LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-14-2005, 01:35 PM   #1
javiergt
LQ Newbie
 
Registered: Aug 2004
Posts: 25

Rep: Reputation: 15
Question Can't access https after including "SSLVerifyClient require 1" in httpd.conf


First I was able to configure my virtual host for https access.
After that I wanted to limit access to only users that have my certificate, and that's when the problem started.
This is my virtual host config:
NameVirtualHost 192.168.1.70:443
<VirtualHost 192.168.1.70:443>
ServerAdmin admin@example.com
DocumentRoot /var/www/html
ServerName www.example.com
ErrorLog /var/log/httpd/mail/error_log
CustomLog /var/log/httpd/mail/access_log combined
Alias /mail "/var/www/html/horde/imp"
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 1
ErrorLog /var/log/ssl_engine_log
SSLCertificateFile /home/httpd/ssl/cert.pem
SSLCertificateKeyFile /home/httpd/ssl/webmail.key.pem
</VirtualHost>

After that I kept getting Error 12227 from my browser when I tried to access https://www.example.com/mail
This is the log from /var/log/ssl_engine_log

[Fri Jan 14 13:40:07 2005] [warn] Init: Oops, you want to request client authentication, but no CAs are known for verification!? [Hint: SSLCACertificate*]

I also added cert.pem to ca-bundle.crt, which is the file located at the path SSLCACertificateFile points to, but every time I enable that path I can't start httpd; it says Failed.

Thanks for any help you can give me.....
 
Old 01-14-2005, 04:33 PM   #2
DaHammer
Member
 
Registered: Oct 2003
Location: Planet Earth
Distribution: Slackware, LFS
Posts: 561

Rep: Reputation: 30
In order for client authentication to work, you need client certificates signed by your CA. You need to point SSLCACertificateFile to the certificate that signs your client certificates, not your server certificate.

The way I usually do it is to create my own CA. I then sign all of my server & client certificates with this CA.
 
Old 01-17-2005, 08:53 AM   #3
javiergt
LQ Newbie
 
Registered: Aug 2004
Posts: 25

Original Poster
Rep: Reputation: 15
Still giving me problems. I pointed SSLCACertificateFile to the place you told me, and now the browser prompts me whether I want to accept the certificate "permanently", "just for that session" or "Do not accept the certificate."
I choose "just for that session" and then I get the error 12227.
Here is the /var/log/ssl_engine_log
[Mon Jan 17 09:40:26 2005] [error] SSL handshake failed (server www.xprtsol.com:443, client 63.109.22.7)
[Mon Jan 17 09:40:26 2005] [error] SSL Library Error: 336105671 error:140890C7:SSL routines:func(137):reason(199)
[Mon Jan 17 09:40:26 2005] [error] SSL handshake failed (server www.xprtsol.com:443, client 63.109.22.7)
[Mon Jan 17 09:40:26 2005] [error] SSL Library Error: 336105671 error:140890C7:SSL routines:func(137):reason(199)

Just as a note, I included the SSLCACertificateFile line in the virtual host in httpd.conf.
What's the difference between the SSL configuration in httpd.conf and the one you can put in ssl.conf?
I have the same path for SSLCertificateFile and SSLCACertificateFile; is that OK?

<VirtualHost 192.168.1.70:443>
ServerAdmin admin@example.com
DocumentRoot /var/www/html
ServerName www.example.com
ErrorLog /var/log/httpd/mail/error_log
CustomLog /var/log/httpd/mail/access_log combined
Alias /mail "/var/www/html/horde/imp"
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 1
ErrorLog /var/log/ssl_engine_log
SSLCertificateFile /home/httpd/ssl/cert.pem
SSLCertificateKeyFile /home/httpd/ssl/webmail.key.pem
SSLCACertificateFile /home/httpd/ssl/cert.pem
</VirtualHost>

Thanks,
 
Old 01-17-2005, 05:17 PM   #4
DaHammer
Member
 
Registered: Oct 2003
Location: Planet Earth
Distribution: Slackware, LFS
Posts: 561

Rep: Reputation: 30
Quote:
Just as a note, I included the SSLCACertificateFile line in the virtual host in httpd.conf.
What's the difference between the SSL configuration in httpd.conf and the one you can put in ssl.conf?
None really, ssl.conf is just a means of separating all the SSL stuff from the http stuff. ssl.conf would be included by a line in httpd.conf using the "Include" directive:
Code:
<IfModule mod_ssl.c>
     Include "conf/ssl.conf"
</IfModule>
A lot of distros separate the two these days, that's all.
Quote:
I have the same path for SSLCertificateFile and SSLCACertificateFile, is that ok?
No. The CA certificate is different from the server certificate, which is different from the client certificate. Normally, when using client verification there are 3 completely different certificates involved: the CA certificate, the server certificate & the client certificate. The CA cert signs the server & client certs. The server cert is the one for Apache. The client cert is installed in the end-user's browser, i.e. client side, not server side. The server needs access to the CA cert in order to authorize the clients to connect, since it knows nothing of the client cert itself. My advice is to read the Apache documentation to get a good understanding of how SSL works and how to create the certificates required.

http://httpd.apache.org/docs-2.0/ssl/ssl_intro.html
http://httpd.apache.org/docs-2.0/ssl...tml#aboutcerts
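The three-certificate setup DaHammer describes in posts #2 and #4, as an added example that is not part of this thread: a throwaway script that uses the openssl command-line tool to create a private CA, sign one server certificate and one client certificate with it, bundle the client certificate as PKCS#12 for import into a browser, and then run the same chain check mod_ssl performs during the handshake, once against the right file (the CA certificate) and once against the wrong one (the server certificate, as in the config posted in #3). The subjects, file names, validity periods, the "changeit" password and the helper names make_pki, verify_against and vhost_fragment are assumptions made here; only ca.pem, never ca.key, belongs on the web server. For reference, error:140890C7 with reason(199) in the #3 log is OpenSSL's SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE: with SSLCACertificateFile pointing at the server certificate, the server advertised that certificate's subject as the only acceptable issuer, the browser had nothing issued by it to present, and SSLVerifyClient require then failed the handshake.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA, a server certificate and
# a client certificate built with the openssl CLI, plus the chain check that
# mod_ssl performs against SSLCACertificateFile during the TLS handshake.
# Subjects, file names, validity periods and the PKCS#12 password are
# assumptions for the demo. Needs only the openssl command-line tool.
set -eu

# Create ca.pem/ca.key, server.pem/server.key, client.pem/client.key and
# client.p12 in directory $1. A self-contained req config is written so the
# script does not depend on the system openssl.cnf.
make_pki() {
    out="$1"
    mkdir -p "$out"
    cat > "$out/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

    # 1. The CA: self-signed and marked CA:TRUE. ca.pem goes on the web
    #    server (SSLCACertificateFile); ca.key stays off the server.
    openssl req -x509 -config "$out/req.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Private CA" \
        -keyout "$out/ca.key" -out "$out/ca.pem" 2>/dev/null

    # 2. The server certificate (SSLCertificateFile/SSLCertificateKeyFile):
    #    signed by the CA, end-entity only, usable for serverAuth.
    printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
        'authorityKeyIdentifier=keyid' > "$out/server.ext"
    openssl req -new -config "$out/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.com" \
        -keyout "$out/server.key" -out "$out/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$out/server.csr" \
        -CA "$out/ca.pem" -CAkey "$out/ca.key" -CAcreateserial \
        -extfile "$out/server.ext" -out "$out/server.pem" 2>/dev/null

    # 3. The client certificate: same CA, clientAuth. It lives in the
    #    browser, so key and certificate are bundled as PKCS#12 for import.
    printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=clientAuth' \
        'authorityKeyIdentifier=keyid' > "$out/client.ext"
    openssl req -new -config "$out/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=javier" \
        -keyout "$out/client.key" -out "$out/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$out/client.csr" \
        -CA "$out/ca.pem" -CAkey "$out/ca.key" -CAcreateserial \
        -extfile "$out/client.ext" -out "$out/client.pem" 2>/dev/null
    openssl pkcs12 -export -in "$out/client.pem" -inkey "$out/client.key" \
        -certfile "$out/ca.pem" -name javier -passout pass:changeit \
        -out "$out/client.p12" 2>/dev/null
}

# The check mod_ssl runs on a presented certificate: chain it to the file
# named by SSLCACertificateFile, at most SSLVerifyDepth (1) levels deep.
# $1 = trust file, $2 = purpose (sslclient or sslserver), $3 = certificate.
# Exit status 0 means the certificate would be accepted.
verify_against() {
    openssl verify -CAfile "$1" -purpose "$2" -verify_depth 1 "$3" \
        >/dev/null 2>&1
}

# The corrected VirtualHost directives: three different files.
vhost_fragment() {
    cat <<EOF
SSLEngine on
SSLCertificateFile    $1/server.pem
SSLCertificateKeyFile $1/server.key
SSLCACertificateFile  $1/ca.pem
SSLVerifyClient require
SSLVerifyDepth 1
EOF
}

demo() {
    dir=$(mktemp -d)
    make_pki "$dir"
    if verify_against "$dir/ca.pem" sslclient "$dir/client.pem"; then
        echo "client.pem chains to ca.pem: accepted"
    fi
    # The mistake from post #3: SSLCACertificateFile pointing at the server
    # certificate. The client certificate was not issued by it, so it fails.
    if ! verify_against "$dir/server.pem" sslclient "$dir/client.pem"; then
        echo "client.pem does not chain to server.pem: rejected"
    fi
    vhost_fragment "$dir"
}

demo
```

Run it as `sh make-client-pki.sh`; it prints the two verdicts and the directives to paste into the `<VirtualHost>` block. Import client.p12 into the browser (the CA certificate travels inside the bundle), copy ca.pem, server.pem and server.key to the server, and keep ca.key somewhere the web server cannot read, because anyone who holds it can mint client certificates the server will accept.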
 
Old 01-18-2005, 12:35 PM   #5
javiergt
LQ Newbie
 
Registered: Aug 2004
Posts: 25

Original Poster
Rep: Reputation: 15
Thanks, it works now. This link was very helpful: http://httpd.apache.org/docs-2.0/ss...html#aboutcerts
 
  

