Posted to users@httpd.apache.org by Ivan Venuti <i....@caribel.pisa.it> on 2003/11/10 09:58:02 UTC

[users@httpd] Please help with certificates

Hi,

I'm using Apache + mod_ssl.
In order to retrieve a user certificate (from a smart card) I have these files
on the server:

	1) server_webtest.p12
	2) ca.cer (DER format)

after I have transformed them with openssl:

	$ openssl pkcs12 -in server_webtest.p12 -out hostkey.pem -nodes -nocerts
	$ openssl pkcs12 -in server_webtest.p12 -out hostcert.pem -nodes -nokeys

and

	$ openssl x509 -inform DER -in ca.cer -outform PEM -out ca.crt

I have modified the conf/httpd.conf file with:

	SSLCertificateFile /home/caribel/certs/hostcert.pem
	SSLCertificateKeyFile /home/caribel/certs/hostkey.pem
	SSLCACertificateFile /home/caribel/certs/ca.crt
	SSLVerifyClient require

the error (from logs/error_log):

[Mon Nov 10 11:22:22 2003] [alert] httpd: Could not determine the server's
fully qualified domain name, using 127.0.0.1 for ServerName
[Mon Nov 10 11:22:22 2003] [notice] Apache/1.3.28 (Unix) mod_jk/1.2.5
mod_ssl/2.8.15 OpenSSL/0.9.7c configured -- resuming normal operations
[Mon Nov 10 11:22:22 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Mon Nov 10 11:22:36 2003] [error] mod_ssl: Certificate Verification: Error
(19): self signed certificate in certificate chain
[Mon Nov 10 11:22:36 2003] [error] mod_ssl: SSL handshake failed (server
linux135:443, client 192.168.1.71) (OpenSSL library error follows)
[Mon Nov 10 11:22:36 2003] [error] OpenSSL: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Mon Nov 10 11:22:39 2003] [error] mod_ssl: Certificate Verification: Error
(19): self signed certificate in certificate chain
[Mon Nov 10 11:22:39 2003] [error] mod_ssl: SSL handshake failed (server
linux135:443, client 192.168.1.71) (OpenSSL library error follows)
[Mon Nov 10 11:22:39 2003] [error] OpenSSL: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Mon Nov 10 11:22:43 2003] [error] mod_ssl: Certificate Verification: Error
(19): self signed certificate in certificate chain
[Mon Nov 10 11:22:43 2003] [error] mod_ssl: SSL handshake failed (server
linux135:443, client 192.168.1.71) (OpenSSL library error follows)
[Mon Nov 10 11:22:43 2003] [error] OpenSSL: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned


Any idea where my error could be?
Thanks and have a nice day

-- Ivan



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
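
Error (19) in the log above is OpenSSL's X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: the chain the client presented ends in a self-signed root that is not among the CA certificates the server trusts. The script below is an added example, not part of the thread; it reproduces that result offline with `openssl verify`, first against a CA file that lacks the issuing root and then against one that contains it (converted with the same DER-to-PEM command as in the post). Every CA, certificate and file name in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Every name and file here is constructed for the demonstration.
WORK=$(mktemp -d)

# Self-signed CA: $1 = file basename, $2 = common name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Client certificate (stand-in for the one on the smart card), issued by the "card" CA.
make_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-card-user" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/card.crt" \
    -CAkey "$WORK/card.key" -CAcreateserial -days 2 \
    -out "$WORK/client.crt" 2>/dev/null
}

# Print the X.509 verify error number for the client chain against CA file $1
# (0 = trusted). -untrusted supplies the root the way a client that sends its
# whole chain would: it is used for path building but is not trusted.
verify_code() {
  if out=$(openssl verify -CAfile "$1" -untrusted "$WORK/card.crt" \
           "$WORK/client.crt" 2>&1); then rc=0; else rc=$?; fi
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  if [ -n "$code" ]; then echo "$code"
  elif [ "$rc" -eq 0 ]; then echo 0
  else echo "openssl-failed"; fi
}

make_ca card  "Constructed Card Root CA"
make_ca other "Constructed Unrelated CA"
make_client

# Same DER -> PEM conversion as in the post, applied to the constructed card root.
openssl x509 -in "$WORK/card.crt" -outform DER -out "$WORK/ca.cer"
openssl x509 -inform DER -in "$WORK/ca.cer" -outform PEM -out "$WORK/ca.crt"

echo "CA file without the card root: error $(verify_code "$WORK/other.crt")"
echo "CA file with the card root:    error $(verify_code "$WORK/ca.crt")"
```

Running the same `openssl verify -CAfile` check against the real file named in SSLCACertificateFile shows whether it trusts a given client certificate before Apache is restarted.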


[users@httpd] R: [users@httpd] Please help with certificates

Posted by Ivan Venuti <i....@caribel.pisa.it>.
> Take a look at this
> http://www.karkomaonline.com/article.php?story=20030713003329816
> Hope this helps

Thanks a lot!
Now the server responds correctly.

-- Ivan 




Re: [users@httpd] Please help with certificates

Posted by kko <ka...@karkomaonline.com>.
On Mon, 2003-11-10 at 08:58, Ivan Venuti wrote:
> Hi,
> 
> I'm using Apache + mod_ssl.
> In order to retrieve a user certificate (from a smart card) I have these files
> on the server:
> 
> 	1) server_webtest.p12

Why did you create a p12 for your server? This format is typically used
by your client (i.e. browser)

> 	2) ca.cer (DER format)

I assume this is the file containing CA certs, right?

> 
> after I have transformed them with openssl:
> 
> 	$ openssl pkcs12 -in server_webtest.p12 -out hostkey.pem -nodes -nocerts
> 	$ openssl pkcs12 -in server_webtest.p12 -out hostcert.pem -nodes -nokeys

See below...

> 
> and
> 
> 	$ openssl x509 -inform DER -in ca.cer -outform PEM -out ca.crt
> 
> I have modified the conf/httpd.conf file with:
> 
> 	SSLCertificateFile /home/caribel/certs/hostcert.pem
> 	SSLCertificateKeyFile /home/caribel/certs/hostkey.pem
> 	SSLCACertificateFile /home/caribel/certs/ca.crt
> 	SSLVerifyClient require
> 
> the error (from logs/error_log):
> 
> [Mon Nov 10 11:22:22 2003] [alert] httpd: Could not determine the server's
> fully qualified domain name, using 127.0.0.1 for ServerName

What's the value of your ServerName Directive in httpd.conf?

> [Mon Nov 10 11:22:22 2003] [notice] Apache/1.3.28 (Unix) mod_jk/1.2.5
> mod_ssl/2.8.15 OpenSSL/0.9.7c configured -- resuming normal operations
> [Mon Nov 10 11:22:22 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
> [Mon Nov 10 11:22:36 2003] [error] mod_ssl: Certificate Verification: Error
> (19): self signed certificate in certificate chain
> [Mon Nov 10 11:22:36 2003] [error] mod_ssl: SSL handshake failed (server
> linux135:443, client 192.168.1.71) (OpenSSL library error follows)
> [Mon Nov 10 11:22:36 2003] [error] OpenSSL: error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> [Mon Nov 10 11:22:39 2003] [error] mod_ssl: Certificate Verification: Error
> (19): self signed certificate in certificate chain
> [Mon Nov 10 11:22:39 2003] [error] mod_ssl: SSL handshake failed (server
> linux135:443, client 192.168.1.71) (OpenSSL library error follows)
> [Mon Nov 10 11:22:39 2003] [error] OpenSSL: error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> [Mon Nov 10 11:22:43 2003] [error] mod_ssl: Certificate Verification: Error
> (19): self signed certificate in certificate chain
> [Mon Nov 10 11:22:43 2003] [error] mod_ssl: SSL handshake failed (server
> linux135:443, client 192.168.1.71) (OpenSSL library error follows)
> [Mon Nov 10 11:22:43 2003] [error] OpenSSL: error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> 

Why didn't you create your csr/crt/pem directly and sign them?

Take a look at this
http://www.karkomaonline.com/article.php?story=20030713003329816

Hope this helps

-- 
kko <ka...@karkomaonline.com>
karkomaonline

