
I've generated a certificate using openssl and placed it on the client's machine, but when I try to connect to my server using that certificate, I get the error mentioned in the subject line back from my server.

Here's what I've done.

1) I do a test connect using openssl to see what the acceptable client certificate CA names are for my server, I issue this command from my client machine to my server:

openssl s_client -connect myupload.mysite.net:443/cgi-bin/posupload.cgi -prexit

and part of what I get back is as follow:

Acceptable client certificate CA names
/C=US/ST=Colorado/L=England/O=Inteliware/OU=Denver Office/CN=Tim Drake/emailAddress=tdrake@mysite.com
/C=US/ST=Colorado/O=Inteliware/OU=Denver Office/CN=myupload.mysite.net/emailAddress=tdrake@mysite.com

2) Here is what is in the apache configuration file on the server regarding SSL client authentication:

SSLCACertificatePath /etc/apache2/certs

SSLVerifyClient require 
SSLVerifyDepth  10

3) I generated a self-signed client certificate called "client.pem" using mypos.pem and mypos.key, so when I run this command:

openssl x509 -in client.pem -noout -issuer -subject -serial

here is what is returned:

issuer= /C=US/ST=Colorado/O=Inteliware/OU=Denver Office/CN=myupload.mysite.net/emailAddress=tdrake@mysite.com
subject= /C=US/ST=Colorado/O=Inteliware/OU=Denver Office/CN=mlR::mlR/emailAddress=admin@inteliware.com
serial=0E

(please note that mypos.pem is in /etc/apache2/certs/ and mypos.key is saved in /etc/apache2/certs/private/)

4) I put client.pem on the client machine, and on the client machine, I run the following command:

openssl s_client -connect myupload.mysite.net:443/cgi-bin/posupload.cgi -status -cert client.pem

and I get this error:

CONNECTED(00000003)
OCSP response: no response sent
depth=1 /C=US/ST=Colorado/L=England/O=Inteliware/OU=Denver Office/CN=Tim Drake/emailAddress=tdrake@mysite.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
574:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s3_pkt.c:1102:SSL alert number 48
574:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s23_lib.c:182:

I'm really stumped as to what I've done wrong. I've searched quite a bit on this error and what I found is that people are saying the issuing CA of the client's certificate is not trusted by the server, yet when I look at the issuer of my client certificate, it matches to one of the accepted CA returned by my server.

Can anyone help, please?

Thank you in advance.

JoJoeDad

3 Answers


OK, I finally found out what the issue was and would like to share it just in case anyone gets stuck with that error message too.

Apache's config file has the following lines when it talks about the CA:

    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)
    #   Note: Inside SSLCACertificatePath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.

This means that every certificate file in this directory pointed to by SSLCACertificatePath must use a symbolic link. AND, most importantly, the name of each symbolic link must be the subject hash value of each certificate. You can find the hash value of the CA certificate by running this command:

    openssl x509 -subject_hash -noout -in cacert.pem

So, if the hash value was 0434423b, in the directory pointed to by SSLCACertificatePath, you should create two symbolic links to point to the certificate in the directory:

0434423b -> /etc/apache2/certs/mypos.pem
0434423b.0 -> /etc/apache2/certs/mypos.pem

This should solve the issue. Of course, if I had used SSLCACertificateFile, I don't think I'd have experienced so many problems.

I found the explanation of SSLCACertificatePath on openssl's verify command page (look under -CApath directory).

JoJoeDad
  • Not sure about the SSLCACertificateFile. It looks like it's not used to verify client certificates but to present your own server's certificate to connecting clients so that they can verify you (not the other way around). This is why it's only one file. You can't have a SSLCACertificateFile for each client's CA, it wouldn't make much sense. – ychaouche Sep 08 '16 at 13:50

I found that the "sudo update-ca-certificates --fresh" command automatically generates symbolic links from the subject hash value of each certificate to the certificate.


Hi, have you tried running the following command:

openssl s_client -connect myupload.mysite.net:443/cgi-bin/posupload.cgi -status -cert client.pem -verify 1 -showcerts

Note the -verify 1. It tells SSL how deep it needs to go, and I think this might be the issue you are having in your Apache config. Try setting in the Apache config:

SSLVerifyDepth 1

Cheers, Dexter

Danie
  • I get some more messages back but the same two lines of error still show up at the end... here is what I get back additionally. depth=1 /C=US/ST=Colorado/L=England/O=Intelitap/OU=Denver Office/CN=Tim Drake/emailAddress=tdrake@mysite.com verify error:num=19:self signed certificate in certificate chain verify return:1 depth=1 /C=US/ST=Colorado/L=England/O=Inteliware/OU=Denver Office/CN=Tim Drake/emailAddress=tdrake@mysite.com verify return:1 depth=0 /C=US/ST=Colorado/O=Intelitap/OU=Denver Office/CN=myupload.mysite.net/emailAddress=tdrake@mysite.com verify return:1 – JoJoeDad Nov 29 '12 at 05:47
  • Right, you might need to add your CA root certificate, to your command, > openssl s_client -connect myupload.mysite.net:443/cgi-bin/posupload.cgi -status -cert client.pem -verify 1 -showcerts -CAfile filecontainingyourCA This is your error in "19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain the certificate chain could be built up using the untrusted certificates but the root could not be found locally." – Danie Nov 29 '12 at 06:03
  • Thanks for the suggestion. That didn't work either. – JoJoeDad Nov 29 '12 at 15:15
  • Could I be using the wrong certificate to generate the client certificate? mypos.pem and mypos.key are the server certificate and key... maybe I should use another set of certificate and key? – JoJoeDad Nov 29 '12 at 15:16
  • On the server, the error log shows: Certificate Verification: Error (20): unable to get local issuer certificate – JoJoeDad Nov 29 '12 at 21:27