mod_ssl and Certificate-Based Authentication


geudrik

Alright, I've been beating my head against a wall for a while now...

 

I am trying to set up certificate-based access to a directory, /sekrit, on my webserver.

I am using a Class 1 CA-issued set of certificates for my server - SSL is forced, :80 connections are not allowed. The set of CA files I'm using is listed as follows.

        SSLCertificateFile      /etc/apache2/ssl/ssl.crt
        SSLCertificateKeyFile   /etc/apache2/ssl/ssl.key
        SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
        SSLCACertificateFile    /etc/apache2/ssl/ca.pem

 

I have run the following commands to generate a user certificate (that they install in their browser) and every time I keep getting

(Error code: ssl_error_handshake_failure_alert)

$ openssl genrsa -out ~/client.key 2048
$ openssl req -new -key ~/client.key -out ~/client.csr
$ sudo openssl x509 -req -days 365 -CA /etc/apache2/ssl/ssl.crt -CAkey /etc/apache2/ssl/ssl.key -CAcreateserial -in ~/client.csr -out ~/client.crt
$ openssl pkcs12 -export -clcerts -in ~/client.crt -inkey ~/client.key -out ~/client.p12

 

I have also tried 1024- and 4096-bit key lengths, and the signing goes through all hunky dory, but I continually get the same error when trying to connect.

 

By the way, the code I have in my xxx.com:443 vhost is:

<Location /sekrit>
                SSLVerifyClient require
                SSLVerifyDepth  2
</Location>


Just as clarification, I want to be able to not touch my current SSL setup, but instead use the CA file I have to sign user-generated keys to allow access to a protected area of the site. 

 

Also, I'm making progress. Changed my Location block to...

        <Directory "/sekrit">
                SSLVerifyClient require
                SSLVerifyDepth  2
                SSLCACertificateFile    /etc/apache2/ssl/ssl.crt
                Options +Indexes
        </Directory>

So now it's actually using the crt that signed the key... I now get 403s when I go there, both with and without the certs I've created.

 

Making progress, but still equally perplexed.


Well... using

        <Directory "/var/www/sekrit">
                # SSLCACertificateFile    /etc/apache2/ssl/ssl.crt
                SSLCACertificateFile    /etc/apache2/ssl/ca.pem
                SSLVerifyClient require
                SSLVerifyDepth  10
                SSLOptions      +StrictRequire
                SSLRequire      %{SSL_CIPHER_USEKEYSIZE} >= 128
                Options +Indexes
        </Directory>

 

I get prompted to identify myself, so I used one of the certs I've created. Then I get a blank page, so I refresh and I get this error...

An error occurred during a connection to thesite.com.

Peer does not recognize and trust the CA that issued your certificate.

(Error code: ssl_error_unknown_ca_alert)

 

Can anyone shed any light on this?  :wtf:

 

Edit: I understand what the error is saying / what it means, but it doesn't make any sense... I'm using the crt that StartCom gave me (my Class 1) to sign the users' keys when I convert them into p12s... So what am I missing?


Here is my diagnostic information for normal SSL communication

Do any of the info attributes need to match the signing certificate when I create the private keys to be signed?

i.e.: do any of these values need to match when I create the client certs?

depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA

$ openssl s_client -connect xxx.com:443
CONNECTED(00000003)
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/description=503173-XEKhuo5DI0y28uVT/CN=www.xxx.com/emailAddress=xxx.com@email.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
cert code here
-----END CERTIFICATE-----
subject=/description=503173-XEKhuo5DI0y28uVT/CN=www.xxx.com/emailAddress=xxx.com@email.com
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4678 bytes and written 369 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 81AAC82B8BE62F1342A265607CB09AC86FB3F655FE7A32192786D437BDA822A3
    Session-ID-ctx:
    Master-Key: CE0B68C1C4BE88F361937A9A9B9E01AC8A6A3D4FF62084201961455544E3D7EF81A2FD1A67E8144C7A067962FAFFAC5A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Compression: 1 (zlib compression)
    Start Time: 1319810200
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
closed


Alright, so here is what my apache error log has to say about this...

I am using a cert that I created on my server and then signed using the ssl.key and ssl.crt files. The certificate is installed in FF, and I now get the following error in FF:

An error occurred during a connection to noobitron.com.

Peer does not recognize and trust the CA that issued your certificate.

(Error code: ssl_error_unknown_ca_alert)

 

Below is the tail for a failed handshake... :s Does anyone have any idea what I'm doing wrong?

[Thu Nov 03 12:54:28 2011] [error] [client x.x.x.x] Re-negotiation handshake failed: Not accepted by client!?
[Thu Nov 03 12:54:28 2011] [error] [client x.x.x.x] Re-negotiation request failed
[Thu Nov 03 12:54:36 2011] [error] [client x.x.x.x] Certificate Verification: Error (20): unable to get local issuer certificate
[Thu Nov 03 12:54:36 2011] [error] [client x.x.x.x] Re-negotiation handshake failed: Not accepted by client!?
[Thu Nov 03 12:54:36 2011] [error] [client x.x.x.x] Re-negotiation request failed
[Thu Nov 03 12:54:36 2011] [error] SSL Library Error: 67702888 error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
[Thu Nov 03 12:54:36 2011] [error] SSL Library Error: 336101498 error:1408807A:SSL routines:SSL3_GET_CERT_VERIFY:bad rsa signature

 

As a recap for the steps I'm taking...

1. Creating a new .crt on my server
2. Signing the .crt with my ssl.key and ssl.crt files
3. Converting the signed crt into a pk12
4. Importing the .pk12 into FF
5. Trying to access the site
6. Fail


Am I going wrong somewhere along the way? The only other thing that I can think of, and that I can't really find much info about, is using FF to gen the certificate, having the server sign it, then asking the client to accept it.. But again, I can't find diddly for information about that...


Edit

 

[Thu Nov 03 13:51:20 2011] [info] [client 184.171.147.37] Connection to child 0 established (server somesite.com:443)
[Thu Nov 03 13:51:20 2011] [info] Seeding PRNG with 656 bytes of entropy
[Thu Nov 03 13:51:20 2011] [info] Initial (No.1) HTTPS request received for child 0 (server somesite.com:443)
[Thu Nov 03 13:51:20 2011] [info] [client 184.171.147.37] Requesting connection re-negotiation
[Thu Nov 03 13:51:20 2011] [info] [client 184.171.147.37] Awaiting re-negotiation handshake
[Thu Nov 03 13:51:21 2011] [error] [client 184.171.147.37] Certificate Verification: Error (20): unable to get local issuer certificate
[Thu Nov 03 13:51:21 2011] [error] [client 184.171.147.37] Re-negotiation handshake failed: Not accepted by client!?
[Thu Nov 03 13:51:21 2011] [info] [client 184.171.147.37] Requesting connection re-negotiation
[Thu Nov 03 13:51:21 2011] [error] [client 184.171.147.37] Re-negotiation request failed
[Thu Nov 03 13:51:21 2011] [error] SSL Library Error: 67702888 error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
[Thu Nov 03 13:51:21 2011] [error] SSL Library Error: 336101498 error:1408807A:SSL routines:SSL3_GET_CERT_VERIFY:bad rsa signature

 

[Thu Nov 03 13:51:21 2011] [error] [client 184.171.147.37] Certificate Verification: Error (20): unable to get local issuer certificate

is my problem line, I suspect...
