Apache client authentication: Certificate Verification: Error (2): unable to get issuer certificate (SOLVED)

Time: 2017-08-07 18:48:45

Tags: linux apache ssl ssl-client-authentication

I am trying to configure a server with client authentication on a directory and a certificate revocation list (CRL). I had managed to get client authentication working, but now it no longer works, and I have never managed to get the revocation list working.

Here are my configuration files:

  • default-ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        SSLCertificateFile      /root/ca/intermediate/certs/www.example.com.cert.pem
        SSLCertificateKeyFile   /root/ca/intermediate/private/www.example.com.key.pem
        SSLCertificateChainFile /root/ca/intermediate/certs/ca-chain.cert.pem
        SSLCACertificateFile    /root/ca/intermediate/certs/intermediate.cert.pem

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
</IfModule>

  • apache2.conf

Mutex file:${APACHE_LOCK_DIR} default
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5


User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

HostnameLookups Off

ErrorLog ${APACHE_LOG_DIR}/error.log

LogLevel warn

IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

Include ports.conf


<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /usr/share>
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/>
     Options Indexes FollowSymLinks
     AllowOverride None
     Require all granted
</Directory>

<Directory /var/www/html/testClientCert>
     Options Indexes FollowSymLinks
     AllowOverride None
     SSLVerifyClient require
     SSLVerifyDepth 10
</Directory>

AccessFileName .htaccess

<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IncludeOptional conf-enabled/*.conf

IncludeOptional sites-enabled/default-ssl.conf

I created the root and intermediate CA by following this tutorial: https://jamielinux.com/docs/openssl-certificate-authority/ (parts 1 and 2)

I generate the client certificates with the following commands:

4 - Create the client certificate
4.1 Create the client key
    openssl genrsa -des3 -out client.key 4096

4.2 Create the client CSR
    openssl req -new -key client.key -out client.csr

4.3 Create the client certificate
    openssl x509 -req -days 365 -in client.csr -CA /root/ca/intermediate/certs/intermediate.cert.pem -CAkey /root/ca/intermediate/private/intermediate.key.pem -set_serial <a value that changes for every certificate, e.g. incrementing: 01 for the first, then 02, ...> -out client.crt

4.4 Convert the client certificate to PKCS#12
    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Now here is my problem: it seems that my intermediate certificate is not trusted. When I try to access the directory /var/www/html/testClientCert with Mozilla (I imported the intermediate CA + the client certificate into Mozilla), I get the following error:

tail -n 20 -f /var/log/apache2/*

==> /var/log/apache2/access.log <==
127.0.0.1 - - [07/Aug/2017:20:15:48 +0200] "GET /testClientCert/gg.txt HTTP/1.1" 403 9768 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"

==> /var/log/apache2/error.log <==
[Mon Aug 07 20:15:48.741592 2017] [ssl:error] [pid 2262:tid 140536910403328] [client 127.0.0.1:55376] AH02039: Certificate Verification: Error (2): unable to get issuer certificate
[Mon Aug 07 20:15:48.741670 2017] [ssl:error] [pid 2262:tid 140536910403328] [client 127.0.0.1:55376] AH02261: Re-negotiation handshake failed
[Mon Aug 07 20:15:48.741687 2017] [ssl:error] [pid 2262:tid 140536910403328] SSL Library Error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed

If I signed the intermediate CA certificate with the root CA certificate, and my client certificate is signed by the intermediate CA, how can there be an error?

1 answer:

Answer 0 (score: 0)

In case anyone needs the answer, I am posting it. The comment in the default configuration file (default-ssl.conf) put me on the right track:

    #   Certificate Authority (CA):
    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)

So the SSLCACertificateFile must contain both the root certificate and the intermediate certificate. Changing this line then solved my problem:

SSLCACertificateFile /root/ca/intermediate/certs/ca-chain.cert.pem

I have not found a solution for the CRL yet; I will post it when I find it.
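The check behind the error and the fix, as an added example that is not part of the original question or answer: a POSIX shell script that builds a throwaway root CA -> intermediate CA -> client certificate PKI with the openssl CLI and runs `openssl verify`, which performs the same X.509 path validation mod_ssl does, against each candidate content of SSLCACertificateFile. The last step goes beyond the post and demonstrates the CRL check the poster had not got working, in the form Apache 2.4 consumes it (the standard mod_ssl directives SSLCARevocationFile and SSLCARevocationCheck). All subjects, file names and the temporary directory are constructed for the demo; the openssl CLI must be installed.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a throwaway PKI
# (root CA -> intermediate CA -> client cert) in a temp dir and runs
# `openssl verify`, the same X.509 path validation mod_ssl performs,
# against each candidate content of SSLCACertificateFile. The CRL step
# goes beyond the post. All names and paths are constructed for the demo;
# the openssl CLI must be installed. Run the demo: sh verify-chain.sh demo
set -eu

WORK=$(mktemp -d)
CNF="$WORK/openssl.cnf"

# Minimal OpenSSL config. req wants a distinguished_name section even with
# -subj; the intermediate must carry CA:TRUE (a v1 cert with no
# basicConstraints is rejected as an issuer); [demo_ca] serves revoke/gencrl.
cat > "$CNF" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
certificate = $WORK/intermediate.cert.pem
private_key = $WORK/intermediate.key.pem
default_md = sha256
default_crl_days = 30
EOF

gen_pki() {
    # Root CA, self-signed. -nodes leaves the demo keys unencrypted (the post uses -des3).
    openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Root CA" -keyout "$WORK/ca.key.pem" -out "$WORK/ca.cert.pem" 2>/dev/null
    # Intermediate CA: CSR, then signed by the root with the CA extensions above.
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORK/intermediate.key.pem" -out "$WORK/intermediate.csr" 2>/dev/null
    openssl x509 -req -days 30 -set_serial 1 -in "$WORK/intermediate.csr" \
        -CA "$WORK/ca.cert.pem" -CAkey "$WORK/ca.key.pem" \
        -extfile "$CNF" -extensions v3_intermediate -out "$WORK/intermediate.cert.pem" 2>/dev/null
    # Client cert, signed by the intermediate the way the post does it (x509 -req -set_serial).
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -days 30 -set_serial 2 -in "$WORK/client.csr" \
        -CA "$WORK/intermediate.cert.pem" -CAkey "$WORK/intermediate.key.pem" \
        -out "$WORK/client.crt" 2>/dev/null
    # What the accepted fix points SSLCACertificateFile at: intermediate + root, PEM concatenated.
    cat "$WORK/intermediate.cert.pem" "$WORK/ca.cert.pem" > "$WORK/ca-chain.cert.pem"
}

# verify_client_against CAFILE [CRLFILE] [UNTRUSTED_CERTS]
# Prints "ok", or "<code> <reason>" as mod_ssl logs it in
# "AH02039: Certificate Verification: Error (<code>): <reason>".
# UNTRUSTED_CERTS plays the role of intermediates a client sends in the handshake.
verify_client_against() {
    cafile=$1; crlfile=${2:-}; untrusted=${3:-}
    set -- -CAfile "$cafile"
    if [ -n "$crlfile" ]; then set -- "$@" -crl_check -CRLfile "$crlfile"; fi
    if [ -n "$untrusted" ]; then set -- "$@" -untrusted "$untrusted"; fi
    if out=$(openssl verify "$@" "$WORK/client.crt" 2>&1); then
        echo ok
    else
        printf '%s\n' "$out" |
            sed -n 's/^error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup: *\(.*\)$/\1 \2/p' | head -n 1
    fi
}

# Revoke the client cert with the intermediate's key and issue a CRL: the file
# Apache 2.4 takes via SSLCARevocationFile (and only consults when
# SSLCARevocationCheck is chain or leaf; its default is none).
revoke_client() {
    : > "$WORK/index.txt"
    echo 01 > "$WORK/crlnumber"
    openssl ca -config "$CNF" -revoke "$WORK/client.crt" 2>/dev/null
    openssl ca -config "$CNF" -gencrl -out "$WORK/intermediate.crl.pem" 2>/dev/null
}

main() {
    gen_pki
    echo "intermediate only       : $(verify_client_against "$WORK/intermediate.cert.pem")"
    echo "root only               : $(verify_client_against "$WORK/ca.cert.pem")"
    echo "root + sent intermediate: $(verify_client_against "$WORK/ca.cert.pem" "" "$WORK/intermediate.cert.pem")"
    echo "ca-chain (the fix)      : $(verify_client_against "$WORK/ca-chain.cert.pem")"
    revoke_client
    echo "ca-chain + CRL          : $(verify_client_against "$WORK/ca-chain.cert.pem" "$WORK/intermediate.crl.pem")"
    rm -rf "$WORK"
}

if [ "${1:-}" = demo ]; then main; fi
```

Run it as `sh verify-chain.sh demo`. With only the intermediate in the CA file, OpenSSL finds the client's issuer but not the issuer's issuer and reports error 2 at depth 1, the exact line in the question's error.log; with only the root it reports error 20 ("unable to get local issuer certificate") at depth 0, unless the client presents the intermediate during the handshake, which is what the `-untrusted` case models. Only the concatenated chain file accepts the certificate, which is the answer's fix. For revocation, note that in Apache 2.4 `SSLCARevocationFile /path/to/intermediate.crl.pem` on its own does nothing: `SSLCARevocationCheck` defaults to `none` and must be set to `chain` (or `leaf`) for the CRL to be consulted, after which a revoked client certificate fails with error 23 ("certificate revoked").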