client certificates won't verify under Apache - modssl
I'm running CentOS 4.1 with Apache 2.0.52 and trying to set up client
SSL authentication using an internal CA. I've read the docs and
checked the list archives for someone having the same problem or any
hints, but have come up empty so far. Anyways...
openssl verify -CAfile ssl.crt/cacert.crt -purpose sslclient
But configuring apache with:
where my conf/ssl.crt directory has the cacert.crt with the
appropriate hashes, when I run:
openssl s_client -connect updates.musecurity.net:443 -CAfile
cacert.pem -cert aaron_turner.pem -certform pem -showcerts -verify 1
[error] Certificate Verification: Error (19): self signed certificate
in certificate chain
In my ssl_error_log.
verify depth is 1
depth=1 /C=US/ST=California/L=Sunnyvale/O=MuSecurity, Inc./
depth=0 /C=US/ST=California/L=Sunnyvale/O=MuSecurity, Inc./OU=Update
871:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
ca:s3_pkt.c:1054:SSL alert number 48
871:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
I think somewhat related is my problem with using:
which gives me an error:
SSLCACertificateFile: file '/etc/httpd/conf/ssl.crt/cacert.crt' does
not exist or is empty
which is quite strange since the file does exist, contains the
certificate and has the correct perms (files are 644 and directories
755). I've even tried copying over the aaron_turner.crt to the conf/
ssl.crt directory and regenerating the hashes, but that doesn't help.
I can only assume I'm missing something horribly obvious, but I've
been working on this for hours with no luck...
Aaron Turner, Sr. Security Engineer
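
An added diagnostic sketch, not part of the original post: a pre-flight check for the file named in SSLCACertificateFile, mirroring the exists / regular file / non-empty conditions behind the "does not exist or is empty" message and adding readability, directory-search and PEM-format checks. The function name and return codes are hypothetical; the tests apply to whichever account runs the script, so run it as the account httpd runs under.

```shell
#!/bin/sh
# Added example. check_ca_file PATH prints one finding and returns:
#   0 ok, 1 missing, 2 dangling symlink, 3 not a regular file, 4 empty,
#   5 unreadable, 6 a parent directory is not searchable, 7 no PEM block
check_ca_file() {
    f=$1
    if [ ! -e "$f" ]; then
        # -e follows symlinks, so a link whose target is gone lands here
        [ -L "$f" ] && { echo "dangling symlink: $f"; return 2; }
        echo "missing: $f"; return 1
    fi
    [ -f "$f" ] || { echo "not a regular file: $f"; return 3; }
    [ -s "$f" ] || { echo "empty: $f"; return 4; }
    [ -r "$f" ] || { echo "not readable by $(id -un): $f"; return 5; }
    # Mode 644 on the file is not enough: every directory on the way
    # down needs search (x) permission for the calling user.
    d=$(dirname "$f")
    while :; do
        [ -x "$d" ] || { echo "no search permission on: $d"; return 6; }
        [ "$d" = "/" ] || [ "$d" = "." ] && break
        d=$(dirname "$d")
    done
    # A DER-encoded certificate passes every check above but is not PEM.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "no PEM certificate block (DER-encoded?): $f"; return 7; }
    echo "ok: $f"
}

# Run against a path given on the command line, if any.
[ $# -gt 0 ] && check_ca_file "$1"
```

If every check passes when run as the web server's account and the server still reports the error, the cause is outside plain file permissions and content.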