
I want Apache to verify clients' certificates before authorizing the user to proceed to the website.

In Chrome my error is:

192.168.2.57 didn’t accept your login certificate, or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT

In Firefox my error is:

An error occurred during a connection to 192.168.2.57. SSL peer was unable to negotiate an acceptable set of security parameters.
Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT

I think the problem is that I'm not even getting prompted to provide my client certificate. How can I enable that in both browsers?

Some other info: My root and intermediate CAs are stored on Apache. They signed my site cert and my client certs, which are also stored on Apache. All of these certs (root CA, intermediate CA, server, and client) have been loaded into my browser.

My Apache configuration:

<IfModule mod_ssl.c>
<VirtualHost 192.168.2.57:443>

    ServerName 192.168.2.57:443
    DocumentRoot /var/www
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined


    SSLEngine On
    SSLCertificateFile "/etc/apache2/ssl/ca/intermediate/certs/AlexSite.cert.pem"
    SSLCertificateKeyFile "/etc/apache2/ssl/ca/intermediate/private/AlexSite.key.pem"
    SSLProtocol TLSv1 TLSv1.1

    SSLCACertificateFile "/etc/apache2/ssl/ca/intermediate/certs/intermediate.cert.pem"


    <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            DirectoryIndex /cgi-bin/index.html

            AllowOverride None
            Order allow,deny
            Allow from all

            AddHandler mod_python .py
            PythonHandler mod_python.publisher
            PythonDebug On

            SSLVerifyClient require
            SSLVerifyDepth 1

    </Directory>

    Alias "/mysql-files/" "/var/lib/mysql-files/"
    <Directory "/var/lib/mysql-files/">
            Require all granted
            Options +Indexes
    </Directory>

    ScriptAlias /cgi-bin/ /var/www/cgi-bin/
    <Directory /var/www/cgi-bin>
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
            AddHandler cgi-script .cgi .py
    </Directory>

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>
alexs973

1 Answer


I figured it out. In my Apache settings, I changed:

SSLCACertificatePath to ~~~~~~/ca/certs/ca.cert.pem

SSLVerifyDepth 1 to SSLVerifyDepth 10

And the most important thing I changed was that I converted my client certificates from PEM to PFX.

alexs973