I'm deploying an httpd. I need to configure SSL in order to validate a client according to its client certificate.
In order to do that I've a p12 file containing the private key, the client certificate, and the CA chain certificates:
CA chain certs:
➜ ~ openssl pkcs12 -in fitxers.p12 -cacerts -nokeys
Bag Attributes
...
-----BEGIN CERTIFICATE-----
$$$$$$$...
-----END CERTIFICATE-----
Bag Attributes
...
-----BEGIN CERTIFICATE-----
$$$$$$$...
-----END CERTIFICATE-----
Client cert:
➜ ~ openssl pkcs12 -in fitxers.p12 -clcerts -nokeys
Bag Attributes
...
-----BEGIN CERTIFICATE-----
$$$$$$$...
-----END CERTIFICATE-----
Client private key:
➜ ~ openssl pkcs12 -in fitxers.p12 -nocerts
Bag Attributes
...
-----BEGIN PRIVATE KEY-----
$$$$$$$...
-----END PRIVATE KEY-----
In order to split this p12 file into separate cert and key files:
➜ ~ openssl pkcs12 -in container.p12 -nocerts -out client.key.pem
➜ ~ openssl pkcs12 -in fitxers.p12 -clcerts -nokeys -out client.crt
➜ ~ openssl pkcs12 -in fitxers.p12 -cacerts -nokeys -out cacerts.crt
So, from now on, I've configured my httpd as:
SSLEngine On
SSLCACertificateFile /usr/local/apache2/conf/cacerts.crt
...
I'm trying to make the connection using curl:
curl --cert client.crt --key client.key.pem https://localhost:8080/token -v
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
Enter PEM pass phrase:
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
In the httpd server logs I'm getting:
[Tue Sep 17 11:17:28.144219 2019] [ssl:info] [pid 8:tid 139871525332736] [client 10.0.2.4:52926] AH01964: Connection to child 68 established (server 10.0.2.47:443)
[Tue Sep 17 11:17:28.148318 2019] [ssl:debug] [pid 8:tid 139871525332736] ssl_engine_kernel.c(2375): [client 10.0.2.4:52926] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Tue Sep 17 11:17:28.155178 2019] [ssl:info] [pid 8:tid 139871525332736] [client 10.0.2.4:52926] AH02008: SSL library error 1 in handshake (server 10.0.2.47:443)
[Tue Sep 17 11:17:28.155569 2019] [ssl:info] [pid 8:tid 139871525332736] SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46)
[Tue Sep 17 11:17:28.155609 2019] [ssl:info] [pid 8:tid 139871525332736] [client 10.0.2.4:52926] AH01998: Connection closed to child 68 with abortive shutdown (server 10.0.2.47:443)
[Tue Sep 17 11:19:01.114529 2019] [ssl:info] [pid 8:tid 139871448463104] [client 10.255.0.2:48060] AH01964: Connection to child 69 established (server 10.0.2.47:443)
[Tue Sep 17 11:19:01.114667 2019] [ssl:debug] [pid 8:tid 139871448463104] ssl_engine_kernel.c(2354): [client 10.255.0.2:48060] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Sep 17 11:19:01.114674 2019] [ssl:debug] [pid 8:tid 139871448463104] ssl_engine_kernel.c(2354): [client 10.255.0.2:48060] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Sep 17 11:19:01.114679 2019] [core:debug] [pid 8:tid 139871448463104] protocol.c(2314): [client 10.255.0.2:48060] AH03155: select protocol from , choices=h2,http/1.1 for server 10.0.2.47
[Tue Sep 17 11:19:01.117705 2019] [ssl:info] [pid 8:tid 139871448463104] [client 10.255.0.2:48060] AH02008: SSL library error 1 in handshake (server 10.0.2.47:443)
[Tue Sep 17 11:19:01.117827 2019] [ssl:info] [pid 8:tid 139871448463104] SSL Library Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (SSL alert number 48)
[Tue Sep 17 11:19:01.117858 2019] [ssl:info] [pid 8:tid 139871448463104] [client 10.255.0.2:48060] AH01998: Connection closed to child 69 with abortive shutdown (server 10.0.2.47:443)
I've also tried using cacerts.pem with curl --cacert ./cacerts.pem --cert client.crt --key client.key.pem https://localhost:8080/token -v
Any ideas?
Best Answer