Apache Client Authentication : Certificate Verification: Error (2): unable to get issuer certificate (SOLVE)
I am trying to set up a server with client authentication on a directory and a certificate revocation list (CRL). I had once managed to get client authentication working, but it no longer works, and I have never managed to get the revocation list working.
Here are my configuration files:
- default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /root/ca/intermediate/certs/www.example.com.cert.pem
SSLCertificateKeyFile /root/ca/intermediate/private/www.example.com.key.pem
SSLCertificateChainFile /root/ca/intermediate/certs/ca-chain.cert.pem
SSLCACertificateFile /root/ca/intermediate/certs/intermediate.cert.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
- apache2.conf
Mutex file:${APACHE_LOCK_DIR} default
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/html/testClientCert>
Options Indexes FollowSymLinks
AllowOverride None
SSLVerifyClient require
SSLVerifyDepth 10
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/default-ssl.conf
I created the root and intermediate CAs by following this tutorial: https://jamielinux.com/docs/openssl-certificate-authority/ (parts 1 and 2)
I generate the client certificates with the following commands:
4 - Create the client certificate
4.1 Create the client key
openssl genrsa -des3 -out client.key 4096
4.2 Create the client csr
openssl req -new -key client.key -out client.csr
4.3 Create the client certificate
openssl x509 -req -days 365 -in client.csr -CA /root/ca/intermediate/certs/intermediate.cert.pem -CAkey /root/ca/intermediate/private/intermediate.key.pem -set_serial <a value that changes for each certificate, e.g. incrementing: 01 for the first, then 02, ...> -out client.crt
4.4 Convert client certificate to PKCS
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Now here is my problem: it seems that my intermediate certificate is not trusted. Indeed, when I try to access the directory /var/www/html/testClientCert with Mozilla (I imported the intermediate CA + the client certificate into Mozilla), I get the following error:
tail -f 20 /var/log/apache2/*
==> /var/log/apache2/access.log <==
127.0.0.1 - - [07/Aug/2017:20:15:48 +0200] "GET /testClientCert/gg.txt HTTP/1.1" 403 9768 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"
==> /var/log/apache2/error.log <==
[Mon Aug 07 20:15:48.741592 2017] [ssl:error] [pid 2262:tid 140536910403328] [client 127.0.0.1:55376] AH02039: Certificate Verification: Error (2): unable to get issuer certificate
[Mon Aug 07 20:15:48.741670 2017] [ssl:error] [pid 2262:tid 140536910403328] [client 127.0.0.1:55376] AH02261: Re-negotiation handshake failed
[Mon Aug 07 20:15:48.741687 2017] [ssl:error] [pid 2262:tid 140536910403328] SSL Library Error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Why is there an error, given that I signed the intermediate CA certificate with the root CA certificate and my client certificate is signed by the intermediate CA?
In case anyone needs the answer, I'll post it here. The comments in the default configuration file (default-ssl.conf) put me on the right track:
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
So the SSLCACertificateFile file must contain both the root certificate and the intermediate certificate. Changing this line then solved my problem:
SSLCACertificateFile /root/ca/intermediate/certs/ca-chain.cert.pem
I haven't found a solution for the CRL yet; I'll post it once I have.
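Added example, not part of the original post: a throwaway shell script that rebuilds a root -> intermediate -> client chain with openssl and reproduces the "unable to get issuer certificate" error (OpenSSL verify error 2, which is what mod_ssl's "Error (2)" reports) when the intermediate certificate alone is the trust store, then shows that the intermediate+root bundle verifies the same client certificate. Subject names, file names, the temporary directory and the minimal req config are all constructed for this demo; `openssl verify -CAfile` stands in for what mod_ssl does with SSLCACertificateFile.

```shell
#!/bin/sh
# Added example (not part of the original post). Rebuilds a throwaway
# root -> intermediate -> client chain and reproduces the Apache log's
# "unable to get issuer certificate" (error 2) when only the intermediate
# is the trust store; the intermediate+root bundle then verifies.
# All names and paths below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_demo_pki() {
  # Self-contained req config so the demo does not depend on the system openssl.cnf.
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # CA extensions for the intermediate; pathlen:0 lets it sign only end-entity certs.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/ca.ext"

  # Root CA, self-signed. -nodes (unencrypted key) is acceptable only for a throwaway demo.
  openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Root CA" -keyout "$WORK/root.key" -out "$WORK/root.cert.pem" 2>/dev/null
  # Intermediate CA: CSR signed by the root with the CA extensions above.
  openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout "$WORK/intermediate.key" \
    -out "$WORK/intermediate.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/intermediate.csr" -CA "$WORK/root.cert.pem" \
    -CAkey "$WORK/root.key" -set_serial 01 -extfile "$WORK/ca.ext" \
    -out "$WORK/intermediate.cert.pem" 2>/dev/null
  # Client certificate signed by the intermediate, the same shape as step 4.3 of the question.
  openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=demo client" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/client.csr" -CA "$WORK/intermediate.cert.pem" \
    -CAkey "$WORK/intermediate.key" -set_serial 01 -out "$WORK/client.crt" 2>/dev/null
  # The bundle the answer puts in SSLCACertificateFile: intermediate followed by root.
  cat "$WORK/intermediate.cert.pem" "$WORK/root.cert.pem" > "$WORK/ca-chain.cert.pem"
}

# Exit 0 if client.crt verifies with the named CA file as the whole trust store, 1 otherwise.
verify_client_against() {
  openssl verify -CAfile "$WORK/$1" "$WORK/client.crt" >/dev/null 2>&1
}

# Prints openssl's diagnostic for a verification against the named CA file (never fails).
verify_diagnostic() {
  openssl verify -CAfile "$WORK/$1" "$WORK/client.crt" 2>&1 || true
}

# Exit 0 when both checks behave as the answer predicts:
# the intermediate alone cannot complete the chain, the full bundle can.
demo_chain_check() {
  make_demo_pki
  if verify_client_against intermediate.cert.pem; then
    echo "unexpected: the intermediate alone should not complete the chain" >&2
    return 1
  fi
  verify_client_against ca-chain.cert.pem || { echo "unexpected: chain bundle failed" >&2; return 1; }
  echo "trust store = intermediate only : $(verify_diagnostic intermediate.cert.pem | grep issuer | head -n1)"
  echo "trust store = intermediate+root : OK"
}

demo_chain_check
```

Run it with `sh` on any host that has the openssl CLI. The reason the intermediate alone fails is that OpenSSL's chain builder, which mod_ssl uses, only stops at a self-signed certificate it finds in the trust store; with the intermediate as the sole entry it still has to look up the intermediate's issuer, does not find the root, and reports error 2. Putting the root into the same PEM bundle (the answer's ca-chain.cert.pem) gives the builder a complete path from the client certificate to a trust anchor.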