
I have an issue with the SSLRequire file expression in Apache 2.4: it doesn't seem to be finding, or be able to access, the file in question.

Here's the code excerpt:

<Location />
    SSLOptions +StrictRequire
    SSLRequireSSL
    SSLRequire (%{SSL_CLIENT_CERT} eq file("<full_path_to_PEM_file>"))
</Location>

And when I try to access the site, I get this error in logs:

[Tue Jun 27 13:20:02.358478 2017] [ssl:error] [pid 18661:tid 47040594310912] [client 82.69.3.205:58275] Evaluation of expression from 20-mod_ssl.conf:240 failed: Cannot open file <full_path_to_PEM_file>, referer: https://example.com/

The permissions are correct and the file definitely exists, so I am not sure what else to do here.

The PEM file is a valid public certificate with "BEGIN CERTIFICATE" and "END CERTIFICATE" lines at start and end...

Any ideas?

Captain Jack
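The error above comes from mod_ssl's `file()` function, which reads the whole file at request time in the context of the worker process, so "Cannot open file" is about what the Apache user can open, not what root can open. The POSIX sh script below is an added diagnostic, not part of the original question, that checks the three things that usually explain it: the path exists and holds one PEM certificate, the file is readable by the Apache worker user (assumed here to be `www-data`; override `APACHE_USER` for `apache`/`httpd` systems), and the SELinux label when SELinux is enforcing. The `check_pem_for_mod_ssl` and other function names are the script's own. Two caveats beyond the open() problem: `eq` is an exact string comparison, so once the file opens, any difference in line wrapping or a trailing newline between the file and the value mod_ssl puts in `SSL_CLIENT_CERT` still fails the match; and on 2.4, `SSLRequire` is deprecated in favour of `Require expr`, with `SSLVerifyClient require` plus `SSLCACertificateFile` being the usual way to demand a client certificate.

```shell
#!/bin/sh
# Added diagnostic for mod_ssl "Cannot open file" errors (not from the post).
# APACHE_USER is an assumption: www-data on Debian/Ubuntu, apache on RHEL-style.
APACHE_USER="${APACHE_USER:-www-data}"

# pem_has_cert FILE -> 0 if FILE exists, is readable by the current user and
# contains exactly one BEGIN/END CERTIFICATE pair; 1 otherwise.
pem_has_cert() {
    f="$1"
    [ -f "$f" ] || return 1
    [ -r "$f" ] || return 1
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" 2>/dev/null || true)
    [ "${begins:-0}" -eq 1 ] && [ "${ends:-0}" -eq 1 ]
}

# readable_as USER FILE -> 0 if USER can open FILE for reading, 1 if not,
# 2 if the check cannot be run (no passwordless sudo or no such user).
readable_as() {
    u="$1"; f="$2"
    command -v sudo >/dev/null 2>&1 || return 2
    id "$u" >/dev/null 2>&1 || return 2
    if sudo -n -u "$u" sh -c 'cat "$1" >/dev/null' sh "$f" 2>/dev/null; then
        return 0
    else
        return 1
    fi
}

# selinux_label FILE -> prints the file's SELinux context when SELinux is on.
selinux_label() {
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ]; then
        ls -Z "$1"
    else
        echo "SELinux not active"
    fi
}

# check_pem_for_mod_ssl FILE -> runs all checks; 0 on success, 1 on a failure.
check_pem_for_mod_ssl() {
    f="$1"
    if pem_has_cert "$f"; then
        echo "ok: $f is readable and holds one PEM certificate"
    else
        echo "FAIL: $f is missing, unreadable, or not a single PEM certificate" >&2
        return 1
    fi
    if readable_as "$APACHE_USER" "$f"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "ok: readable as $APACHE_USER" ;;
        1) echo "FAIL: $APACHE_USER cannot read $f (check x permission on every parent directory)" >&2
           return 1 ;;
        *) echo "skipped: could not test as $APACHE_USER (needs passwordless sudo and the user)" ;;
    esac
    selinux_label "$f"
}

# Usage (path is a placeholder):
# check_pem_for_mod_ssl /etc/ssl/clients/pinned_client.pem
```

Run it as root on the server with the real path from the `SSLRequire` line; a "FAIL" on the second check with the file itself readable almost always means a parent directory lacks the execute bit for the Apache user, and an SELinux context other than a cert-readable type is the next thing to look at on enforcing systems.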

1 Answer


Your VHost should look like:

<VirtualHost *:443>
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/html/example

    ServerName example.com

    SSLEngine on

    SSLCertificateFile /etc/ssl/CA/example_com.crt
    SSLCertificateKeyFile /etc/ssl/CA/example.key

    # https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1203&nav=0,96,1,95
    SSLCertificateChainFile /etc/ssl/CA/chain_example_with_Positive.pem

    SSLHonorCipherOrder On
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite RC4-SHA:HIGH:!MD5:!aNULL:!EDH:!ADH
    SSLInsecureRenegotiation off

    <Directory /example/>
            Options Indexes SymLinksIfOwnerMatch
            AllowOverride All
            Require all granted
    </Directory>
    <Directory /var/www/html/example/>
            Options Indexes SymLinksIfOwnerMatch
            AllowOverride All
            Order allow,deny
            allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown    
</VirtualHost>
EvgenyKolyakov
  • Thanks but this is not what I am asking. I already have public and private keys installed as per your answer - this is not an issue. I am trying to add an additional layer of authentication for the client to supply their certificate before they can connect. This is done through the SSLRequire options coupled with SSLOptions +StrictRequire. My question is regarding the file expression, which doesn't seem to be working with SSLRequire... – Captain Jack Jun 27 '17 at 19:05
  • ok... did you notice that the error says `Cannot open file ` ? which means there's simply no such file named `Cannot open file ` – EvgenyKolyakov Jun 27 '17 at 19:39
  • Yes, like I said in the original post ..."The permissions are correct and the file definitely exists" – Captain Jack Jun 28 '17 at 08:11
  • Sir... if you want a solution to your specific question, you need to provide the exact output... Don't show passwords... but the rest.. – EvgenyKolyakov Jun 28 '17 at 08:13
  • But again, the output is in the original question - there's nothing else to show .. – Captain Jack Jun 28 '17 at 14:55