Bug 65415 - ERR_BAD_SSL_CLIENT_AUTH_CERT by client certificate
Summary: ERR_BAD_SSL_CLIENT_AUTH_CERT by client certificate
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.41
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-30 23:24 UTC by Paulo
Modified: 2021-09-19 14:32 UTC
Description Paulo 2021-06-30 23:24:59 UTC
CA certificate: OK

Server certificate: OK

Client certificate: OK


Server and client certificates are signed by the same CA private key.

Environment:

OpenSSL 1.1.1f  31 Mar 2020

Ubuntu 20.04

Server version: Apache/2.4.41 (Ubuntu)
Server built:   2021-06-17T18:27:53

My problem:

Connecting to a secure server that requires a client certificate, I get the following error when presenting my certificate:

ERR_BAD_SSL_CLIENT_AUTH_CERT

It started to fail after the previous one was voided and I issued a new one.

CA: the same. Server cert: renewed after the previous one was voided.

My server conf:

<VirtualHost *:443>
                ServerAdmin webmaster@localhost

                DocumentRoot /home/www/

                # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
                # error, crit, alert, emerg.
                # It is also possible to configure the loglevel for particular
                # modules, e.g.
                #LogLevel info ssl:warn

                ErrorLog /var/log/apache2/ssl_engine.log
                LogLevel debug

                #ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                # For most configuration files from conf-available/, which are
                # enabled or disabled at a global level, it is possible to
                # include a line for only one particular virtual host. For example the
                # following line enables the CGI configuration for this host only
                # after it has been globally disabled with "a2disconf".
                #Include conf-available/serve-cgi-bin.conf

                #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                SSLEngine on

                SSLProtocol all -SSLv3 -TLSv1.3
                #SSLProtocol all
                #SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3
                SSLHonorCipherOrder on
                SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

                #   A self-signed (snakeoil) certificate can be created by installing
                #   the ssl-cert package. See
                #   /usr/share/doc/apache2/README.Debian.gz for more info.
                #   If both key and certificate are stored in the same file, only the
                #   SSLCertificateFile directive is needed.
                SSLCertificateFile /etc/ssl/private/server.crt
                SSLCertificateKeyFile /etc/ssl/private/server.key
                SSLCACertificatePath /etc/ssl/certs/
                #SSLCACertificateFile /etc/ssl/certs/PSign_TrustCenter_Root_CA-I.pem
                SSLCACertificateFile /etc/ssl/private/fullchain.crt


                #   Server Certificate Chain:
                #   Point SSLCertificateChainFile at a file containing the
                #   concatenation of PEM encoded CA certificates which form the
                #   certificate chain for the server certificate. Alternatively
                #   the referenced file can be the same as SSLCertificateFile
                #   when the CA certificates are directly appended to the server
                #   certificate for convenience.
                #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

                #   Certificate Authority (CA):
                #   Set the CA certificate verification path where to find CA
                #   certificates for client authentication or alternatively one
                #   huge file containing all of them (file must be PEM encoded)
                #   Note: Inside SSLCACertificatePath you need hash symlinks
                #                to point to the certificate files. Use the provided
                #                Makefile to update the hash symlinks after changes.
                #SSLCACertificatePath /etc/ssl/certs/
                #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

                #   Certificate Revocation Lists (CRL):
                #   Set the CA revocation path where to find CA CRLs for client
                #   authentication or alternatively one huge file containing all
                #   of them (file must be PEM encoded)
                #   Note: Inside SSLCARevocationPath you need hash symlinks
                #                to point to the certificate files. Use the provided
                #                Makefile to update the hash symlinks after changes.
                #SSLCARevocationPath /etc/apache2/ssl.crl/
                #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

                #   Client Authentication (Type):
                #   Client certificate verification type and depth. Types are
                #   none, optional, require and optional_no_ca. Depth is a
                #   number which specifies how deeply to verify the certificate
                #   issuer chain before deciding the certificate is not valid.
                #SSLVerifyClient require
                #SSLVerifyDepth  10

                #   SSL Engine Options:
                #   Set various options for the SSL engine.
                #   o FakeBasicAuth:
                #        Translate the client X.509 into a Basic Authorisation.  This means that
                #        the standard Auth/DBMAuth methods can be used for access control.  The
                #        user name is the `one line' version of the client's X.509 certificate.
                #        Note that no password is obtained from the user. Every entry in the user
                #        file needs this password: `xxj31ZMTZzkVA'.
                #   o ExportCertData:
                #        This exports two additional environment variables: SSL_CLIENT_CERT and
                #        SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
                #        server (always existing) and the client (only existing when client
                #        authentication is used). This can be used to import the certificates
                #        into CGI scripts.
                #   o StdEnvVars:
                #        This exports the standard SSL/TLS related `SSL_*' environment variables.
                #        Per default this exportation is switched off for performance reasons,
                #        because the extraction step is an expensive operation and is usually
                #        useless for serving static content. So one usually enables the
                #        exportation for CGI and SSI requests only.
                #   o OptRenegotiate:
                #        This enables optimized SSL connection renegotiation handling when SSL
                #        directives are used in per-directory context.
                #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

                #   SSL Protocol Adjustments:
                #   The safe and default but still SSL/TLS standard compliant shutdown
                #   approach is that mod_ssl sends the close notify alert but doesn't wait for
                #   the close notify alert from client. When you need a different shutdown
                #   approach you can use one of the following variables:
                #   o ssl-unclean-shutdown:
                #        This forces an unclean shutdown when the connection is closed, i.e. no
                #        SSL close notify alert is sent or allowed to be received.  This violates
                #        the SSL/TLS standard but is needed for some brain-dead browsers. Use
                #        this when you receive I/O errors because of the standard approach where
                #        mod_ssl sends the close notify alert.
                #   o ssl-accurate-shutdown:
                #        This forces an accurate shutdown when the connection is closed, i.e. a
                #        SSL close notify alert is sent and mod_ssl waits for the close notify
                #        alert of the client. This is 100% SSL/TLS standard compliant, but in
                #        practice often causes hanging connections with brain-dead browsers. Use
                #        this only for browsers where you know that their SSL implementation
                #        works correctly.
                #   Notice: Most problems of broken clients are also related to the HTTP
                #   keep-alive facility, so you usually additionally want to disable
                #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
                #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
                #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
                #   "force-response-1.0" for this.
                # BrowserMatch "MSIE [2-6]" \
                #               nokeepalive ssl-unclean-shutdown \
                #               downgrade-1.0 force-response-1.0


# private
       Alias /ssl/ /home/www/html-ssl-certs/
       <Location /ssl/>
             SSLVerifyClient require
             SSLVerifyDepth       5
             SSLOptions +StdEnvVars +ExportCertData
             AuthType Basic
             AuthName "Protected User access required"
             AuthUserFile /etc/apache2/.htpasswd
             Require valid-user
             DirectoryIndex phpinfo.php
             DirectoryIndexRedirect permanent
             Order deny,allow
             Allow from all
      </Location>



</VirtualHost>

LOG:

[Tue Jun 29 19:15:43.024571 2021] [socache_shmcb:debug] [pid 241359] mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0xae -> subcache 14)
[Tue Jun 29 19:15:43.024597 2021] [socache_shmcb:debug] [pid 241359] mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match
[Tue Jun 29 19:15:43.024605 2021] [socache_shmcb:debug] [pid 241359] mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve successfully
[Tue Jun 29 19:15:43.024632 2021] [ssl:debug] [pid 241359] ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Jun 29 19:15:43.024700 2021] [ssl:debug] [pid 241359] ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Jun 29 19:15:43.024711 2021] [core:debug] [pid 241359] protocol.c(2313): [client 127.0.0.1:57022] AH03155: select protocol from , choices=h2,http/1.1 for server hp15pw
[Tue Jun 29 19:15:43.026143 2021] [ssl:info] [pid 241355] [client 127.0.0.1:57024] AH01964: Connection to child 0 established (server hp15pw:443)
[Tue Jun 29 19:15:43.026407 2021] [socache_shmcb:debug] [pid 241355] mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0x07 -> subcache 7)
[Tue Jun 29 19:15:43.026424 2021] [socache_shmcb:debug] [pid 241355] mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match
[Tue Jun 29 19:15:43.026429 2021] [socache_shmcb:debug] [pid 241355] mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve successfully
[Tue Jun 29 19:15:43.026449 2021] [ssl:debug] [pid 241355] ssl_engine_kernel.c(2387): [client 127.0.0.1:57024] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Jun 29 19:15:43.026489 2021] [ssl:debug] [pid 241355] ssl_engine_kernel.c(2387): [client 127.0.0.1:57024] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Jun 29 19:15:43.026497 2021] [core:debug] [pid 241355] protocol.c(2313): [client 127.0.0.1:57024] AH03155: select protocol from , choices=h2,http/1.1 for server hp15pw
[Tue Jun 29 19:15:43.321198 2021] [ssl:debug] [pid 241359] ssl_engine_kernel.c(2254): [client 127.0.0.1:57022] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:43.323322 2021] [ssl:debug] [pid 241359] ssl_engine_kernel.c(415): [client 127.0.0.1:57022] AH02034: Initial (No.1) HTTPS request received for child 4 (server hp15pw:443)
[Tue Jun 29 19:15:43.323413 2021] [ssl:debug] [pid 241355] ssl_engine_kernel.c(2254): [client 127.0.0.1:57024] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:43.323733 2021] [ssl:debug] [pid 241359] ssl_engine_kernel.c(782): [client 127.0.0.1:57022] AH02255: Changed client verification type will force renegotiation
[Tue Jun 29 19:15:43.323837 2021] [ssl:info] [pid 241359] [client 127.0.0.1:57022] AH02221: Requesting connection re-negotiation
[Tue Jun 29 19:15:43.323893 2021] [ssl:debug] [pid 241359] ssl_engine_kernel.c(984): [client 127.0.0.1:57022] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Tue Jun 29 19:15:43.324148 2021] [ssl:debug] [pid 241359] ssl_engine_kernel.c(2254): [client 127.0.0.1:57022] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:43.324265 2021] [ssl:info] [pid 241359] [client 127.0.0.1:57022] AH02226: Awaiting re-negotiation handshake
[Tue Jun 29 19:15:43.324869 2021] [ssl:debug] [pid 241359] ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Jun 29 19:15:43.331104 2021] [ssl:error] [pid 241359] [client 127.0.0.1:57022] AH02261: Re-negotiation handshake failed
[Tue Jun 29 19:15:43.331256 2021] [ssl:debug] [pid 241359] ssl_engine_io.c(1368): (70014)End of file found: [client 127.0.0.1:57022] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Tue Jun 29 19:15:43.331328 2021] [ssl:info] [pid 241359] [client 127.0.0.1:57022] AH01998: Connection closed to child 4 with abortive shutdown (server hp15pw:443)
[Tue Jun 29 19:15:45.526753 2021] [ssl:info] [pid 241355] (70014)End of file found: [client 127.0.0.1:57024] AH01991: SSL input filter read failed.
[Tue Jun 29 19:15:45.527179 2021] [ssl:debug] [pid 241355] ssl_engine_io.c(1102): [client 127.0.0.1:57024] AH02001: Connection closed to child 0 with standard shutdown (server hp15pw:443)
[Tue Jun 29 19:15:45.537952 2021] [ssl:info] [pid 241357] [client 127.0.0.1:57026] AH01964: Connection to child 2 established (server hp15pw:443)
[Tue Jun 29 19:15:45.538859 2021] [socache_shmcb:debug] [pid 241357] mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0x68 -> subcache 8)
[Tue Jun 29 19:15:45.538910 2021] [socache_shmcb:debug] [pid 241357] mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match
[Tue Jun 29 19:15:45.538929 2021] [socache_shmcb:debug] [pid 241357] mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve successfully
[Tue Jun 29 19:15:45.538994 2021] [ssl:debug] [pid 241357] ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Jun 29 19:15:45.539162 2021] [ssl:debug] [pid 241357] ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Jun 29 19:15:45.539188 2021] [core:debug] [pid 241357] protocol.c(2313): [client 127.0.0.1:57026] AH03155: select protocol from , choices=h2,http/1.1 for server hp15pw
[Tue Jun 29 19:15:45.574552 2021] [ssl:debug] [pid 241357] ssl_engine_kernel.c(2254): [client 127.0.0.1:57026] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:45.589868 2021] [ssl:debug] [pid 241357] ssl_engine_kernel.c(415): [client 127.0.0.1:57026] AH02034: Initial (No.1) HTTPS request received for child 2 (server hp15pw:443)
[Tue Jun 29 19:15:45.590043 2021] [ssl:debug] [pid 241357] ssl_engine_kernel.c(782): [client 127.0.0.1:57026] AH02255: Changed client verification type will force renegotiation
[Tue Jun 29 19:15:45.590051 2021] [ssl:info] [pid 241357] [client 127.0.0.1:57026] AH02221: Requesting connection re-negotiation
[Tue Jun 29 19:15:45.590124 2021] [ssl:debug] [pid 241357] ssl_engine_kernel.c(984): [client 127.0.0.1:57026] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Tue Jun 29 19:15:45.590251 2021] [ssl:debug] [pid 241357] ssl_engine_kernel.c(2254): [client 127.0.0.1:57026] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:45.590261 2021] [ssl:info] [pid 241357] [client 127.0.0.1:57026] AH02226: Awaiting re-negotiation handshake
[Tue Jun 29 19:15:45.590535 2021] [ssl:debug] [pid 241357] ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Jun 29 19:15:45.592237 2021] [socache_shmcb:debug] [pid 241357] mod_socache_shmcb.c(555): AH00837: socache_shmcb_remove (0x4c -> subcache 12)
[Tue Jun 29 19:15:45.592290 2021] [socache_shmcb:debug] [pid 241357] mod_socache_shmcb.c(570): AH00839: leaving socache_shmcb_remove successfully
[Tue Jun 29 19:15:45.592363 2021] [ssl:error] [pid 241357] [client 127.0.0.1:57026] AH02261: Re-negotiation handshake failed
[Tue Jun 29 19:15:45.592456 2021] [ssl:error] [pid 241357] SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate -- No CAs known to server for verification?
[Tue Jun 29 19:15:45.592643 2021] [ssl:debug] [pid 241357] ssl_engine_io.c(1368): [client 127.0.0.1:57026] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Tue Jun 29 19:15:45.592662 2021] [ssl:info] [pid 241357] [client 127.0.0.1:57026] AH01998: Connection closed to child 2 with abortive shutdown (server hp15pw:443)
Comment 1 michiel 2021-09-19 14:32:56 UTC
I found this issue when I bumped into the same problem. However, since then I managed to make it work, so I don't think this is an Apache problem. 

Initially I had my CA and certificates created with XCA, and they didn't work. Then I manually created them with openssl CLI, and that worked. Now I've imported them into XCA and that works as well. So, I think it's something in XCA, but I'm not sure.
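The two checks that decide the outcome reported above and the CLI-generated certificates michiel mentions, as an added example that is not part of the bug report, of Apache or of XCA. It assumes only that the openssl command-line tool (1.1.1 or newer) is on PATH. The CAs, the client certificate and the "re-created CA with the same name" scenario are constructed here for illustration; nothing in the report says that is what happened on Paulo's server.

```shell
#!/bin/sh
# Added example (not from the bug report or from Apache). Assumes the openssl CLI, 1.1.1 or
# newer, is on PATH. Everything below is generated in a temporary directory: a throwaway CA,
# a client certificate issued by it, a second CA that reuses the same subject name with a
# new key (one way a "voided and re-created" CA can end up), and an unrelated CA.
# Two things decide whether a browser even offers a client certificate and whether mod_ssl
# then accepts it:
#   1. the certificate must chain to a CA in what mod_ssl loads for client verification
#      (SSLCACertificateFile / SSLCACertificatePath), and
#   2. its issuer DN must be among the names the server advertises in the TLS
#      CertificateRequest; mod_ssl sends the subjects of those same CA files unless
#      SSLCADNRequestFile overrides them. A browser holding no certificate from an
#      advertised issuer sends none, and the server logs "peer did not return a certificate".
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"

# Minimal OpenSSL config so "req" works without the system openssl.cnf and the CA certs
# carry real CA extensions (a v3 root without basicConstraints fails "openssl verify").
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

make_ca() {  # $1 = file basename, $2 = subject DN
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 -config "$CFG" \
        -extensions v3_ca -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_client() {  # $1 = CA basename, $2 = client basename
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CFG" -subj "/CN=test-client" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -extfile "$CFG" -extensions v3_client -out "$WORK/$2.crt" 2>/dev/null
}

# Check 1: does the client certificate chain to the CA bundle? (what mod_ssl verifies)
verify_chain() {  # $1 = CA bundle (PEM), $2 = client cert; exit status 0 = chain OK
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: is the client certificate's issuer one of the subjects in the CA bundle?
# Those subjects are the "Acceptable client certificate CA names" the browser matches against.
issuer_is_advertised() {  # $1 = CA bundle (PEM), $2 = client cert; exit status 0 = yes
    want=$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    rm -rf "$WORK/split" && mkdir "$WORK/split"
    # Split the bundle into one PEM file per certificate; mod_ssl loads all of them.
    awk -v d="$WORK/split" '/-----BEGIN CERTIFICATE-----/ {n++}
         n {print > (d "/" n ".pem")}
         /-----END CERTIFICATE-----/ {close(d "/" n ".pem")}' "$1"
    for f in "$WORK"/split/*.pem; do
        [ -f "$f" ] || continue
        have=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        if [ "$have" = "$want" ]; then return 0; fi
    done
    return 1
}

# Constructed scenario: one CA issues the client cert; a second CA reuses its name with a
# fresh key; a third is unrelated.
make_ca original  "/CN=Test Root CA"
make_ca recreated "/CN=Test Root CA"     # same DN as the original, different key
make_ca other     "/CN=Unrelated CA"
issue_client original client

report() {  # $1 = label, $2 = CA bundle standing in for SSLCACertificateFile
    if verify_chain "$2" "$WORK/client.crt"; then chain=OK; else chain=FAIL; fi
    if issuer_is_advertised "$2" "$WORK/client.crt"; then adv=yes; else adv=no; fi
    printf '%-28s chain: %-4s issuer advertised: %s\n' "$1" "$chain" "$adv"
}
report "original CA"            "$WORK/original.crt"   # OK   yes: handshake succeeds
report "re-created CA, same DN" "$WORK/recreated.crt"  # FAIL yes: browser sends the cert, server rejects it
report "unrelated CA"           "$WORK/other.crt"      # FAIL no:  browser sends no cert at all
```

Run it with sh. The third line is the case that matches the last SSL Library Error in the log above: the browser finds no certificate from an advertised issuer, sends an empty Certificate message, and with SSLVerifyClient require the server fails the handshake with "peer did not return a certificate". The second line is the other common outcome after re-creating a CA: the name matches, so the browser does send the certificate, and the server then rejects it with a verification error instead. Against a server that requests the certificate in the initial handshake (vhost-level SSLVerifyClient rather than the per-Location setting used here), `openssl s_client -connect host:443 -cert client.crt -key client.key` prints the "Acceptable client certificate CA names" it was sent, which is the list check 2 reproduces from the CA file.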