.1:57022] AH02007: SSL handshake interrupted by system [Hint: 
>> Stop button pressed in browser?!]
>> [Tue Jun 29 19:15:43.331328 2021] [ssl:info] [pid 241359] [client 
>> 127.0.0.1:57022] AH01998: Connection closed to child 4 with abortive 
>> shutdown (server hp15pw:443)
>> [Tue Jun 29 19:15:45.526753 2021] [ssl:info] [pid 241355] (70014)End 
>> of file found: [client 127.0.0.1:57024] AH01991: SSL input filter read 
>> failed.
>> [Tue Jun 29 19:15:45.527179 2021] [ssl:debug] [pid 241355] 
>> ssl_engine_io.c(1102): [client 127.0.0.1:57024] AH02001: Connection 
>> closed to child 0 with standard shutdown (server hp15pw:443)
>> [Tue Jun 29 19:15:45.537952 2021] [ssl:info] [pid 241357] [client 
>> 127.0.0.1:57026] AH01964: Connection to child 2 established (server 
>> hp15pw:443)
>> [Tue Jun 29 19:15:45.538859 2021] [socache_shmcb:debug] [pid 241357] 
>> mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0x68 -> 
>> subcache 8)
>> [Tue Jun 29 19:15:45.538910 2021] [socache_shmcb:debug] [pid 241357] 
>> mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match
>> [Tue Jun 29 19:15:45.538929 2021] [socache_shmcb:debug] [pid 241357] 
>> mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve 
>> successfully
>> [Tue Jun 29 19:15:45.538994 2021] [ssl:debug] [pid 241357] 
>> ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No 
>> matching SSL virtual host for servername localhost found (using 
>> default/first virtual host)
>> [Tue Jun 29 19:15:45.539162 2021] [ssl:debug] [pid 241357] 
>> ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No 
>> matching SSL virtual host for servername localhost found (using 
>> default/first virtual host)
>> [Tue Jun 29 19:15:45.539188 2021] [core:debug] [pid 241357] 
>> protocol.c(2313): [client 127.0.0.1:57026] AH03155: select protocol 
>> from , choices=h2,http/1.1 for server hp15pw
>> [Tue Jun 29 19:15:45.574552 2021] [ssl:debug] [pid 241357] 
>> ssl_engine_kernel.c(2254): [client 127.0.0.1:57026] AH02041: Protocol: 
>> TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
>> [Tue Jun 29 19:15:45.589868 2021] [ssl:debug] [pid 241357] 
>> ssl_engine_kernel.c(415): [client 127.0.0.1:57026] AH02034: Initial 
>> (No.1) HTTPS request received for child 2 (server hp15pw:443)
>> [Tue Jun 29 19:15:45.590043 2021] [ssl:debug] [pid 241357] 
>> ssl_engine_kernel.c(782): [client 127.0.0.1:57026] AH02255: Changed 
>> client verification type will force renegotiation
>> [Tue Jun 29 19:15:45.590051 2021] [ssl:info] [pid 241357] [client 
>> 127.0.0.1:57026] AH02221: Requesting connection re-negotiation
>> [Tue Jun 29 19:15:45.590124 2021] [ssl:debug] [pid 241357] 
>> ssl_engine_kernel.c(984): [client 127.0.0.1:57026] AH02260: Performing 
>> full renegotiation: complete handshake protocol (client does support 
>> secure renegotiation)
>> [Tue Jun 29 19:15:45.590251 2021] [ssl:debug] [pid 241357] 
>> ssl_engine_kernel.c(2254): [client 127.0.0.1:57026] AH02041: Protocol: 
>> TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
>> [Tue Jun 29 19:15:45.590261 2021] [ssl:info] [pid 241357] [client 
>> 127.0.0.1:57026] AH02226: Awaiting re-negotiation handshake
>> [Tue Jun 29 19:15:45.590535 2021] [ssl:debug] [pid 241357] 
>> ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No 
>> matching SSL virtual host for servername localhost found (using 
>> default/first virtual host)
>> [Tue Jun 29 19:15:45.592237 2021] [socache_shmcb:debug] [pid 241357] 
>> mod_socache_shmcb.c(555): AH00837: socache_shmcb_remove (0x4c -> 
>> subcache 12)
>> [Tue Jun 29 19:15:45.592290 2021] [socache_shmcb:debug] [pid 241357] 
>> mod_socache_shmcb.c(570): AH00839: leaving socache_shmcb_remove 
>> successfully
>> [Tue Jun 29 19:15:45.592363 2021] [ssl:error] [pid 241357] [client 
>> 127.0.0.1:57026] AH02261: Re-negotiation handshake failed
>> [Tue Jun 29 19:15:45.592456 2021] [ssl:error] [pid 241357] SSL Library 
>> Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer 
>> did not return a certificate -- No CAs known to server for verification?
>> [Tue Jun 29 19:15:45.592643 2021] [ssl:debug] [pid 241357] 
>> ssl_engine_io.c(1368): [client 127.0.0.1:57026] AH02007: SSL handshake 
>> interrupted by system [Hint: Stop button pressed in browser?!]
>> [Tue Jun 29 19:15:45.592662 2021] [ssl:info] [pid 241357] [client 
>> 127.0.0.1:57026] AH01998: Connection closed to child 2 with abortive 
>> shutdown (server hp15pw:443)
>> root at hp15pw:/var/log/apache2#
>>
>> Any cue? I'm not being able to find out what is wrong.
>>
>> Thx in advance.
>>
>>
>>
> 


More information about the openssl-users mailing list