Vtin Vtin -3 years ago 387
Linux Question

Apache Client Authentication : Certificate Verification: Error (2): unable to get issuer certificate

I am trying to configure a server with client authentication on a directory and a Certificate Revocation List (CRL). I succeeded once in making client authentication work, but it no longer works, and I never succeeded in making the revocation list work.

Here are my configuration files:

  • default-ssl.conf

    <IfModule mod_ssl.c>
        <VirtualHost _default_:443>
            ServerAdmin webmaster@localhost
            DocumentRoot /var/www/html
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined

            SSLEngine on
            SSLCertificateFile /root/ca/intermediate/certs/www.example.com.cert.pem
            SSLCertificateKeyFile /root/ca/intermediate/private/www.example.com.key.pem
            SSLCertificateChainFile /root/ca/intermediate/certs/ca-chain.cert.pem
            SSLCACertificateFile /root/ca/intermediate/certs/intermediate.cert.pem

            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
            </Directory>
        </VirtualHost>
    </IfModule>

  • apache2.conf

    Mutex file:${APACHE_LOCK_DIR} default
    Timeout 300
    KeepAlive On
    MaxKeepAliveRequests 100
    KeepAliveTimeout 5

    HostnameLookups Off

    ErrorLog ${APACHE_LOG_DIR}/error.log

    LogLevel warn

    IncludeOptional mods-enabled/*.load
    IncludeOptional mods-enabled/*.conf

    Include ports.conf

    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
    </Directory>

    <Directory /usr/share>
        AllowOverride None
        Require all granted
    </Directory>

    <Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    <Directory /var/www/html/testClientCert>
        Options Indexes FollowSymLinks
        AllowOverride None
        SSLVerifyClient require
        SSLVerifyDepth 10
    </Directory>

    AccessFileName .htaccess

    <FilesMatch "^\.ht">
        Require all denied
    </FilesMatch>

    LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
    LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %O" common
    LogFormat "%{Referer}i -> %U" referer
    LogFormat "%{User-agent}i" agent

    IncludeOptional conf-enabled/*.conf

    IncludeOptional sites-enabled/default-ssl.conf

I used the following tutorial to create the root and intermediate CA: https://jamielinux.com/docs/openssl-certificate-authority/ (parts 1 and 2)

I used the following commands to generate the client certificate:

4 - Create client certificate
4.1 Create the client key
openssl genrsa -des3 -out client.key 4096

4.2 Create the client csr
openssl req -new -key client.key -out client.csr

4.3 Create the client certificate
openssl x509 -req -days 365 -in client.csr -CA /root/ca/intermediate/certs/intermediate.cert.pem -CAkey /root/ca/intermediate/private/intermediate.key.pem -set_serial <set a value that changes for each cert, e.g. incrementing (01 for the first, then 02...)> -out client.crt

4.4 Convert client certificate to PKCS
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Now here is my question: it seems my intermediate certificate is not trusted. Indeed, when I try to access the directory /var/www/html/testClientCert with Mozilla (I imported the intermediate CA + client cert in Mozilla), I get the following error:

tail -f 20 /var/log/apache2/*

==> /var/log/apache2/access.log <==
- - [07/Aug/2017:20:15:48 +0200] "GET /testClientCert/gg.txt HTTP/1.1" 403 9768 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"

==> /var/log/apache2/error.log <==
[Mon Aug 07 20:15:48.741592 2017] [ssl:error] [pid 2262:tid 140536910403328] [client] AH02039: Certificate Verification: Error (2): unable to get issuer certificate
[Mon Aug 07 20:15:48.741670 2017] [ssl:error] [pid 2262:tid 140536910403328] [client] AH02261: Re-negotiation handshake failed
[Mon Aug 07 20:15:48.741687 2017] [ssl:error] [pid 2262:tid 140536910403328] SSL Library Error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed

How come this error occurs even though I signed the intermediate CA cert with the root CA cert and my client certificate is signed by the intermediate CA?

Answer Source

In case someone needs the answer, I am posting it. The comment in the default configuration file (default-ssl.conf) put me on the right track:

    #   Certificate Authority (CA):
    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)

So the SSLCACertificateFile file must contain the root and intermediate certificates. Changing this line solves my problem:

SSLCACertificateFile /root/ca/intermediate/certs/ca-chain.cert.pem
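
The failure and the fix from this thread can be reproduced offline with `openssl verify`, as an added example that is not part of the original post: it builds a throwaway root, intermediate and client certificate, then verifies the client certificate against an intermediate-only trust file and against the intermediate-plus-root chain file. All file names, subject names and the helper functions are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: throwaway root -> intermediate -> client chain.
# All names and paths below are constructed for the demo.

# new_csr NAME CN: fresh unencrypted key plus CSR in the current directory
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# build_chain DIR: create root.pem, int.pem, client.crt and ca-chain.pem in DIR
build_chain() (
    cd "$1" || exit 1
    # Extension file that marks a certificate as a CA
    echo 'basicConstraints=critical,CA:TRUE' > ca.ext
    new_csr root "Demo Root CA"
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -out root.pem 2>/dev/null
    new_csr int "Demo Intermediate CA"
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 01 \
        -extfile ca.ext -days 2 -out int.pem 2>/dev/null
    new_csr client "Demo Client"
    # Same signing form as step 4.3 on this page
    openssl x509 -req -in client.csr -CA int.pem -CAkey int.key -set_serial 01 \
        -days 2 -out client.crt 2>/dev/null
    # Chain file: intermediate first, then root
    cat int.pem root.pem > ca-chain.pem
)

# verify_client CAFILE CERT: print OpenSSL's verdict with CAFILE as the trust file
verify_client() {
    openssl verify -CAfile "$1" "$2" 2>&1 || true
}

demo=$(mktemp -d)
build_chain "$demo"
echo "--- trust file = intermediate only (the failing SSLCACertificateFile)"
verify_client "$demo/int.pem" "$demo/client.crt"
echo "--- trust file = intermediate + root (the working SSLCACertificateFile)"
verify_client "$demo/ca-chain.pem" "$demo/client.crt"
rm -rf "$demo"
```

Running the same `openssl verify -CAfile` check against the real file named in `SSLCACertificateFile` and a real client certificate shows whether the chain reaches a self-signed root before Apache is reloaded.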
