How to debug SSL Client authentication on Apache web server - apache

Error is "SSL Library Error: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate -- No CAs known to server for verification?"
Configuration:
SSLCertificateFile /etc/letsencrypt/live/mysite/fullchain.pem
SSLCertificateChainFile same as above
SSLCertificateKeyFile /etc/letsencrypt/live/mysite/privkey.pem
SSLCACertificateFile my own self-signed CA cert file appended to fullchain.pem
SSLVerifyDepth 10
I have verified my self-signed client cert against my self-signed CA, and installed it in my browser (Chrome and Firefox).
I have tried:
SSLCACertificateFile containing only my self-signed CA cert
without SSLCertificateChainFile (which seems redundant to me)
but always get the same error.
LogLevel warn ssl:debug and LogLevel warn ssl:trace6 don't provide any further clues.
So, to debug this, I need to see the server-client conversation in plain text but, of course, the connection is encrypted.
What tools are available? How do the browser developers debug problems like this?

Related

Apache SSL Verify Authority Setup

I am confused with SSL certificates on apache. I have the SSL vhost setup in /etc/httpd/conf.d/ssl.conf which works fine, but when I try to use wget from another server to pull down some files I get "Unable to locally verify the issuer's authority."
The SSL was bought from cheapsslsecurity.com and the zip comes with multiple CRT files and I'm not sure what is what.
So we have the following files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationecureServerCA.crt
STAR_websitenamehere_com.crt
The vhost is currently setup like this:
SSLCertificateFile /etc/pki/tls/certs/STAR_websitenamehere_com.crt
SSLCertificateKeyFile /etc/pki/tld/private/websitenamehere.com.key
SSLCACertificateFile [I have tried all of them here except the STAR_ one and still the same error with wget]
The main SSL works in the web browser, but nothing I do seems to allow wget to pull anything without producing an error.

Browser not asking for client certificate when CA is set in Apache

UPDATED:
I updated my CA to match the CA that my client certificate was issued from and my browser now prompts me to choose a certificate (and the correct certificate is listed) but the error "ERR_BAD_SSL_CLIENT_AUTH_CERT" persists.
OLD MESSAGE:
I need to set up certificate authentication with Apache.
My problem is that no certificate list pops up when the CA is set in Apache. However, not setting it brings the popup and allows me to select a certificate... but of course the authentication doesn't work and brings the following error:
ERR_BAD_SSL_CLIENT_AUTH_CERT
The configuration I have is the following:
ssl.conf:
SSLEngine on
SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite HIGH:MEDIUM
SSLCACertificateFile /etc/httpd/ca.cer
SSLCARevocationFile /etc/httpd/crl.pem
SSLCARevocationCheck chain
SSLVerifyClient optional
SSLVerifyDepth 10
SSLOptions +StdEnvVars
SSLUserName SSL_CLIENT_S_DN_CN
vhost:
Include ssl.conf
SSLCertificateFile /etc/httpd/sub.domain.crt
SSLCertificateKeyFile /etc/httpd/sub.domain.key
The CA is also installed on my computer along with my client certificate, ready to be used.
There's nothing in the logs, just a line mentioning a closed SSL connection.
Been searching for a while and I can't find what could be causing this.
Alright so first the SSLVerifyDepth parameter wasn't properly set. I was able to find this by checking Apache's ssl_error_log file.
And second, the log file was saying that the CRL was not reachable. Even if I set what I thought was the correct CRL... but I actually forgot the CRL of the CA that is above the client's CA!
Thanks again for helping me with checking the CA, case closed!

How to install RapidSSL ssl certificate and CA-Bundle on DigitalOcean server?

I edited '/etc/apache-sites-enabled/default-ssl.conf' to include the following:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/mydomain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/mydomain.com.key
SSLCertificateChainFile /etc/apache2/ssl/mydomain.com.ca-bundle
The files exist and contain the relevant blocks from my RapidSSL. SSL is enabled via a2enmod ssl; I have also checked the port is open and checked the error log.
The apache error log is clear and http is accessible.
When I visit the site I get this message in Chrome:
SSL connection error
ERR_SSL_PROTOCOL_ERROR
Hide details
Unable to make a secure connection to the server. This may be a problem with the server or it may be requiring a client authentication certificate that you don't have.
To me it seems to be pointing to the CA Bundle being not seen?

SSL certificate not trusted in all web browsers. Intermediate not working?

My site https://uberdice.com works fine for me with no SSL related errors or warnings.
However a few of my users have informed me they are getting SSL related warnings. I believe I have installed everything correctly. Below you can see the apache2.conf file:
<VirtualHost *:443>
DocumentRoot /var/www/
ServerName uberdice.com
SSLEngine on
SSLCertificateFile /path/uberdice.com.crt
SSLCertificateKeyFile /path/uberdice.com.key
SSLCertificateChainFile /path/intermediate.crt
</VirtualHost>
All files are in the same directory. I have also tried using the SSLCACertificateFile directive.
Yet when I run a check on: https://www.sslshopper.com/ssl-checker.html#hostname=https://uberdice.com it would appear to fail to connect to a root certificate. Presumably from a faulty intermediate certificate.
I am using RapidSSL and this bundle code for the intermediate certificate https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26464.
Does anyone have any ideas what is going wrong?
Thanks.
You are sending the wrong intermediate certificates and it only works in your browser because you either have cached the right certificates from visits to other sites using the same chain or because the browser is actively downloading the missing certificates (Chrome on desktop might do, Firefox not).
Have a look at the trust path information in the analysis from SSLLabs and you will see:
Chain issues Incomplete, Extra certs
That's the problem you need to resolve, i.e. remove the wrong chain certificate and add the right one. For more information look at the "Certification Path" information in the analysis. In short: instead of "RapidSSL CA" you need "RapidSSL SHA256 CA - G3".
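The two failure modes on this page, the client-certificate CA mismatch in the first question ("peer did not return a certificate") and the incomplete server chain in this one (the same thing behind the wget "Unable to locally verify the issuer's authority" error above), can be reproduced offline with Go's crypto/tls, which applies the same handshake rules as Apache's mod_ssl. The program below is an added example, not code from any poster on this page or from the Apache project. It builds a throw-away PKI in memory (a root and intermediate standing in for the Let's Encrypt or RapidSSL chain, a separate self-signed client CA, and a client certificate for "alice"), then runs three loopback handshakes: the server's ClientCAs pool plays the role of SSLCACertificateFile and the client's RootCAs pool plays the role of the browser's trust store. The names mysite.example and alice, and every certificate, are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a certificate for name, signed by parent (self-signed when parent is nil); the whole PKI is constructed in memory.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // end-entity certs carry a SAN for hostname checks
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// pool is the in-memory counterpart of a CA file (SSLCACertificateFile, or the browser's root store).
func pool(cas ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range cas {
		p.AddCert(c)
	}
	return p
}

// handshake runs one TLS handshake over loopback TCP: the server requires a client certificate verified
// against clientCAs, the client trusts roots for the server. Both sides' errors are returned.
func handshake(server tls.Certificate, clientCAs, roots *x509.CertPool, client tls.Certificate) (clientErr, serverErr error) {
	srv := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
	cli := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: roots, ServerName: "mysite.example"}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			sc := tls.Server(raw, srv)
			err = sc.Handshake()
			sc.Close()
		}
		done <- err
	}()
	cc := tls.Client(must(net.Dial("tcp", ln.Addr().String())), cli)
	if clientErr = cc.Handshake(); clientErr == nil {
		cc.Read(make([]byte, 1)) // a TLS 1.3 client finishes first; wait here for the server's verdict
	}
	cc.Close()
	return clientErr, <-done
}

// Scenarios replays the configurations discussed above; a nil error means the handshake succeeded.
func Scenarios() map[string]error {
	root, rootKey := issue("Public Root CA (stand-in)", true, nil, nil)
	inter, interKey := issue("Public Intermediate CA (stand-in)", true, root, rootKey)
	site, siteKey := issue("mysite.example", false, inter, interKey)
	clientCA, caKey := issue("My Self-Signed Client CA", true, nil, nil)
	user, userKey := issue("alice", false, clientCA, caKey)
	fullchain := tls.Certificate{Certificate: [][]byte{site.Raw, inter.Raw}, PrivateKey: siteKey} // fullchain.pem order
	leafOnly := tls.Certificate{Certificate: [][]byte{site.Raw}, PrivateKey: siteKey}            // intermediate left out
	alice := tls.Certificate{Certificate: [][]byte{user.Raw}, PrivateKey: userKey}
	// SSLCACertificateFile names the CA that issued the client cert: client auth succeeds.
	_, listed := handshake(fullchain, pool(clientCA), pool(root), alice)
	// Only the server chain's CAs are listed: the client sees no acceptable issuer in the CertificateRequest, sends no certificate, and the server reports "peer did not return a certificate".
	_, missing := handshake(fullchain, pool(root, inter), pool(root), alice)
	// The intermediate is not served: the browser cannot build a path to its root ("Chain issues: Incomplete").
	noInter, _ := handshake(leafOnly, pool(clientCA), pool(root), alice)
	return map[string]error{"client CA listed": listed, "client CA missing": missing, "intermediate missing": noInter}
}

func main() { fmt.Println(Scenarios()) }
```

The second scenario is why the server-side log says the peer did not return a certificate rather than that the certificate was bad: the issuer DNs from SSLCACertificateFile are advertised in the CertificateRequest, and a browser whose client certificate was not issued by one of those DNs simply never sends it (which is also why the certificate picker may not appear at all). On a real server the corresponding checks are `openssl verify -CAfile <your SSLCACertificateFile> client.pem` for the client side and `openssl s_client -connect host:443 -showcerts` (or the SSLLabs "Certification Path" view named in the answer above) for the served chain.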

Puppet External Certificate: Master Is Not A CA

I am actually trying to see if Puppet can use external certificates because my organization's info security department has come out with a stronger security certificate, so I've asked them for a set to see if it works or not. I still intend to have the puppetmaster issue certs, but the two certs to other agents by behaving the same thing as the normal way of the master issuing certs and autosign them.
The set comprises something like the following:
ABCROOTCA2015.pem – ABC Root CA 2015 certificate
ABCSERVERCA2015.pem – ABC Server CA 2015 certificate
puppet2-64.abc.local.p12 (server)
- private key and certificate of glpi-49.abc.local
- password: ###
glpi-49.abc.local.p12 (agent)
- private key and certificate of 10.5.137.175
- password: ###
Since external certs require Apache Passenger to work on this, I've installed Apache Passenger. These two certs above have been placed into their respective folders (/var/lib/puppet/ssl/certs, with another copy of the server cert placed in the /private_keys folder).
Given the two certificate files above, this is my configuration file on the Apache end, stored at "/etc/apache2/sites-enabled/puppetmaster" (this is for Ubuntu):
<VirtualHost *:8140>
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /var/lib/puppet/ssl/certs/mimosserverca2015.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/mimosserverca2015.pem
#SSLCertificateChainFile /var/lib/puppet/ssl/certs/mimosrootca2015.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/mimosrootca2015.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
# The `ExportCertData` option is needed for agent certificate expiration warnings
SSLOptions +StdEnvVars +ExportCertData
# This header needs to be set if using a loadbalancer or proxy
RequestHeader unset X-Forwarded-For
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
#RackBaseURI /
<Directory /usr/share/puppet/rack/puppetmasterd>
Options None
AllowOverride None
# Apply the right behavior depending on Apache version.
Order allow,deny
Allow from all
</Directory>
#Misc
LoadModule passenger_module /var/lib/gems/1.8/gems/passenger-4.0.53/xxx.so
PassengerRoot /var/lib/gems/1.8/gems/passenger-4.0.53
PassengerRuby /usr/bin/ruby1.8
ErrorLog /var/log/apache2/puppetmaster_ssl_error.log
CustomLog /var/log/apache2/puppetmaster_ssl_access.log combined
</VirtualHost>
For the puppet.conf at the puppetmaster. I only added the following additional lines:
[main]
ca_server = puppet2-64.mimos.local
[master]
ca = false
certname = mimosserverca2015
For one of the agents that is to be tested for this, I've added a ca_server thing in the agent's puppet configuration file. The webrick puppetmaster service has been turned off as the apache2 service has been turned on.
When the agent is executed, Error 400 is shown with the sub-message Master is not a CA.
If I've already defined the host and local root cert inside the puppetmaster file in the apache2 folder, shouldn't I be getting the same functionality as usual?
Or is it because the puppetmaster will not take the custom certificate file as its own, such that we have to rename that file?
So far I've checked around, but there's not much of material to be checked upon, unless there's steps that might not match my CA setup.
Can anyone help enlighten on this issue? Thanks a lot!
M
The error Master is not a CA is caused by the certificate authority function on your Puppet master being disabled, which you're explicitly doing by specifying ca = false in puppet.conf under [master].
Using an external CA is well-covered in the SSL Configuration: External CA Support document. However, it includes the following caveat, which is incompatible with your requirement that, "I still intend to have the puppetmaster issue certs, but the two certs to other agents by behaving the same thing as the normal way of the master issuing certs and autosign them."
These configurations are all-or-nothing rather than mix-and-match.
When using an external CA, the built in Puppet CA service must be
disabled and cannot be used to issue SSL certificates.
Additionally, Puppet cannot automatically distribute certificates in
these configurations — you must have your own complete system for
issuing and distributing certificates.
Simply put, when using an external CA with Puppet, you're responsible for signing and distributing the certificates.
(While you could try removing ca = false, it's quite possible that you'll run into problems as it's an unsupported configuration.)
If you put a signed agent cert on your agent system, either replacing the default paths or additionally specifying the host* configuration options, then the agent shouldn't attempt to use the (disabled) CA functions of the Puppet master.