
Trying to send a request with a client certificate to an Apache server, I have the following request and error:

$ curl -X POST https://my-server.com/dummy/user \
    -H 'Cache-Control: no-cache' \
    -H 'Content-Type: application/json' \
    -d '{"name_first":"Some", "name_last":"Name"}' \
    --insecure -v -i \
    --key-type PEM --cert-type PEM \
    --cert ./my.cert.pem --key ./my.key.pem
* About to connect() to my-server.com port 443 (#0)
*   Trying 2xx.xx.xx.xxx...
* Connected to my-server.com (2xx.xx.xx.xxx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate from file
*       subject: CN=my-common-name,OU=IT,O=My Company,L=City,C=Country
*       start date: Jul 10 07:07:55 2018 GMT
*       expire date: Jul 10 07:17:55 2020 GMT
*       common name: my-common-name
*       issuer: CN=My-CA,DC=company,DC=local
* NSS error -12225 (SSL_ERROR_UNSUPPORTED_CERT_ALERT)
* SSL peer does not support certificates of the type it received.
* Closing connection 0
curl: (35) SSL peer does not support certificates of the type it received.

The Apache configuration is:

<VirtualHost *:80>
    ServerName my-server.com
    RewriteEngine on
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,QSA,L]
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>
<VirtualHost *:443>
    ServerName my-server.com
    ServerAdmin admin@my-company.de
    DocumentRoot "/path/to/document-root"
    ErrorLog "/path/to/logs/my-server.com.error.log"
    TransferLog "/path/to/logs/my-server.com.access.log"
    LogLevel debug

    <FilesMatch \.php$>
        SetHandler "proxy:fcgi://127.0.0.1:9000"
    </FilesMatch>

    SSLEngine on
    SSLCertificateFile "ssl-certs/my-server.com.crt"
    SSLCertificateKeyFile "ssl-certs/my-server.com.key"
    SSLCertificateChainFile "ssl-certs/my-server.com.chain.crt"
    SSLCACertificateFile "ssl-certs/my-company.ca.cert"
    SSLVerifyClient optional_no_ca
    # Not yet put in, seems like setting this to anything does not change the behaviour
    #SSLVerifyClient require
    SSLOptions +StdEnvVars
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
    <Directory /path/to/document-root>
        <RequireAny>
            # Allow from local networks only to prevent HELIX config mistakes
            Require ip xxx.xx.x.x/16
        </RequireAny>
        AllowOverride All
    </Directory>
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    AddOutputFilterByType DEFLATE text/plain text/html text/xml
    AddOutputFilterByType DEFLATE text/css text/javascript
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript
</VirtualHost>

Edit 1: As requested in the comments, here is the output of

$ openssl x509 -in ./my.cert.pem -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            36:00:00:00:1b:84:b3:3e:00:eb:cf:61:0e:00:00:00:00:00:1b
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: DC=local, DC=my-company, CN=my-company-CA
        Validity
            Not Before: Jul 10 07:07:55 2018 GMT
            Not After : Jul 10 07:17:55 2020 GMT
        Subject: C=Country, L=City, O=my-company, OU=IT, CN=my-common-name
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b4:e1:f3:e7:05:3e:44:fa:33:10:48:cb:7f:97:
                    89:66:da:48:8b:9e:5a:91:63:01:88:1b:99:66:d1:
                    9d:ed:73:72:ef:02:78:08:80:01:ce:ca:f8:ee:f2:
                    93:eb:77:e8:54:93:c3:f3:59:31:de:51:3d:7f:f7:
                    a5:ac:32:22:48:da:d5:91:a7:9c:b5:26:ab:2f:b1:
                    dd:6c:89:79:01:40:d6:d9:70:4d:04:d3:ef:bb:27:
                    28:cf:36:ca:d1:56:11:dd:21:53:0a:64:58:44:e4:
                    36:9e:f8:4a:65:38:10:1b:56:a5:94:fb:24:98:e0:
                    09:2c:8b:a7:9d:4e:81:e0:5e:68:35:c2:dc:90:f8:
                    7f:f1:0d:cc:56:1f:b6:73:d2:5f:c0:61:e4:85:5a:
                    e2:19:38:c9:b0:18:76:6c:86:87:c1:19:a9:f3:c9:
                    4e:2c:b9:c6:bd:05:ca:fc:ed:fc:b2:8d:ed:14:0f:
                    d4:b6:c1:1c:a3:44:44:b1:22:2d:75:4d:4c:30:33:
                    55:b7:47:3c:83:43:a4:7c:d9:c4:0f:3b:e5:2d:13:
                    64:5c:c9:de:8e:60:50:6b:26:d3:03:26:87:21:6c:
                    c9:98:0c:33:c3:22:b6:1b:ef:64:2b:14:aa:01:28:
                    9d:dc:c6:bb:33:b6:08:be:21:f9:0a:7b:20:81:33:
                    96:27:90:33:e9:eb:38:cc:39:73:81:0a:f2:81:31:
                    69:59:c9:74:b9:fb:fb:50:d5:7b:72:01:c9:ad:5b:
                    6a:7a:0d:ff:f5:b0:5b:d3:7e:f3:2b:6b:30:fc:69:
                    ee:4f:4a:2c:24:f5:41:31:ad:4b:87:90:69:15:a9:
                    97:6e:2d:e4:e7:0f:01:a7:06:7a:2e:24:e1:36:90:
                    ab:88:ff:54:5e:b5:58:71:9a:f1:28:48:a5:c0:ae:
                    84:fd:4d:ab:17:70:8f:e9:4b:fc:74:af:60:6f:b9:
                    e7:32:4a:38:01:95:d0:ee:c7:10:52:22:94:92:85:
                    1b:4a:30:f1:b2:e6:14:f9:74:0b:4a:d5:72:9d:94:
                    01:41:03:b3:77:fc:01:e5:65:18:ed:85:a3:a6:a4:
                    bf:55:42:7e:04:eb:cb:e8:c8:89:77:92:fc:b4:38:
                    5e:8c:f9:f6:c3:b6:f6:17:ce:25:34:d3:bc:72:fa:
                    c1:04:fe:12:34:8f:7e:d1:ee:48:93:71:bc:74:68:
                    92:f1:39:7a:4d:17:b0:5e:5d:37:ed:96:f5:07:0e:
                    97:e2:e5:09:96:21:49:89:2a:ec:fb:1b:e4:b9:95:
                    8d:a0:32:23:ef:bb:7d:15:cb:18:54:01:9e:67:b9:
                    e7:37:fd:87:77:28:24:8e:72:60:c0:48:7d:44:a1:
                    d9:f8:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.7: 
                0/.'+.....7.....(...d.......Z...?.4...G...D..d...
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            1.3.6.1.4.1.311.21.10: 
                0.0..+.......
            X509v3 Subject Key Identifier: 
                EF:2C:E2:02:6C:F5:45:82:27:CB:05:77:6B:F8:B1:22:1F:E7:29:20
            X509v3 Authority Key Identifier: 
                keyid:9C:FB:DD:C0:DD:16:D6:FF:98:31:22:0E:30:4A:B6:98:93:6A:21:6F

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:ldap:///CN=my-company-CA,CN=MY-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=my-company,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

            Authority Information Access: 
                CA Issuers - URI:ldap:///CN=my-company-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=my-company,DC=local?cACertificate?base?objectClass=certificationAuthority

    Signature Algorithm: sha512WithRSAEncryption
         46:16:3f:33:93:31:87:6b:31:02:f6:a6:b1:d0:90:94:d9:3d:
         b5:a8:aa:ff:15:32:c1:2e:50:1b:41:cc:75:5c:93:76:01:87:
         a2:ce:46:18:01:4b:98:cd:36:ea:1a:6c:28:9a:40:a4:67:83:
         7f:28:c7:78:98:d1:07:be:59:06:dc:f6:b0:e5:6a:d8:6d:e0:
         a9:43:5d:5b:7b:61:1e:0d:38:af:a4:55:e0:af:db:26:16:a2:
         42:fe:27:36:07:b5:c5:e8:93:bd:e3:df:17:66:c4:b8:12:5e:
         d0:46:48:68:ac:28:2c:08:5e:52:47:ad:c0:b3:6e:69:20:e2:
         00:3b:12:5e:fa:eb:32:be:4c:f4:9e:cb:a7:a0:c6:cf:e5:bc:
         d9:de:1e:6a:c0:17:22:43:23:a9:6c:3f:48:dd:26:44:22:58:
         fa:3d:d9:61:a0:76:2b:f8:d5:ae:c1:97:4d:ba:81:25:a4:44:
         2c:8d:5d:4c:d3:05:a7:eb:b7:9b:08:3c:4c:2c:c0:9d:2a:d6:
         47:7e:96:87:60:e8:b4:9d:73:25:9b:2e:0b:23:d0:14:7c:82:
         9d:ec:07:a8:26:9a:28:e7:c1:a4:fa:e8:28:b6:44:54:81:c6:
         92:05:1b:7f:4e:a6:b9:81:ca:c6:c6:65:ab:b8:7d:32:2d:fa:
         dd:72:f0:ad:3f:c0:e5:f9:b2:dc:67:f6:9f:7e:b5:16:24:b0:
         f8:39:35:4a:49:a5:c4:44:bc:6b:f2:2e:9c:f0:29:32:bd:d3:
         70:6b:f3:a4:a6:8b:12:a2:c3:c8:0a:66:cb:50:98:91:a7:1a:
         b4:7a:52:58:fe:e5:f5:db:dd:52:c9:38:36:00:6a:4f:23:48:
         78:10:68:c8:58:7f:78:69:95:6a:3b:0e:e9:53:b7:cc:17:9e:
         57:a4:5f:6d:b5:3f:f7:10:37:b2:70:20:b4:b0:65:2b:52:f8:
         67:b2:de:57:1e:b7:5d:23:09:f4:39:66:a8:09:28:1f:58:d8:
         c2:e7:73:46:a6:5b:d1:3c:53:90:da:29:99:b9:2f:b7:82:20:
         ae:9e:41:37:ab:3c:a8:aa:a1:e4:be:0b:1a:5f:45:a5:8e:01:
         a6:cd:92:b5:7c:b1:7b:ca:80:d7:47:d5:c2:aa:b3:cd:61:f2:
         fa:91:4f:59:bf:df:06:40:c5:2b:32:d6:d4:8c:3a:a0:32:e2:
         75:6f:e8:21:13:99:9f:5e:f3:9f:33:51:0a:41:3a:af:eb:c1:
         5c:b9:22:a9:e4:80:7c:11:d0:da:59:17:e2:74:e5:6f:0a:8d:
         6a:95:c1:cb:1c:e1:8c:1c:2e:08:8c:db:7f:db:69:96:73:fe:
         5a:08:85:26:fd:5d:0d:cd

Edit 2:

It is worth pointing to @SteffenUllrich's comment below, where you find

openssl x509 -in ./my.cert.pem -text -noout

to check the details of the certificate in question. As the answer states, the solution to this problem was to create a new certificate that allows client authentication.

Worp

  • You should add details of the server's certificate to your question. – garethTheRed Jul 25 '18 at 12:01
  • Given that this is an alert sent by the server (received by the client), the problem is not the server certificate but the (also unknown) client certificate `my.cert.pem`. I've seen such kinds of problems, for example, if the client certificate does not have the appropriate key usage extension, or maybe even the signing CA restricts the key usage and does not allow the certificate to be used as a client certificate. Please include the (redacted) output of `openssl x509 -in ./my.cert.pem -text -noout` in your question. – Steffen Ullrich Jul 25 '18 at 12:43
  • I have added the information about the certificate I am trying to use as a client cert. – Worp Jul 25 '18 at 12:58
  • Thank you guys for replying, your hints were definitely needed to get to the solution of this problem. Specifically the hint to openssl x509 was helpful. Upvoted! – Worp Jul 26 '18 at 07:31

1 Answer

That cert is not a client certificate. It is only a server certificate.

You can see that in the output:

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication

A client certificate will instead say:

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication

or:

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication

(such a certificate can be either a server cert or a client cert)

Go back to your CA and request a proper client certificate.

Michael Hampton
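The script below is an added example written for this page; it is not code from the question, the answer, or the Apache project. It reproduces the answer's point with a throwaway CA: the same key and CSR are signed three times, once with `extendedKeyUsage = serverAuth` only (what the question's CA issued), once with `clientAuth`, and once with both, and each result is checked with `openssl verify -purpose sslclient`, which applies the same extended-key-usage rule a TLS server applies to a client certificate. Everything here is hypothetical: the CA name `Example-Test-CA`, the scratch directory, and the helper names `issue_cert`, `client_ok` and `show_eku`. It assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Shows why a serverAuth-only certificate fails as a client certificate and
# what a CA has to issue instead. Names and paths are hypothetical.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to do" >&2; exit 0; }

WORK=$(mktemp -d)              # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the run does not depend on the system openssl.cnf.
# v3_ca makes the throwaway root a real CA (basicConstraints CA:TRUE).
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Throwaway CA (hypothetical name, not the my-company-CA from the question).
openssl req -x509 -config "$WORK/openssl.cnf" -subj "/CN=Example-Test-CA" \
    -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# One key pair and CSR, reused for every certificate below. The EKU is chosen
# by the CA at signing time, which is why the fix is to go back to the CA
# rather than to generate a new key.
openssl req -new -config "$WORK/openssl.cnf" -subj "/CN=my-common-name" \
    -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null

# issue_cert NAME EKU -> writes $WORK/NAME.crt signed by the CA with that extendedKeyUsage
issue_cert() {
    printf 'keyUsage = critical,digitalSignature,keyEncipherment\nextendedKeyUsage = %s\n' "$2" \
        > "$WORK/$1.ext"
    openssl x509 -req -sha256 -days 1 -CAcreateserial \
        -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# client_ok CERT -> exit status 0 only if CERT chains to the CA and is
# acceptable for the "sslclient" purpose (EKU absent or containing clientAuth)
client_ok() {
    openssl verify -purpose sslclient -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# show_eku CERT -> prints the Extended Key Usage lines, as in the question's dump
show_eku() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage'
}

issue_cert server serverAuth             # what the question's CA issued
issue_cert client clientAuth             # what the answer asks for
issue_cert both   serverAuth,clientAuth  # usable in either role

for name in server client both; do
    echo "== $name.crt"
    show_eku "$WORK/$name.crt"
    if client_ok "$WORK/$name.crt"; then
        echo "accepted as TLS client certificate"
    else
        echo "rejected as TLS client certificate"
    fi
done
```

Run it as-is; `server.crt` is rejected with "unsupported certificate purpose" while `client.crt` and `both.crt` pass. The same `openssl verify -purpose sslclient -CAfile <ca> <cert>` call is a quick offline check to run on any client certificate before pointing curl or a browser at a server, so the problem shows up as a clear verify error instead of an opaque TLS alert.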