logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Problem with client authentication
Author
jringo5



Joined: 29 Oct 2014
Posts: 1

PostPosted: Wed 29 Oct '14 18:59    Post subject: Problem with client authentication Reply with quote

I am setting up apache 2.4 as a service locally through localhost on a windows 2008 R2 standard server. I have set up SSL listening on port 443 and works correctly, however I am having trouble figuring out how to get apache to authenticate my CAC card.

I have downloaded the DOD certs and put them into various types of files including pem, base 64, der etc and I have yet to figure out a way to get the client certificates validated.

I have left out the information about the SSLCertificateChainFile, SSLCACertificateFile and SSLCARevocationPath as I am sure this must be where my problem is.

Can anyone please advise me as to if it's possible to get this done through localhost, and point me in the right direction on how to get past my issues. Here is the error I am getting in the error log.

[Wed Oct 29 11:37:05.675491 2014] [ssl:error] [pid xxxx:tid xxx] [client 127.0.0.1:59282] AH02039: Certificate Verification: Error (20): unable to get local issuer certificate


I am using a self created self signed server ceritficate. Here are some details from my httpd-ssl.conf file:

Code:

<VirtualHost _default_:443>
DocumentRoot "${SRVROOT}/htdocs"
ServerName localhost:443

ServerAdmin admin@example.com
ErrorLog "${SRVROOT}/logs/jtdi.log"
TransferLog "${SRVROOT}/logs/jtdi-Transfer.log"


SSLEngine on


SSLCertificateFile "${SRVROOT}/conf/ssl/localhost.crt"
SSLCertificateKeyFile "${SRVROOT}/conf/ssl/localhost.key"

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLVerifyClient require
SSLVerifyDepth  10


<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "${SRVROOT}/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0


CustomLog "${SRVROOT}/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>


Mod note: removed all not needed comments from config
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Wed 05 Nov '14 11:32    Post subject: Reply with quote

You get this error when trying to use "openssl verify". It may be bad or it may be harmless. Here is the definition from the OpenSSL docs:

Quote:
20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate


Quote:
the issuer certificate of a locally looked up certificate could not be found. This normally means the list of trusted certificates is not complete.


Your certificate chain needs to be complete. That is it has to include the
root CA (one with issuer and subject the same) and all intermediate
certificates of the responder certificate.


For each certificate do this:

openssl x509 -in cert.pem -subject -issuer -noout

The subject of the one you pass to -issuer should match the issuer of the one
you pass to cert. You need a root CA and the rest of the chain passed to
-CApath.
Back to top


Reply to topic   Topic: Problem with client authentication View previous topic :: View next topic
Post new topic   Forum Index -> Apache