mod_ssl and Certificate-Based Authentication


geudrik

Alright, I've been beating my head against a wall for a while now...

 

I am trying to set up a certificate based access to a directory, /sekrit, on my webserver.

I am using a Class 1 CA-issued set of certificates for my server - SSL is forced, :80 connections are not allowed. The set of CA files I'm using is listed as follows.

        SSLCertificateFile      /etc/apache2/ssl/ssl.crt
        SSLCertificateKeyFile   /etc/apache2/ssl/ssl.key
        SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
        SSLCACertificateFile    /etc/apache2/ssl/ca.pem

 

I have run the following commands to generate a user certificate (that they install in their browser), and every time I keep getting

(Error code: ssl_error_handshake_failure_alert)

$ openssl genrsa -out ~/client.key 2048
$ openssl req -new -key ~/client.key -out ~/client.csr
$ sudo openssl x509 -req -days 365 -CA /etc/apache2/ssl/ssl.crt -CAkey /etc/apache2/ssl/ssl.key -CAcreateserial -in ~/client.csr -out ~/client.crt
$ openssl pkcs12 -export -clcerts -in ~/client.crt -inkey ~/client.key -out ~/client.p12

 

I have also tried 1024 and 4096 bit key lengths, and the signing goes through all hunky-dory, but I continually get the same error when trying to connect.

 

By the way, the code I have in my xxx.com:443 vhost is:

<Location /sekrit>
                SSLVerifyClient require
                SSLVerifyDepth  2
</Location>

Just as a clarification: I want to be able to not touch my current SSL setup, but instead use the CA file I have to sign user-generated keys to allow access to a protected area of the site.

 

Also, I'm making progress... I changed my Location block to...

<Directory "/sekrit">
        SSLVerifyClient require
        SSLVerifyDepth  2
        SSLCACertificateFile    /etc/apache2/ssl/ssl.crt
        Options +Indexes
</Directory>

So now it's actually using the crt that signed the key... I now get 403s when I go there, both with and without the certs I've created.

 

Making progress, but still equally perplexed.

Well... using

<Directory "/var/www/sekrit">
        # SSLCACertificateFile    /etc/apache2/ssl/ssl.crt
        SSLCACertificateFile    /etc/apache2/ssl/ca.pem
        SSLVerifyClient require
        SSLVerifyDepth  10
        SSLOptions      +StrictRequire
        SSLRequire      %{SSL_CIPHER_USEKEYSIZE} >= 128
        Options +Indexes
</Directory>

 

I get prompted to identify myself, so I use one of the certs I've created. Then I get a blank page, so I refresh and I get this error...

An error occurred during a connection to thesite.com.

Peer does not recognize and trust the CA that issued your certificate.

(Error code: ssl_error_unknown_ca_alert)

 

Can anyone shed any light on this?

 

Edit: I understand what the error is saying / what it means, but it doesn't make any sense... I'm using the crt that StartCom gave me (my Class 1) to sign the users' keys when I convert them into p12s... So what am I missing?

Here is my diagnostic information for normal SSL communication.

Do any of the info attributes need to match the signing certificate when I create the private keys to be signed?

i.e.: do any of these values need to match when I create the client certs?

depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA

$ openssl s_client -connect xxx.com:443
CONNECTED(00000003)
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/description=503173-XEKhuo5DI0y28uVT/CN=www.xxx.com/[email protected]
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
cert code here
-----END CERTIFICATE-----
subject=/description=503173-XEKhuo5DI0y28uVT/CN=www.xxx.com/[email protected]
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4678 bytes and written 369 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 81AAC82B8BE62F1342A265607CB09AC86FB3F655FE7A32192786D437BDA822A3
    Session-ID-ctx:
    Master-Key: CE0B68C1C4BE88F361937A9A9B9E01AC8A6A3D4FF62084201961455544E3D7EF81A2FD1A67E8144C7A067962FAFFAC5A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Compression: 1 (zlib compression)
    Start Time: 1319810200
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
closed

Alright, so here is what my apache error log has to say about this...

I am using a cert that I created on my server and then signed using the ssl.key and ssl.crt files. The certificate is installed in FF, and I now get the following error in FF

An error occurred during a connection to noobitron.com.

Peer does not recognize and trust the CA that issued your certificate.

(Error code: ssl_error_unknown_ca_alert)

 

Below is the tail for a failed handshake... Does anyone have any idea what I'm doing wrong?

[Thu Nov 03 12:54:28 2011] [error] [client x.x.x.x] Re-negotiation handshake failed: Not accepted by client!?
[Thu Nov 03 12:54:28 2011] [error] [client x.x.x.x] Re-negotiation request failed
[Thu Nov 03 12:54:36 2011] [error] [client x.x.x.x] Certificate Verification: Error (20): unable to get local issuer certificate
[Thu Nov 03 12:54:36 2011] [error] [client x.x.x.x] Re-negotiation handshake failed: Not accepted by client!?
[Thu Nov 03 12:54:36 2011] [error] [client x.x.x.x] Re-negotiation request failed
[Thu Nov 03 12:54:36 2011] [error] SSL Library Error: 67702888 error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
[Thu Nov 03 12:54:36 2011] [error] SSL Library Error: 336101498 error:1408807A:SSL routines:SSL3_GET_CERT_VERIFY:bad rsa signature

 

As a recap for the steps I'm taking...

Creating a new .crt on my server
Signing the .crt with my ssl.key and ssl.crt files
Converting the signed crt into a .p12
Importing the .p12 into FF
Trying to access the site
Fail

 

 

Am I going wrong somewhere along the way? The only other thing that I can think of, and that I can't really find much info about, is using FF to generate the certificate, having the server sign it, then asking the client to accept it... But again, I can't find diddly for information about that...

Edit

 

[Thu Nov 03 13:51:20 2011] [info] [client 184.171.147.37] Connection to child 0 established (server somesite.com:443)
[Thu Nov 03 13:51:20 2011] [info] Seeding PRNG with 656 bytes of entropy
[Thu Nov 03 13:51:20 2011] [info] Initial (No.1) HTTPS request received for child 0 (server somesite.com:443)
[Thu Nov 03 13:51:20 2011] [info] [client 184.171.147.37] Requesting connection re-negotiation
[Thu Nov 03 13:51:20 2011] [info] [client 184.171.147.37] Awaiting re-negotiation handshake
[Thu Nov 03 13:51:21 2011] [error] [client 184.171.147.37] Certificate Verification: Error (20): unable to get local issuer certificate
[Thu Nov 03 13:51:21 2011] [error] [client 184.171.147.37] Re-negotiation handshake failed: Not accepted by client!?
[Thu Nov 03 13:51:21 2011] [info] [client 184.171.147.37] Requesting connection re-negotiation
[Thu Nov 03 13:51:21 2011] [error] [client 184.171.147.37] Re-negotiation request failed
[Thu Nov 03 13:51:21 2011] [error] SSL Library Error: 67702888 error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
[Thu Nov 03 13:51:21 2011] [error] SSL Library Error: 336101498 error:1408807A:SSL routines:SSL3_GET_CERT_VERIFY:bad rsa signature

 

[Thu Nov 03 13:51:21 2011] [error] [client 184.171.147.37] Certificate Verification: Error (20): unable to get local issuer certificate

is the problem line, I suspect...
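An added worked example (mine, not code from the original post or from the poster's server): it builds the setup the thread is reaching for and shows, with the same OpenSSL tools, why the procedure above cannot validate. A StartCom Class 1 server certificate is an end-entity certificate (basicConstraints CA:FALSE), so a client certificate signed with ssl.crt/ssl.key never passes path validation, and the StartCom root in ca.pem never issued those client certificates, which is what "Error (20): unable to get local issuer certificate" in the log reports. The fix that leaves the existing server certificate alone is a separate private CA whose certificate becomes SSLCACertificateFile. All subjects, file names, the password and the /etc/apache2/ssl/client-ca.crt path are assumptions made for the demo; everything is generated in a temporary directory and nothing is installed.

```shell
#!/bin/sh
# Added example, not from the original post. A private CA for browser client
# certificates, the check mod_ssl performs, and why signing with the server's
# own StartCom leaf certificate cannot pass it. All names, subjects and paths
# are assumptions for the demo; everything lands in a temp directory.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Extension files. Only a certificate with basicConstraints CA:TRUE and
# keyUsage keyCertSign may issue other certificates; a server (leaf) cert
# carries CA:FALSE, so anything it "signs" is rejected by path validation.
write_ext() {
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$WORK/ca.ext"
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' > "$WORK/leaf.ext"
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature' 'extendedKeyUsage=clientAuth' > "$WORK/client.ext"
}

# Self-signed private CA used only for client certs. ca.key stays off the
# web server; only ca.crt is copied there as SSLCACertificateFile.
make_ca() {
    write_ext
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/ca.key" -subj "/O=Example/CN=Example Client CA" -out "$WORK/ca.csr"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# issue NAME ISSUER EXTFILE SUBJECT: key + CSR + signed cert, as in the post.
issue() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "$4" -out "$WORK/$1.csr"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 365 -extfile "$WORK/$3.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# The working setup: a client cert issued by the private CA validates against
# ca.crt, which is the check mod_ssl runs for SSLVerifyClient require.
good_chain_verifies() {
    issue client ca client "/CN=alice"
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null
}

# The post's setup: a client cert signed with the server's leaf cert and key.
# Even with the complete chain available, validation fails because the
# issuer's basicConstraints says CA:FALSE ("invalid CA certificate").
bad_chain_fails() {
    issue server ca leaf "/CN=www.example.com"
    # Some OpenSSL builds refuse to sign with a non-CA cert outright; if the
    # signing does go through, path validation rejects the result instead.
    if ! issue client_bad server client "/CN=alice"; then return 0; fi
    cat "$WORK/ca.crt" "$WORK/server.crt" > "$WORK/bundle.pem"
    ! openssl verify -CAfile "$WORK/bundle.pem" "$WORK/client_bad.crt" >/dev/null 2>&1
}

# One common cause of "bad rsa signature" in CertificateVerify is a .p12
# whose key does not belong to its cert; compare public keys before exporting.
key_matches_cert() {
    [ "$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/$1.key" -pubout)" ]
}

# Browser bundle. Including ca.crt lets the browser match the issuer against
# the CA names the server sends in its CertificateRequest. Password assumed.
export_p12() {
    openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -certfile "$WORK/ca.crt" -name "alice" -passout pass:changeit -out "$WORK/client.p12"
}

# Apache 2.2 directives for the protected area. SSLCACertificateFile is a
# server/virtual-host directive; the per-directory part is SSLVerifyClient,
# which mod_ssl enforces by renegotiating after the first request.
write_apache_conf() {
    cat > "$WORK/sekrit.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/ssl.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/ssl.key
    SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
    # The private client CA (assumed path), not the StartCom root.
    SSLCACertificateFile    /etc/apache2/ssl/client-ca.crt
    <Directory "/var/www/sekrit">
        SSLVerifyClient require
        SSLVerifyDepth  1
        SSLOptions      +StrictRequire
        Options         +Indexes
    </Directory>
</VirtualHost>
EOF
}

demo() {
    make_ca
    good_chain_verifies && echo "private CA chain: OK"
    key_matches_cert client && echo "client key matches cert: OK"
    bad_chain_fails && echo "leaf-signed client cert: rejected, as expected"
    export_p12 && write_apache_conf
    echo "artifacts in $WORK"
}
demo
```

Two caveats that follow from the log excerpts. Because SSLVerifyClient lives in a <Directory> block, mod_ssl completes the first handshake without asking for a certificate and only renegotiates once a request reaches /sekrit; that is why s_client against the bare host prints "No client certificate CA names sent", and the "Re-negotiation handshake failed: Not accepted by client" lines come from that second handshake. Putting SSLVerifyClient at virtual-host level avoids renegotiation at the cost of requiring a certificate for the whole site. To exercise the protected path without a browser, run openssl s_client -connect host:443 -cert client.crt -key client.key -CAfile ca.crt and type "GET /sekrit/ HTTP/1.0" followed by an empty line; the renegotiation happens at that point, and the Apache error log shows the verification result for the certificate sent.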

Archived

This topic is now archived and is closed to further replies.
