openssl client authentication error: tlsv1 alert unknown ca: ... SSL alert number 48

Posted by JoJoeDad on Server Fault See other posts from Server Fault or by JoJoeDad
Published on 2012-11-29T05:27:36Z Indexed on 2012/11/30 5:08 UTC
Read the original article Hit count: 540

I've generated a certificate using openssl and place it on the client's machine, but when I try to connect to my server using that certificate, I error mentioned in the subject line back from my server.

Here's what I've done.

1) I do a test connect using openssl to see what the acceptable client certificate CA names are for my server, I issue this command from my client machine to my server:

openssl s_client -connect myupload.mysite.net:443/cgi-bin/posupload.cgi -prexit

and part of what I get back is as follow:

Acceptable client certificate CA names
/C=US/ST=Colorado/L=England/O=Inteliware/OU=Denver Office/CN=Tim Drake/[email protected]
/C=US/ST=Colorado/O=Inteliware/OU=Denver Office/CN=myupload.mysite.net/[email protected]

2) Here is what is in the apache configuration file on the server regarding SSL client authentication:

SSLCACertificatePath /etc/apache2/certs

SSLVerifyClient require 
SSLVerifyDepth  10

3) I generated a self-signed client certificate called "client.pem" using mypos.pem and mypos.key, so when I run this command:

openssl x509 -in client.pem -noout -issuer -subject -serial

here is what is returned:

issuer= /C=US/ST=Colorado/O=Inteliware/OU=Denver Office/CN=myupload.mysite.net/[email protected]
subject= /C=US/ST=Colorado/O=Inteliware/OU=Denver Office/CN=mlR::mlR/[email protected]
serial=0E

(please note that mypos.pem is in /etc/apache2/certs/ and mypos.key is saved in /etc/apache2/certs/private/)

4) I put client.pem on the client machine, and on the client machine, I run the following command:

openssl s_client -connect myupload.mysite.net:443/cgi-bin/posupload.cgi -status -cert client.pem

and I get this error:

CONNECTED(00000003)
OCSP response: no response sent
depth=1 /C=US/ST=Colorado/L=England/O=Inteliware/OU=Denver Office/CN=Tim Drake/[email protected]
verify error:num=19:self signed certificate in certificate chain
verify return:0
574:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s3_pkt.c:1102:SSL alert number 48
574:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s23_lib.c:182:

I'm really stumped as to what I've done wrong. I've searched quite a bit on this error and what I found is that people are saying the issuing CA of the client's certificate is not trusted by the server, yet when I look at the issuer of my client certificate, it matches to one of the accepted CA returned by my server.

Can anyone help, please?

Thank you in advance.

© Server Fault or respective owner

Related posts about authentication

Related posts about certificate