Can't Get Any Browser to Prompt for A Client Certificate (Certificates on Apache)
I figured it out. In my Apache settings, I changed:
SSLCACertificatePath to ~~~~~~/ca/certs/ca.cert.pem
SSLVerifyDepth 1 to SSLVerifyDepth 10
And the most important thing I changed was I converted my client certificates from pem to pfx.
alexs973
Updated on September 18, 2022
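Added example (not part of the original answer or question): a throwaway root -> intermediate -> client PKI built with the `openssl` CLI, to check the two conditions this thread turns on: whether the client certificate verifies against a given CA bundle, and whether the file handed to the browser actually contains a private key. All subjects, file names and the password are constructed, and `openssl verify` is used here as a stand-in for the server-side chain check, which is an assumption.

```shell
# Added example. Subjects, file names and the password are constructed.
make_pki() {  # $1 = empty work dir; builds root -> intermediate -> client
  ( set -e; cd "$1"
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -extensions v3_ca \
      -subj "/CN=Test Root CA" -days 2 -keyout root.key -out root.pem
    for n in intermediate client; do
      openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
        -subj "/CN=Test $n" -keyout "$n.key" -out "$n.csr"
    done
    openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
      -CAcreateserial -extfile pki.cnf -extensions v3_ca -days 2 -out intermediate.pem
    openssl x509 -req -in client.csr -CA intermediate.pem -CAkey intermediate.key \
      -CAcreateserial -extfile pki.cnf -extensions v3_client -days 2 -out client.pem
    cat intermediate.pem root.pem > chain.pem   # full chain up to the root
  ) >/dev/null 2>&1
}

chain_ok() {  # $1 = work dir, $2 = CA bundle to trust; true if client.pem verifies
  ( cd "$1" && openssl verify -CAfile "$2" client.pem 2>/dev/null | grep -q ': OK$' )
}

export_pfx() {  # PKCS#12 = client cert + its private key + CA chain in one file
  ( cd "$1" && openssl pkcs12 -export -inkey client.key -in client.pem \
      -certfile chain.pem -name "test client" -passout pass:changeit -out client.pfx )
}
pfx_has_key() {  # $1 = work dir; true if the bundle carries a private key
  ( cd "$1" && openssl pkcs12 -in client.pfx -passin pass:changeit -nodes -nocerts \
      2>/dev/null | grep -q 'PRIVATE KEY' )
}

WORK=$(mktemp -d)
make_pki "$WORK"
export_pfx "$WORK"
for bundle in intermediate.pem chain.pem; do
  if chain_ok "$WORK" "$bundle"; then r="verifies"; else r="does NOT verify"; fi
  echo "trust bundle $bundle: client cert $r"
done
```

The certificate-only `client.pem` contains no private key, so a browser that imported only that file has no identity it can present; `client.pfx` does carry one.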
alexs973 over 1 year
I want Apache to verify clients' certification before authorizing the user to proceed to the website.
In Chrome my error is:
192.168.2.57 didn’t accept your login certificate, or one may not have been provided. Try contacting the system admin. ERR_BAD_SSL_CLIENT_AUTH_CERT
In Firefox my error is:
An error occurred during a connection to 192.168.2.57. SSL peer was unable to negotiate an acceptable set of security parameters. Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT
I think the problem is that I'm not even getting prompted to provide my client certificate. How can I enable that in both browsers?
Some other info: My root and intermediate CAs are stored on Apache. They signed my site cert and my client certs, which are also stored on Apache. All of these certs (root CA, intermediate CA, server, and client) have been loaded into my browser.
My Apache configuration:
<IfModule mod_ssl.c>
<VirtualHost 192.168.2.57:443>
    ServerName 192.168.2.57:443
    DocumentRoot /var/www
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine On
    SSLCertificateFile "/etc/apache2/ssl/ca/intermediate/certs/AlexSite.cert.pem"
    SSLCertificateKeyFile "/etc/apache2/ssl/ca/intermediate/private/AlexSite.key.pem"
    SSLProtocol TLSv1 TLSv1.1
    SSLCACertificateFile "/etc/apache2/ssl/ca/intermediate/certs/intermediate.cert.pem"
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        DirectoryIndex /cgi-bin/index.html
        AllowOverride None
        Order allow,deny
        Allow from all
        AddHandler mod_python .py
        PythonHandler mod_python.publisher
        PythonDebug On
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Directory>
    Alias "/mysql-files/" "/var/lib/mysql-files/"
    <Directory "/var/lib/mysql-files/">
        Require all granted
        Options +Indexes
    </Directory>
    ScriptAlias /cgi-bin/ /var/www/cgi-bin/
    <Directory /var/www/cgi-bin>
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
        AddHandler cgi-script .cgi .py
    </Directory>
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>