Httpd and curl: Configure https connection from a p12 file for client validation

httpd openssl ssl-certificate

I'm deploying an httpd. I need to configure ssl in order to validate clients according to their client certificates.

In order to do that I've a p12 file containing the private key, the client certificate, and the CA chain certificates:

CA chain certs:

➜ ~ openssl pkcs12 -in fitxers.p12 -cacerts -nokeys
Bag Attributes
    ...
-----BEGIN CERTIFICATE-----
$$$$$$$...
-----END CERTIFICATE-----
Bag Attributes
    ...
-----BEGIN CERTIFICATE-----
$$$$$$$...
-----END CERTIFICATE-----

Client cert:

➜ ~ openssl pkcs12 -in fitxers.p12 -clcerts -nokeys
Bag Attributes
    ...
-----BEGIN CERTIFICATE-----
$$$$$$$...
-----END CERTIFICATE-----

Client private key:

➜ ~ openssl pkcs12 -in fitxers.p12 -nocerts
Bag Attributes
    ...
-----BEGIN PRIVATE KEY-----
$$$$$$$...
-----END PRIVATE KEY-----

In order to split this p12 file into separate cert and key files:

➜ ~ openssl pkcs12 -in container.p12 -nocerts -out client.key.pem
➜ ~ openssl pkcs12 -in fitxers.p12 -clcerts -nokeys -out client.crt
➜ ~ openssl pkcs12 -in fitxers.p12 -cacerts -nokeys -out cacerts.crt

So, from now on, I've configured my httpd as:

SSLEngine On
SSLCACertificateFile /usr/local/apache2/conf/cacerts.crt
...

I'm trying to make the connection using curl:

curl --cert client.crt --key client.key.pem https://localhost:8080/token -v
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
Enter PEM pass phrase:
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

In the httpd server logs I'm getting:

[Tue Sep 17 11:17:28.144219 2019] [ssl:info] [pid 8:tid 139871525332736] [client 10.0.2.4:52926] AH01964: Connection to child 68 established (server 10.0.2.47:443)
[Tue Sep 17 11:17:28.148318 2019] [ssl:debug] [pid 8:tid 139871525332736] ssl_engine_kernel.c(2375): [client 10.0.2.4:52926] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Tue Sep 17 11:17:28.155178 2019] [ssl:info] [pid 8:tid 139871525332736] [client 10.0.2.4:52926] AH02008: SSL library error 1 in handshake (server 10.0.2.47:443)
[Tue Sep 17 11:17:28.155569 2019] [ssl:info] [pid 8:tid 139871525332736] SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46)
[Tue Sep 17 11:17:28.155609 2019] [ssl:info] [pid 8:tid 139871525332736] [client 10.0.2.4:52926] AH01998: Connection closed to child 68 with abortive shutdown (server 10.0.2.47:443)
[Tue Sep 17 11:19:01.114529 2019] [ssl:info] [pid 8:tid 139871448463104] [client 10.255.0.2:48060] AH01964: Connection to child 69 established (server 10.0.2.47:443)
[Tue Sep 17 11:19:01.114667 2019] [ssl:debug] [pid 8:tid 139871448463104] ssl_engine_kernel.c(2354): [client 10.255.0.2:48060] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Sep 17 11:19:01.114674 2019] [ssl:debug] [pid 8:tid 139871448463104] ssl_engine_kernel.c(2354): [client 10.255.0.2:48060] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Sep 17 11:19:01.114679 2019] [core:debug] [pid 8:tid 139871448463104] protocol.c(2314): [client 10.255.0.2:48060] AH03155: select protocol from , choices=h2,http/1.1 for server 10.0.2.47
[Tue Sep 17 11:19:01.117705 2019] [ssl:info] [pid 8:tid 139871448463104] [client 10.255.0.2:48060] AH02008: SSL library error 1 in handshake (server 10.0.2.47:443)
[Tue Sep 17 11:19:01.117827 2019] [ssl:info] [pid 8:tid 139871448463104] SSL Library Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (SSL alert number 48)
[Tue Sep 17 11:19:01.117858 2019] [ssl:info] [pid 8:tid 139871448463104] [client 10.255.0.2:48060] AH01998: Connection closed to child 69 with abortive shutdown (server 10.0.2.47:443)

I've also tried using cacerts.pem with curl:

curl --cacert ./cacerts.pem --cert client.crt --key client.key.pem https://localhost:8080/token -v

Any ideas?

Best Answer

$ openssl pkcs12 -in certificate.p12 -out file.key.pem -nocerts -nodes
$ openssl pkcs12 -in certificate.p12 -out file.crt.pem -clcerts -nokeys

$ curl -k --cert ./file.crt.pem --cert-type PEM --key ./file.key.pem --key-type PEM --pass password  "https://<server-ip>:443/actuator/health"
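The check below is an added example, not part of the question or of the answer above. It builds throwaway CAs and certificates with openssl, bundles the client material into a PKCS#12 file, splits it with the same `openssl pkcs12` options used on this page (including the answer's `-nodes`, which writes the key unencrypted so curl does not stop at "Enter PEM pass phrase"), and then verifies both trust chains offline before httpd or curl are involved. Every file name, subject and the passphrase are constructed for the demo; the two-CA layout (one CA issuing client certificates, a different one issuing the server certificate) is an assumption chosen to reproduce the failure mode on the page.

```shell
#!/bin/sh
# Added example: extract key/cert/CA from a PKCS#12 file and verify the chains
# with openssl before debugging httpd or curl. All names below are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="demo-p12-pass"            # constructed export passphrase for the .p12

# newca <basename> <CN>: self-signed demo CA (key + certificate)
newca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue <basename> <CN> <ca-basename>: leaf certificate signed by that CA
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/$1.csr" -CA "$WORK/$3.crt" \
      -CAkey "$WORK/$3.key" -CAcreateserial -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Build the demo PKI and a .p12 shaped like the one in the question
make_demo_p12() {
  newca client-ca "Demo Client CA"   # issues client certs: httpd's SSLCACertificateFile
  newca server-ca "Demo Server CA"   # issues the server cert: what curl has to trust
  issue client demo-client client-ca
  issue server localhost server-ca
  # Key + client cert + issuing CA in one PKCS#12 container
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
      -certfile "$WORK/client-ca.crt" -passout "pass:$P12_PASS" -out "$WORK/fitxers.p12"
}

# Split the container the way the question and answer do
split_p12() {
  # -nodes: unencrypted key, so curl will not prompt for a PEM pass phrase
  openssl pkcs12 -in "$WORK/fitxers.p12" -passin "pass:$P12_PASS" -nocerts -nodes -out "$WORK/client.key.pem"
  openssl pkcs12 -in "$WORK/fitxers.p12" -passin "pass:$P12_PASS" -clcerts -nokeys -out "$WORK/client.crt.pem"
  openssl pkcs12 -in "$WORK/fitxers.p12" -passin "pass:$P12_PASS" -cacerts -nokeys -out "$WORK/cacerts.pem"
}

# chain_ok <ca-bundle> <cert>: exit 0 when the cert chains to a CA in the bundle
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert <key> <cert>: exit 0 when the private key belongs to the cert
# (compares SHA-256 of the DER SubjectPublicKeyInfo derived from each side)
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  [ "$k" = "$c" ]
}

make_demo_p12
split_p12
chain_ok "$WORK/cacerts.pem" "$WORK/client.crt.pem" && echo "client cert chains to cacerts.pem (httpd side OK)"
key_matches_cert "$WORK/client.key.pem" "$WORK/client.crt.pem" && echo "client key matches client cert"
# The client CA bundle says nothing about the server certificate. Handing it to
# --cacert cannot satisfy curl when the server cert was issued by another CA.
chain_ok "$WORK/cacerts.pem" "$WORK/server.crt" || echo "server cert does NOT chain to cacerts.pem (expected here)"
chain_ok "$WORK/server-ca.crt" "$WORK/server.crt" && echo "server cert chains to server-ca.crt: that is the --cacert file"
```

`curl: (60) ... unable to get local issuer certificate` is curl failing to build a chain for the server's certificate from the CA file it lists, and the `tlsv1 alert unknown ca` that httpd logs in `ssl3_read_bytes` is the alert the client sent back after that rejection; neither says anything yet about the client certificate. The answer's `-k` skips that server check entirely. The `chain_ok` test above shows the alternative a practitioner would want in production: find the CA that actually issued the server certificate, pass that file to `--cacert`, and keep `cacerts.pem` for `SSLCACertificateFile` on the httpd side where client certificates are validated.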