Apache Lounge
Webmasters
Topic: Problem with client authentication

jringo5
Joined: 29 Oct 2014
Posts: 1

Posted: Wed 29 Oct '14 18:59    Post subject: Problem with client authentication

I am setting up Apache 2.4 as a service locally through localhost on a Windows 2008 R2 Standard server. I have set up SSL listening on port 443 and it works correctly; however, I am having trouble figuring out how to get Apache to authenticate my CAC card.

I have downloaded the DOD certs and put them into various types of files, including PEM, Base64, DER, etc., and I have yet to figure out a way to get the client certificates validated.

I have left out the information about the SSLCertificateChainFile, SSLCACertificateFile and SSLCARevocationPath as I am sure this must be where my problem is.

Can anyone please advise me as to whether it's possible to get this done through localhost, and point me in the right direction on how to get past my issues. Here is the error I am getting in the error log.

[Wed Oct 29 11:37:05.675491 2014] [ssl:error] [pid xxxx:tid xxx] [client 127.0.0.1:59282] AH02039: Certificate Verification: Error (20): unable to get local issuer certificate


I am using a self-created, self-signed server certificate. Here are some details from my httpd-ssl.conf file:

Code:

<VirtualHost _default_:443>
DocumentRoot "${SRVROOT}/htdocs"
ServerName localhost:443

ServerAdmin admin@example.com
ErrorLog "${SRVROOT}/logs/jtdi.log"
TransferLog "${SRVROOT}/logs/jtdi-Transfer.log"


SSLEngine on


SSLCertificateFile "${SRVROOT}/conf/ssl/localhost.crt"
SSLCertificateKeyFile "${SRVROOT}/conf/ssl/localhost.key"

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLVerifyClient require
SSLVerifyDepth  10


<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "${SRVROOT}/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0


CustomLog "${SRVROOT}/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>


Mod note: removed all not needed comments from config

James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7294
Location: Germany, Next to Hamburg

Posted: Wed 05 Nov '14 11:32

You get this error when trying to use "openssl verify". It may be bad or it may be harmless. Here is the definition from the OpenSSL docs:

Quote:
20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate

Quote:
the issuer certificate of a locally looked up certificate could not be found. This normally means the list of trusted certificates is not complete.

Your certificate chain needs to be complete. That is, it has to include the root CA (one with issuer and subject the same) and all intermediate certificates of the responder certificate.


For each certificate do this:

Code:

openssl x509 -in cert.pem -subject -issuer -noout

The subject of the one you pass to -issuer should match the issuer of the one you pass to cert. You need a root CA and the rest of the chain passed to -CApath.
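To make the subject/issuer check in this reply concrete, here is an added Python example (not code from the thread, from Apache or from OpenSSL). It takes the `subject=` / `issuer=` lines that `openssl x509 -in <file> -subject -issuer -noout` prints for the client certificate and for each certificate in the bundle that would become SSLCACertificateFile, and walks the chain issuer by issuer until it reaches a self-signed root. Where the walk stops short, the DN it reports is the certificate missing from the trust store, which is the condition behind the AH02039 error 20 in the first post. The DNs, file names and the `check_client_chain` / `explain` helpers are this example's own constructions.

```python
"""Walk a client certificate's chain through a CA bundle using only the
subject/issuer lines printed by `openssl x509 -subject -issuer -noout`.

Added example for this thread; all DNs and file names are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed: openssl output for the client (smart card) certificate.
CLIENT_OUTPUT = (
    "subject=CN=John Doe, OU=Example Dept, O=Example Org\n"
    "issuer=CN=EXAMPLE ID CA-2, OU=PKI, O=Example Org"
)

# Constructed: one entry per file in the intended SSLCACertificateFile
# bundle, keyed by file name, holding that file's openssl output.
SAMPLE_STORE: Dict[str, str] = {
    "ca2.pem": "subject=CN=EXAMPLE ID CA-2, OU=PKI, O=Example Org\n"
               "issuer=CN=EXAMPLE Root CA, OU=PKI, O=Example Org",
    "root.pem": "subject=CN=EXAMPLE Root CA, OU=PKI, O=Example Org\n"
                "issuer=CN=EXAMPLE Root CA, OU=PKI, O=Example Org",
}

_DN_LINE = re.compile(r"^(subject|issuer)\s*=\s*(.*)$", re.MULTILINE)


def parse_subject_issuer(text: str) -> Tuple[str, str]:
    """Return (subject, issuer) from openssl's output.

    Accepts both the newer "subject=CN=..." form and the older
    "subject= /C=US/O=..." form; DN strings are returned as printed.
    """
    fields = {m.group(1): m.group(2).strip() for m in _DN_LINE.finditer(text)}
    if "subject" not in fields or "issuer" not in fields:
        raise ValueError("expected both a subject= and an issuer= line")
    return fields["subject"], fields["issuer"]


def check_client_chain(client_output: str, store: Dict[str, str]) -> dict:
    """Follow issuer -> subject links from the client cert into the store.

    Returns {"complete": bool, "chain": [labels], "missing_issuer": DN|None}.
    The walk succeeds only when it ends on a self-signed certificate that is
    present in the store (a root CA). A dead end is what OpenSSL reports as
    error 20, "unable to get local issuer certificate". A self-signed client
    certificate is therefore only accepted if a copy of it is in the store.
    """
    parsed = {name: parse_subject_issuer(text) for name, text in store.items()}
    by_subject = {subj: name for name, (subj, _iss) in parsed.items()}

    chain: List[str] = ["client"]
    _subj, issuer = parse_subject_issuer(client_output)
    while True:
        nxt = by_subject.get(issuer)
        if nxt is None or nxt in chain:      # no issuer in store, or a loop
            return {"complete": False, "chain": chain, "missing_issuer": issuer}
        chain.append(nxt)
        subj, issuer = parsed[nxt]
        if subj == issuer:                   # self-signed: reached the root
            return {"complete": True, "chain": chain, "missing_issuer": None}


def explain(result: dict) -> str:
    """One-line verdict suitable for a log line or a shell message."""
    if result["complete"]:
        return "chain complete: " + " -> ".join(result["chain"])
    return ("chain breaks after %s: no certificate in the bundle has subject %r "
            "(this is what error 20 means)"
            % (result["chain"][-1], result["missing_issuer"]))


if __name__ == "__main__":
    print(explain(check_client_chain(CLIENT_OUTPUT, SAMPLE_STORE)))
    # Same bundle with the root left out, the situation the thread describes.
    incomplete = {k: v for k, v in SAMPLE_STORE.items() if k != "root.pem"}
    print(explain(check_client_chain(CLIENT_OUTPUT, incomplete)))
```

To use it on real files, run the openssl command on the exported client certificate and on every PEM you intend to concatenate into the SSLCACertificateFile bundle, and pass the captured outputs in place of the constructed strings. The check matches DN strings textually rather than by Authority Key Identifier, which is enough to spot which intermediate or root is missing from the bundle; the actual signature verification is still done by mod_ssl once the bundle is complete.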