Browser not asking for client certificate when CA is set in Apache - apache

UPDATED:
I updated my CA to match the CA that my client certificate was issued from and my browser now prompts me to choose a certificate (and the correct certificate is listed) but the error "ERR_BAD_SSL_CLIENT_AUTH_CERT" persists.
OLD MESSAGE:
I need to make a certificate authentication with Apache.
My problem is that no certificate list pops up when the CA is set in Apache. However, not setting it brings the popup and allows me to select a certificate... but of course the authentication doesn't work and brings the following error:
ERR_BAD_SSL_CLIENT_AUTH_CERT
The configuration I have is the following:
ssl.conf:
SSLEngine on
SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite HIGH:MEDIUM
SSLCACertificateFile /etc/httpd/ca.cer
SSLCARevocationFile /etc/httpd/crl.pem
SSLCARevocationCheck chain
SSLVerifyClient optional
SSLVerifyDepth 10
SSLOptions +StdEnvVars
SSLUserName SSL_CLIENT_S_DN_CN
vhost:
Include ssl.conf
SSLCertificateFile /etc/httpd/sub.domain.crt
SSLCertificateKeyFile /etc/httpd/sub.domain.key
The CA is also installed on my computer along with my client certificate, ready to be used.
There's nothing in the logs, just a line mentioning a closed SSL connection.
Been searching for a while and I can't find what could be causing this.

Alright so first the SSLVerifyDepth parameter wasn't properly set. I was able to find this by checking Apache's ssl_error_log file.
And second, the log file was saying that the CRL was not reachable. Even if I set what I thought was the correct CRL... but I actually forgot the CRL of the CA that is above the client's CA!
Thanks again for helping me with checking the CA, case closed!

Related

How to debug SSL Client authentication on Apache web server

Error is "SSL Library Error: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate -- No CAs known to server for verification?"
Configuration:
SSLCertificateFile /etc/letsencrypt/live/mysite/fullchain.pem
SSLCertificateChainFile same as above
SSLCertificateKeyFile /etc/letsencrypt/live/mysite/privkey.pem
SSLCACertificateFile my own self-signed CA cert file appended to fullchain.pem
SSLVerifyDepth 10
I have verified my self-signed client cert against my self-signed CA, and installed it in my browser (Chrome and Firefox).
I have tried:
SSLCACertificateFile containing only my self-signed CA cert
without SSLCertificateChainFile (which seems redundant to me)
but always get the same error.
LogLevel warn ssl:debug and LogLevel warn ssl:trace6 don't provide any further clues.
So, to debug this, I need to see the server-client conversation in plain text but, of course, the connection is encrypted.
What tools are available? How do the browser developers debug problems like this?
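The two findings in the self-answer above (the verify depth was not set to fit the client's chain, and the CRL of the CA above the client's issuing CA was missing) can both be reproduced offline with the openssl CLI before touching Apache, which also answers the question of how to see what the server's verifier is doing without decrypting traffic. The script below is an added example, not code from either post: it builds a throwaway root CA, an issuing CA and a client certificate (all names constructed here), issues an empty CRL for each CA, and then runs `openssl verify` with the depth limit and with `-crl_check_all`, which is the same OpenSSL flag that `SSLCARevocationCheck chain` sets. It assumes only that `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example (not code from the original posts): a throwaway two-level CA
# built with openssl to reproduce, with `openssl verify`, the two causes named
# in the self-answer: a verify depth that is too small for the client's chain,
# and a missing CRL for the CA above the client's issuing CA when every CA in
# the chain is revocation-checked (what SSLCARevocationCheck chain does).
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal openssl configuration shared by "req" and "ca" (constructed here).
cat > ossl.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
default_md = sha256
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ ca ]
default_ca = crl_ca
[ crl_ca ]
dir = .
database = $dir/index.txt
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 30
EOF

# Root CA, intermediate (the client's issuing CA) and a client certificate.
mkdir root inter
openssl genrsa -out root/ca.key 2048 2>/dev/null
openssl req -x509 -new -key root/ca.key -config ossl.cnf -extensions v3_ca \
  -subj "/CN=Example Root CA" -days 30 -out root/ca.pem
openssl genrsa -out inter/ca.key 2048 2>/dev/null
openssl req -new -key inter/ca.key -config ossl.cnf -subj "/CN=Example Issuing CA" -out inter/ca.csr
openssl x509 -req -in inter/ca.csr -CA root/ca.pem -CAkey root/ca.key -CAcreateserial \
  -days 30 -extfile ossl.cnf -extensions v3_ca -out inter/ca.pem 2>/dev/null
openssl genrsa -out client.key 2048 2>/dev/null
openssl req -new -key client.key -config ossl.cnf -subj "/CN=alice" -out client.csr
openssl x509 -req -in client.csr -CA inter/ca.pem -CAkey inter/ca.key -CAcreateserial \
  -days 30 -extfile ossl.cnf -extensions v3_client -out client.pem 2>/dev/null

# One (empty) CRL per CA: chain-wide revocation checking needs all of them.
for d in root inter; do
  touch "$d/index.txt"; echo 01 > "$d/crlnumber"
  (cd "$d" && openssl ca -config ../ossl.cnf -gencrl -out crl.pem 2>/dev/null)
done
cat inter/crl.pem > only-client-ca.crl        # what the poster first configured
cat root/crl.pem inter/crl.pem > all-cas.crl  # issuing CA CRL plus root CRL (the fix)

# verify_chain DEPTH: succeeds only if the client's chain fits within DEPTH.
verify_chain() {
  openssl verify -verify_depth "$1" -CAfile root/ca.pem -untrusted inter/ca.pem client.pem >/dev/null 2>&1
}
# verify_with_crls CRLFILE: succeeds only if every CA in the chain has a CRL.
verify_with_crls() {
  openssl verify -crl_check_all -CRLfile "$1" -CAfile root/ca.pem -untrusted inter/ca.pem client.pem >/dev/null 2>&1
}

for depth in 0 2; do
  if verify_chain "$depth"; then echo "verify_depth $depth: accepted"; else echo "verify_depth $depth: rejected (chain too long)"; fi
done
for crl in only-client-ca.crl all-cas.crl; do
  if verify_with_crls "$crl"; then echo "$crl: accepted"; else echo "$crl: rejected (a CA in the chain has no CRL)"; fi
done
```

Depth 0 and 2 are used because OpenSSL 1.1.0 changed how the limit is counted (it now counts intermediate CAs only); with one intermediate the result is the same on both old and new releases. The rejection with `only-client-ca.crl` is the "CRL not reachable" condition from the self-answer: with chain-wide checking the issuing CA itself is checked against its issuer's CRL, so the root's CRL must be in `SSLCARevocationFile` too. Running the same `openssl verify` against the real client certificate, CA file and CRL file is a quick way to confirm the server-side verification result without any packet decryption.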

SSL certificate not trusted in all web browsers. Intermediate not working?

My site https://uberdice.com works fine for me with no SSL related errors or warnings.
However a few of my users have informed me they are getting SSL related warnings. I believe I have installed everything correctly. Below you can see the apache2.conf file:
<VirtualHost *:443>
DocumentRoot /var/www/
ServerName uberdice.com
SSLEngine on
SSLCertificateFile /path/uberdice.com.crt
SSLCertificateKeyFile /path/uberdice.com.key
SSLCertificateChainFile /path/intermediate.crt
</VirtualHost>
All files are in the same directory. I have also tried using the SSLCACertificateFile directive.
Yet when I run a check on: https://www.sslshopper.com/ssl-checker.html#hostname=https://uberdice.com it would appear to fail to connect to a root certificate. Presumably from a faulty intermediate certificate.
I am using RapidSSL and this bundle code for the intermediate certificate https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26464.
Does anyone have any ideas what is going wrong?
Thanks.
You are sending the wrong intermediate certificates, and it only works in your browser because you either have cached the right certificates from visits to other sites using the same chain or because the browser is actively downloading the missing certificates (Chrome on desktop might do, Firefox not).
Have a look at the trust path information in the analysis from SSLLabs and you will see:
Chain issues Incomplete, Extra certs
That's the problem you need to resolve, i.e. remove the wrong chain certificate and add the right one. For more information look at the "Certification Path" information in the analysis. In short: instead of "RapidSSL CA" you need "RapidSSL SHA256 CA - G3".

Puppet External Certificate: Master Is Not A CA

I am actually trying to see if Puppet can use external certificates because my organization's info security department has come out with a stronger security certificate that I've asked them for a set to see if it works or not. I still intend to have the puppetmaster issue certs, but the two certs to other agents by behaving the same thing as the normal way of the master issuing certs and autosign them.
The set comprises something like the following:
ABCROOTCA2015.pem – ABC Root CA 2015 certificate
ABCSERVERCA2015.pem – ABC Server CA 2015 certificate
puppet2-64.abc.local.p12 (server)
- private key and certificate of glpi-49.abc.local
- password: ###
glpi-49.abc.local.p12 (agent)
- private key and certificate of 10.5.137.175
- password: ###
Since external certs require Apache Passenger to work on this, I've installed Apache Passenger. These two certs above have been placed into their respective folders (/var/lib/puppet/ssl/certs, with another copy of the server cert placed in the /private_keys folder).
Given the two certificate files above, this is my configuration file, Apache end, stored at "/etc/apache2/sites-enabled/puppetmaster" (this is for Ubuntu):
<VirtualHost *:8140>
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /var/lib/puppet/ssl/certs/mimosserverca2015.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/mimosserverca2015.pem
#SSLCertificateChainFile /var/lib/puppet/ssl/certs/mimosrootca2015.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/mimosrootca2015.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
# The `ExportCertData` option is needed for agent certificate expiration warnings
SSLOptions +StdEnvVars +ExportCertData
# This header needs to be set if using a loadbalancer or proxy
RequestHeader unset X-Forwarded-For
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
#RackBaseURI /
<Directory /usr/share/puppet/rack/puppetmasterd>
Options None
AllowOverride None
# Apply the right behavior depending on Apache version.
Order allow,deny
Allow from all
</Directory>
#Misc
LoadModule passenger_module /var/lib/gems/1.8/gems/passenger-4.0.53/xxx.so
PassengerRoot /var/lib/gems/1.8/gems/passenger-4.0.53
PassengerRuby /usr/bin/ruby1.8
ErrorLog /var/log/apache2/puppetmaster_ssl_error.log
CustomLog /var/log/apache2/puppetmaster_ssl_access.log combined
</VirtualHost>
For the puppet.conf at the puppetmaster. I only added the following additional lines:
[main]
ca_server = puppet2-64.mimos.local
[master]
ca = false
certname = mimosserverca2015
For one of the agents that is to be tested for this, I've added a ca_server thing in the agent's puppet configuration file. The webrick puppetmaster service has been turned off as the apache2 service has been turned on.
When the agent is executed, Error 400 is shown with the sub-message Master is not a CA.
If I've already defined the host and local root cert inside the puppetmaster file in apache2 folder, shouldn't I be getting the same function as it was usually?
Or is because that the puppetmaster will not take the custom certificate file as its own such that we have to rename that file?
So far I've checked around, but there's not much of material to be checked upon, unless there's steps that might not match my CA setup.
Can anyone help enlighten on this issue? Thanks a lot!
M
The error Master is not a CA is caused by the certificate authority function on your Puppet master being disabled, which you're explicitly doing by specifying ca = false in puppet.conf under [master].
Using an external CA is well-covered in the SSL Configuration: External CA Support document. However it includes the following caveat, which is incompatible with your requirement that, "I still intend to have the puppetmaster issue certs, but the two certs to other agents by behaving the same thing as the normal way of the master issuing certs and autosign them."
These configurations are all-or-nothing rather than mix-and-match.
When using an external CA, the built in Puppet CA service must be
disabled and cannot be used to issue SSL certificates.
Additionally, Puppet cannot automatically distribute certificates in
these configurations — you must have your own complete system for
issuing and distributing certificates.
Simply put, when using an external CA with Puppet, you're responsible for signing and distributing the certificates.
(While you could try removing ca = false, it's quite possible that you'll run into problems as it's an unsupported configuration.)
If you put a signed agent cert on your agent system, either replacing the default paths or additionally specifying the host* configuration options, then the agent shouldn't attempt to use the (disabled) CA functions of the Puppet master.

Untrusted certificate - Apache & StartSSL

Trying to set up SSL on Apache (on AWS Linux). Firefox gives me these details in its nastygram:
The certificate is not trusted because it is self-signed.
The certificate is only valid for ip-###-##-#-##
I'm currently working under the assumption that this is a problem with the ChainFile or CA cert - quite possibly because I don't have the correct info in httpd.conf. Can you comment on the code below or let me know where else to look for the error?
httpd.conf:
<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName https://###-##-#-##
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /home/ec2-user/StartSSLcert.pem
SSLCertificateKeyFile /home/ec2-user/StartSSLkey.pem
SSLCertificateChainFile /home/ec2-user/sub.class1.server.sha1.ca.pem
SSLCACertificateFile /home/ec2-user/ca.pem
</VirtualHost>
This page has been my primary reference: http://www.startssl.com/?app=21 However, it includes many lines of code not in other examples I've found online with no description of what they do.
I've been guess-and-checking between the example above and a simpler example like: http://www.sslshopper.com/apache-server-ssl-installation-instructions.html
Everything I try is either untrusted by Firefox or I get errors when restarting apache. Ideas?
By default, the SSL settings in:
/etc/httpd/conf.d/ssl.conf
override the corresponding block in:
/etc/httpd/conf/httpd.conf
When using AWS you need to edit ssl.conf.
"The certificate is only valid for ip-###-##-#-##"
credit due here:
Cannot setup SSL keys on my apache server in AWS EC2
If your server has more than one IP address, replace the * with the IP address inside ""
See: http://httpd.apache.org/docs/2.4/mod/core.html#virtualhost
What's more, make sure you create your private key and CSR correctly.
See: https://library.linode.com/security/ssl-certificates/commercial#sph_create-a-certificate-signing-request

Difference Between SSLCACertificateFile and SSLCertificateChainFile

I provide SSL pages on my web server, and I have a question.
What is the difference between SSLCACertificateFile and SSLCertificateChainFile?
When I use SSLCertificateChainFile, I get warnings from a Japanese cellular phone browser, but when I use a PC browser (like IE, FF), there is no problem.
On the other hand, SSLCACertificateFile doesn't cause any problem for either browser.
Is there any difference when browsers connect to Apache?
SSLCertificateChainFile was a correct option to choose but this directive became obsolete as of Apache 2.4.8. This directive caused the listed file to be sent along with the certificate to any clients that connect.
SSLCACertificateFile (hereafter "CACert") supersedes SSLCertificateChainFile (hereafter "Chain"), and additionally permits the use of the cert in question to sign client certificates. This sort of authentication is quite rare (at least for the moment), and if you aren't using it, there's IMHO no reason to augment its functionality by using CACert instead of Chain. On the flipside, one could argue that there's no harm in the additional functionality, and CACert covers all cases. Both arguments are valid.
Needless to say, if you ask the cert vendor, they'll always push for CACert over Chain, since it gives them another thing (client certs) that they can potentially sell you down the line. ;)
Actually, both may be valid options.
Use SSLCertificateChainFile to publish your certificate signed by public certificate authority (VeriSign, RapidSSL, etc.)
Use SSLCACertificateFile to provide your 'private' CA, that can issue client certificates, that you can distribute to some selected users. These client certificates are actually great for authentication (compared with the basic password authentication), and typically are not required to be distributed by a public CA (hence you can save some money).
So, if you want to add secure authorization to some portion of your web site, do this:
<Directory /var/www/html/authorized>
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +StrictRequire
SSLUserName SSL_CLIENT_S_DN_CN
SSLRequireSSL
</Directory>
Just as a short explanation: SSLUserName SSL_CLIENT_S_DN_CN will set the authenticated user name to the certificate's CommonName, rather than the whole X.509 '/OU=Foo/CN=...' subject.
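Whichever directive carries the intermediates (SSLCertificateChainFile, or, on 2.4.8 and later, the chain appended to SSLCertificateFile), the file has to be the right intermediate in the right order, which is exactly what the "Chain issues: Incomplete, Extra certs" finding in the uberdice.com answer above was about. The script below is an added example, not code from any of the answers: it builds a constructed root, issuing CA, an unrelated CA and a server leaf with openssl (all names made up), then walks a bundle file certificate by certificate, checks that each one was issued by the one after it, and verifies the bundle against the trust store. It assumes only that `openssl` and `awk` are available.

```shell
#!/bin/sh
# Added example, not code from any of the answers. It checks a PEM bundle of
# the kind handed to Apache: prints subject and issuer of every certificate,
# checks that each is issued by the next one, and verifies that the bundle
# chains to a trusted root. Both "Incomplete" and "Extra certs" are caught
# locally, before a scanner reports them. All certificates are constructed here.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
default_md = sha256
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# mkcert NAME CN ISSUER EXTSECTION   (ISSUER "" means a self-signed root)
mkcert() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  if [ -z "$3" ]; then
    openssl req -x509 -new -key "$1.key" -config ext.cnf -extensions "$4" \
      -subj "/CN=$2" -days 30 -out "$1.pem"
  else
    openssl req -new -key "$1.key" -config ext.cnf -subj "/CN=$2" -out "$1.csr"
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial -days 30 \
      -extfile ext.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
  fi
}
mkcert root  "Example Root CA"      ""    v3_ca
mkcert inter "Example Issuing CA"   root  v3_ca
mkcert other "Unrelated Issuing CA" root  v3_ca      # a real CA, but not the leaf's issuer
mkcert leaf  "www.example.test"     inter v3_server

# dn subject|issuer FILE: the DN without the "subject=" / "issuer=" label
dn() { openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'; }

# check_chain_file BUNDLE TRUSTED_ROOTS: returns 0 only if every link in the
# bundle holds and the bundle verifies against the trust store.
check_chain_file() {
  rm -rf split; mkdir split
  count=$(awk '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > ("split/" n ".pem")} END{print n+0}' "$1")
  status=0; i=1
  while [ "$i" -le "$count" ]; do
    echo "cert $i: subject=$(dn subject "split/$i.pem") issuer=$(dn issuer "split/$i.pem")"
    if [ "$i" -lt "$count" ] && [ "$(dn issuer "split/$i.pem")" != "$(dn subject "split/$((i+1)).pem")" ]; then
      echo "  broken link: cert $i was not issued by cert $((i+1)) (wrong or extra certificate)"
      status=1
    fi
    i=$((i+1))
  done
  if openssl verify -CAfile "$2" -untrusted "$1" split/1.pem >/dev/null 2>&1; then
    echo "  chain verifies against $2"
  else
    echo "  chain does not verify against $2 (incomplete chain?)"; status=1
  fi
  return $status
}

cat leaf.pem inter.pem > good.pem              # what the server should send
cat leaf.pem other.pem > wrong.pem             # wrong intermediate: "Incomplete, Extra certs"
cat leaf.pem inter.pem other.pem > extra.pem   # verifies, but ships a useless certificate
cp leaf.pem incomplete.pem                     # no intermediate at all
for f in good.pem wrong.pem extra.pem incomplete.pem; do
  echo "== $f"; check_chain_file "$f" root.pem || echo "  -> $f needs fixing"
done
```

Note that `extra.pem` passes `openssl verify` on its own, since the verifier simply ignores the certificate it does not need; only the link walk flags it. That is the case a scanner reports as "Extra certs" and a browser that does not fetch missing intermediates reports as untrusted when the extra certificate has displaced the right one.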