openssl client authentication error: tlsv1 alert unknown ca: ... SSL alert number 48
Posted by JoJoeDad on Server Fault
Published on 2012-11-29T05:27:36Z
I've generated a certificate using openssl and placed it on the client's machine, but when I try to connect to my server using that certificate, I get the error mentioned in the subject line back from my server.
Here's what I've done.
1) I do a test connect using openssl to see what the acceptable client certificate CA names are for my server, I issue this command from my client machine to my server:
openssl s_client -connect myupload.mysite.net:443/cgi-bin/posupload.cgi -prexit
and part of what I get back is as follow:
Acceptable client certificate CA names
/C=US/ST=Colorado/L=England/O=Inteliware/OU=Denver Office/CN=Tim Drake/[email protected]
/C=US/ST=Colorado/O=Inteliware/OU=Denver Office/CN=myupload.mysite.net/[email protected]
2) Here is what is in the apache configuration file on the server regarding SSL client authentication:
SSLCACertificatePath /etc/apache2/certs
SSLVerifyClient require
SSLVerifyDepth 10
3) I generated a self-signed client certificate called "client.pem" using mypos.pem and mypos.key, so when I run this command:
openssl x509 -in client.pem -noout -issuer -subject -serial
here is what is returned:
issuer= /C=US/ST=Colorado/O=Inteliware/OU=Denver Office/CN=myupload.mysite.net/[email protected]
subject= /C=US/ST=Colorado/O=Inteliware/OU=Denver Office/CN=mlR::mlR/[email protected]
serial=0E
(please note that mypos.pem is in /etc/apache2/certs/ and mypos.key is saved in /etc/apache2/certs/private/)
4) I put client.pem on the client machine, and on the client machine, I run the following command:
openssl s_client -connect myupload.mysite.net:443/cgi-bin/posupload.cgi -status -cert client.pem
and I get this error:
CONNECTED(00000003)
OCSP response: no response sent
depth=1 /C=US/ST=Colorado/L=England/O=Inteliware/OU=Denver Office/CN=Tim Drake/[email protected]
verify error:num=19:self signed certificate in certificate chain
verify return:0
574:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s3_pkt.c:1102:SSL alert number 48
574:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s23_lib.c:182:
I'm really stumped as to what I've done wrong. I've searched quite a bit on this error and what I found is that people are saying the issuing CA of the client's certificate is not trusted by the server, yet when I look at the issuer of my client certificate, it matches one of the accepted CAs returned by my server.
Can anyone help, please?
Thank you in advance.
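An added diagnostic for the server side of this handshake, not code from the original post or from Apache: alert 48 is sent by the server, and mod_ssl hands SSLCACertificatePath to OpenSSL as a hash-indexed directory, so a CA file that sits there only under a name like mypos.pem can appear in the acceptable-CA list yet never be found while the server builds the client's chain. The script below checks whether a client certificate verifies through that same hashed lookup and creates the missing <hash>.N links (what c_rehash does); it assumes an OpenSSL with `openssl x509 -hash` (1.0 or later) and uses placeholder paths.

```shell
#!/bin/sh
# Added diagnostic, not from the original post.  Apache passes
# SSLCACertificatePath to OpenSSL as a hash-indexed directory: when the
# client certificate is checked, its issuer is looked up under the file
# name <subject-hash>.N, so a CA stored only as mypos.pem is never found
# and the server answers with alert 48 (unknown ca) even though the CA
# name is listed as acceptable.  All paths below are placeholders.

# Create the <hash>.N symlink for every CA file in $1 that lacks one
# (the layout c_rehash produces).  Run it with the server's own openssl:
# the subject-hash algorithm changed between 0.9.8 and 1.0.
rehash_capath() {
    capath=$1
    for ca in "$capath"/*.pem "$capath"/*.crt; do
        [ -f "$ca" ] || continue
        h=$(openssl x509 -noout -hash -in "$ca") || return 1
        n=0
        while [ -e "$capath/$h.$n" ]; do
            # A link for this file already exists: move on to the next CA.
            [ "$(readlink "$capath/$h.$n")" = "$(basename "$ca")" ] && continue 2
            n=$((n + 1))
        done
        ln -s "$(basename "$ca")" "$capath/$h.$n" && echo "$h.$n -> $(basename "$ca")"
    done
}

# Return 0 when certificate $2 chains to a CA in directory $1 through the
# same hashed lookup mod_ssl uses, 1 otherwise.  -purpose sslclient also
# rejects certificates whose extendedKeyUsage forbids TLS client use.
verify_client_cert() {
    capath=$1
    cert=$2
    openssl verify -purpose sslclient -CApath "$capath" "$cert" 2>/dev/null | grep -q ': OK$'
}

# Typical use on the server (placeholder paths):
#   rehash_capath /etc/apache2/certs
#   verify_client_cert /etc/apache2/certs /path/to/client.pem && echo accepted
```

The client-side "verify error:num=19" in the output above is a separate matter (the client does not trust the server's own chain) and does not by itself cause the server's alert 48.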