curl - SSL peer does not support certificates of the type it received
That cert is not a client certificate. It is only a server certificate.
You can see that in the output:
X509v3 Extended Key Usage:
TLS Web Server Authentication
A client certificate will instead say:
X509v3 Extended Key Usage:
TLS Web Client Authentication
or:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
(such a certificate can be either a server cert or a client cert)
Go back to your CA and request a proper client certificate.
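An added check, my example rather than code from the answer or from any project mentioned on this page, that reads exactly the field the answer points at: a stdlib-only DER walker locates the X509v3 Extended Key Usage extension (OID 2.5.29.37) and decodes its KeyPurposeIds, the information `openssl x509 -text` prints under "X509v3 Extended Key Usage". No real certificate is on the page, so the block constructs unsigned sample certificates in-line (empty issuer and subject, placeholder key, dummy signature, validity dates copied from the question); all function names are my own.

```python
import base64

OID_EKU = "2.5.29.37"                       # id-ce-extKeyUsage
KEY_PURPOSE = {                             # KeyPurposeId OIDs, named as openssl prints them
    "1.3.6.1.5.5.7.3.1": "TLS Web Server Authentication",
    "1.3.6.1.5.5.7.3.2": "TLS Web Client Authentication",
}

# ---- minimal DER decoding -------------------------------------------------
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (>= 128 bytes)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _decode_oid(value):
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:                     # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def extended_key_usages(cert_der):
    """KeyPurposeId OIDs from the EKU extension, or [] if the certificate has none."""
    _, cert, _ = _read_tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                      # tbsCertificate
    for tag, val in _children(tbs):
        if tag != 0xA3:                                 # extensions are [3] EXPLICIT
            continue
        _, ext_seq, _ = _read_tlv(val, 0)
        for _, ext in _children(ext_seq):
            fields = _children(ext)                     # extnID, [critical], extnValue
            if _decode_oid(fields[0][1]) != OID_EKU:
                continue
            _, purposes, _ = _read_tlv(fields[-1][1], 0)   # OCTET STRING wraps SEQUENCE OF OID
            return [_decode_oid(v) for _, v in _children(purposes)]
    return []

def allows_client_auth(cert_der):
    return "1.3.6.1.5.5.7.3.2" in extended_key_usages(cert_der)

def describe(cert_der):
    """The same line openssl prints under 'X509v3 Extended Key Usage'."""
    oids = extended_key_usages(cert_der)
    return ", ".join(KEY_PURPOSE.get(o, o) for o in oids) if oids else "(no Extended Key Usage)"

def load_pem(pem_text):
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# ---- DER encoding, only what the constructed sample needs -----------------
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _seq(*items):
    return _tlv(0x30, b"".join(items))

def _encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def make_sample_cert(*purposes):
    """Constructed, unsigned stand-in for a real certificate; only the EKU extension is populated."""
    eku = _seq(_encode_oid(OID_EKU), _tlv(0x04, _seq(*(_encode_oid(p) for p in purposes))))
    tbs = _seq(
        _tlv(0xA0, _tlv(0x02, b"\x02")),                  # [0] version: v3
        _tlv(0x02, b"\x01"),                              # serialNumber (placeholder)
        _seq(_encode_oid("1.2.840.113549.1.1.13")),       # signature: sha512WithRSAEncryption
        _seq(),                                           # issuer (empty placeholder)
        _seq(_tlv(0x17, b"180710070755Z"), _tlv(0x17, b"200710071755Z")),  # validity, dates from the question
        _seq(),                                           # subject (empty placeholder)
        _seq(_seq(_encode_oid("1.2.840.113549.1.1.1")), _tlv(0x03, b"\x00")),  # SPKI placeholder
        _tlv(0xA3, _seq(eku)),                            # [3] extensions
    )
    return _seq(tbs, _seq(_encode_oid("1.2.840.113549.1.1.13")), _tlv(0x03, b"\x00"))  # dummy signature

if __name__ == "__main__":
    for name, cert in (("server-only", make_sample_cert("1.3.6.1.5.5.7.3.1")),
                       ("server+client", make_sample_cert("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"))):
        print(f"{name}: {describe(cert)} -> usable as client cert: {allows_client_auth(cert)}")
```

Against a real file, `describe(load_pem(open("my.cert.pem").read()))` gives the same answer as reading the `X509v3 Extended Key Usage` line of `openssl x509 -text`. The walker only reads that one extension; it validates neither the signature nor the chain, so it is a quick pre-flight check before a `curl --cert` run, not a replacement for the CA's own policy on which certificates may be used for client authentication.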
Author: Worp. Updated on September 18, 2022.

Comments

- Worp, over 1 year ago:
Trying to send a request with a client certificate to an Apache server, I have the following request and error:
$ curl -X POST https://my-server.com/dummy/user -H 'Cache-Control: no-cache' -H 'Content-Type: application/json' -d '{"name_first":"Some", "name_last":"Name"}' --insecure -v -i --key-type PEM --cert-type PEM --cert ./my.cert.pem --key ./my.key.pem
* About to connect() to my-server.com port 443 (#0)
*   Trying 2xx.xx.xx.xxx...
* Connected to my-server.com (2xx.xx.xx.xxx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate from file
*       subject: CN=my-common-name,OU=IT,O=My Company,L=City,C=Country
*       start date: Jul 10 07:07:55 2018 GMT
*       expire date: Jul 10 07:17:55 2020 GMT
*       common name: my-common-name
*       issuer: CN=My-CA,DC=company,DC=local
* NSS error -12225 (SSL_ERROR_UNSUPPORTED_CERT_ALERT)
* SSL peer does not support certificates of the type it received.
* Closing connection 0
curl: (35) SSL peer does not support certificates of the type it received.
The Apache configuration is:
<VirtualHost *:80>
    ServerName my-server.com
    RewriteEngine on
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,QSA,L]
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>

<VirtualHost *:443>
    ServerName my-server.com
    ServerAdmin [email protected]
    DocumentRoot "/path/to/document-root"
    ErrorLog "/path/to/logs/my-server.com.error.log"
    TransferLog "/path/to/logs/my-server.com.access.log"
    LogLevel debug

    <FilesMatch \.php$>
        SetHandler "proxy:fcgi://127.0.0.1:9000"
    </FilesMatch>

    SSLEngine on
    SSLCertificateFile "ssl-certs/my-server.com.crt"
    SSLCertificateKeyFile "ssl-certs/my-server.com.key"
    SSLCertificateChainFile "ssl-certs/my-server.com.chain.crt"
    SSLCACertificateFile "ssl-certs/my-company.ca.cert"
    SSLVerifyClient optional_no_ca
    # Not yet put in, seems like setting this to anything does not change the behaviour
    #SSLVerifyClient require
    SSLOptions +StdEnvVars
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"

    <Directory /path/to/document-root>
        <RequireAny>
            # Allow from local networks only to prevent HELIX config mistakes
            Require ip xxx.xx.x.x/16
        </RequireAny>
        AllowOverride All
    </Directory>

    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

    AddOutputFilterByType DEFLATE text/plain text/html text/xml
    AddOutputFilterByType DEFLATE text/css text/javascript
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript
</VirtualHost>
Edit 1: As requested in the comments, here is the output of
$ openssl x509 -in ./my.cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            36:00:00:00:1b:84:b3:3e:00:eb:cf:61:0e:00:00:00:00:00:1b
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: DC=local, DC=my-company, CN=my-company-CA
        Validity
            Not Before: Jul 10 07:07:55 2018 GMT
            Not After : Jul 10 07:17:55 2020 GMT
        Subject: C=Country, L=City, O=my-company, OU=IT, CN=my-common-name
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b4:e1:f3:e7:05:3e:44:fa:33:10:48:cb:7f:97:
                    89:66:da:48:8b:9e:5a:91:63:01:88:1b:99:66:d1:
                    9d:ed:73:72:ef:02:78:08:80:01:ce:ca:f8:ee:f2:
                    93:eb:77:e8:54:93:c3:f3:59:31:de:51:3d:7f:f7:
                    a5:ac:32:22:48:da:d5:91:a7:9c:b5:26:ab:2f:b1:
                    dd:6c:89:79:01:40:d6:d9:70:4d:04:d3:ef:bb:27:
                    28:cf:36:ca:d1:56:11:dd:21:53:0a:64:58:44:e4:
                    36:9e:f8:4a:65:38:10:1b:56:a5:94:fb:24:98:e0:
                    09:2c:8b:a7:9d:4e:81:e0:5e:68:35:c2:dc:90:f8:
                    7f:f1:0d:cc:56:1f:b6:73:d2:5f:c0:61:e4:85:5a:
                    e2:19:38:c9:b0:18:76:6c:86:87:c1:19:a9:f3:c9:
                    4e:2c:b9:c6:bd:05:ca:fc:ed:fc:b2:8d:ed:14:0f:
                    d4:b6:c1:1c:a3:44:44:b1:22:2d:75:4d:4c:30:33:
                    55:b7:47:3c:83:43:a4:7c:d9:c4:0f:3b:e5:2d:13:
                    64:5c:c9:de:8e:60:50:6b:26:d3:03:26:87:21:6c:
                    c9:98:0c:33:c3:22:b6:1b:ef:64:2b:14:aa:01:28:
                    9d:dc:c6:bb:33:b6:08:be:21:f9:0a:7b:20:81:33:
                    96:27:90:33:e9:eb:38:cc:39:73:81:0a:f2:81:31:
                    69:59:c9:74:b9:fb:fb:50:d5:7b:72:01:c9:ad:5b:
                    6a:7a:0d:ff:f5:b0:5b:d3:7e:f3:2b:6b:30:fc:69:
                    ee:4f:4a:2c:24:f5:41:31:ad:4b:87:90:69:15:a9:
                    97:6e:2d:e4:e7:0f:01:a7:06:7a:2e:24:e1:36:90:
                    ab:88:ff:54:5e:b5:58:71:9a:f1:28:48:a5:c0:ae:
                    84:fd:4d:ab:17:70:8f:e9:4b:fc:74:af:60:6f:b9:
                    e7:32:4a:38:01:95:d0:ee:c7:10:52:22:94:92:85:
                    1b:4a:30:f1:b2:e6:14:f9:74:0b:4a:d5:72:9d:94:
                    01:41:03:b3:77:fc:01:e5:65:18:ed:85:a3:a6:a4:
                    bf:55:42:7e:04:eb:cb:e8:c8:89:77:92:fc:b4:38:
                    5e:8c:f9:f6:c3:b6:f6:17:ce:25:34:d3:bc:72:fa:
                    c1:04:fe:12:34:8f:7e:d1:ee:48:93:71:bc:74:68:
                    92:f1:39:7a:4d:17:b0:5e:5d:37:ed:96:f5:07:0e:
                    97:e2:e5:09:96:21:49:89:2a:ec:fb:1b:e4:b9:95:
                    8d:a0:32:23:ef:bb:7d:15:cb:18:54:01:9e:67:b9:
                    e7:37:fd:87:77:28:24:8e:72:60:c0:48:7d:44:a1:
                    d9:f8:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.7:
                0/.'+.....7.....(...d.......Z...?.4...G...D..d...
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            1.3.6.1.4.1.311.21.10:
                0.0 ..+.......
            X509v3 Subject Key Identifier:
                EF:2C:E2:02:6C:F5:45:82:27:CB:05:77:6B:F8:B1:22:1F:E7:29:20
            X509v3 Authority Key Identifier:
                keyid:9C:FB:DD:C0:DD:16:D6:FF:98:31:22:0E:30:4A:B6:98:93:6A:21:6F
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:ldap:///CN=my-company-CA,CN=MY-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=my-company,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=my-company-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=my-company,DC=local?cACertificate?base?objectClass=certificationAuthority
    Signature Algorithm: sha512WithRSAEncryption
         46:16:3f:33:93:31:87:6b:31:02:f6:a6:b1:d0:90:94:d9:3d:
         b5:a8:aa:ff:15:32:c1:2e:50:1b:41:cc:75:5c:93:76:01:87:
         a2:ce:46:18:01:4b:98:cd:36:ea:1a:6c:28:9a:40:a4:67:83:
         7f:28:c7:78:98:d1:07:be:59:06:dc:f6:b0:e5:6a:d8:6d:e0:
         a9:43:5d:5b:7b:61:1e:0d:38:af:a4:55:e0:af:db:26:16:a2:
         42:fe:27:36:07:b5:c5:e8:93:bd:e3:df:17:66:c4:b8:12:5e:
         d0:46:48:68:ac:28:2c:08:5e:52:47:ad:c0:b3:6e:69:20:e2:
         00:3b:12:5e:fa:eb:32:be:4c:f4:9e:cb:a7:a0:c6:cf:e5:bc:
         d9:de:1e:6a:c0:17:22:43:23:a9:6c:3f:48:dd:26:44:22:58:
         fa:3d:d9:61:a0:76:2b:f8:d5:ae:c1:97:4d:ba:81:25:a4:44:
         2c:8d:5d:4c:d3:05:a7:eb:b7:9b:08:3c:4c:2c:c0:9d:2a:d6:
         47:7e:96:87:60:e8:b4:9d:73:25:9b:2e:0b:23:d0:14:7c:82:
         9d:ec:07:a8:26:9a:28:e7:c1:a4:fa:e8:28:b6:44:54:81:c6:
         92:05:1b:7f:4e:a6:b9:81:ca:c6:c6:65:ab:b8:7d:32:2d:fa:
         dd:72:f0:ad:3f:c0:e5:f9:b2:dc:67:f6:9f:7e:b5:16:24:b0:
         f8:39:35:4a:49:a5:c4:44:bc:6b:f2:2e:9c:f0:29:32:bd:d3:
         70:6b:f3:a4:a6:8b:12:a2:c3:c8:0a:66:cb:50:98:91:a7:1a:
         b4:7a:52:58:fe:e5:f5:db:dd:52:c9:38:36:00:6a:4f:23:48:
         78:10:68:c8:58:7f:78:69:95:6a:3b:0e:e9:53:b7:cc:17:9e:
         57:a4:5f:6d:b5:3f:f7:10:37:b2:70:20:b4:b0:65:2b:52:f8:
         67:b2:de:57:1e:b7:5d:23:09:f4:39:66:a8:09:28:1f:58:d8:
         c2:e7:73:46:a6:5b:d1:3c:53:90:da:29:99:b9:2f:b7:82:20:
         ae:9e:41:37:ab:3c:a8:aa:a1:e4:be:0b:1a:5f:45:a5:8e:01:
         a6:cd:92:b5:7c:b1:7b:ca:80:d7:47:d5:c2:aa:b3:cd:61:f2:
         fa:91:4f:59:bf:df:06:40:c5:2b:32:d6:d4:8c:3a:a0:32:e2:
         75:6f:e8:21:13:99:9f:5e:f3:9f:33:51:0a:41:3a:af:eb:c1:
         5c:b9:22:a9:e4:80:7c:11:d0:da:59:17:e2:74:e5:6f:0a:8d:
         6a:95:c1:cb:1c:e1:8c:1c:2e:08:8c:db:7f:db:69:96:73:fe:
         5a:08:85:26:fd:5d:0d:cd
Edit 2: It is worth pointing to @SteffenUllrich's comment below, where you find

openssl x509 -in ./my.cert.pem -text -noout

to check the details of the certificate in question. As the answer states, the solution to this problem was to create a new certificate that allows client authentication.
- Admin, almost 6 years ago: You should add details of the server's certificate to your question.
- Admin, almost 6 years ago: Given that this is an alert sent by the server (received by the client), the problem is not the server certificate but the (also unknown) client certificate my.cert.pem. I've seen such kinds of problems, for example, if the client certificate does not have the appropriate key usage extension, or maybe even the signing CA restricts the key usage and does not allow the certificate to be used as a client certificate. Please include the (redacted) output of openssl x509 -in ./my.cert.pem -text -noout in your question.
- Admin, almost 6 years ago: I have added the information about the certificate I am trying to use as a client cert.
- Admin, almost 6 years ago: Thank you guys for replying, your hints were definitely needed to get to the solution of this problem. Specifically the hint to openssl x509 was helpful. Upvoted!
- Worp, almost 6 years ago: Thanks for clarifying. I will check back with my CA and report the result!
- Worp, almost 6 years ago: This is very much the answer. Thank you for explaining!