Error "SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate" on lighttpd
ssl.ca-file reads the file's content; you can point it at any file type here, even a .txt. It doesn't matter to lighttpd whether the content is a single certificate or a certificate chain.
When you enable ssl.verifyclient.activate, lighttpd will request a certificate that has been signed by the root CA certificate(s) inside the ca-file.
Suppose I want to use a 3rd-party certificate, for example ICP-Brazil, which is the root of all personal certificates. Such a certificate is signed by that entity, is the proof that you are really you, and has legal weight in court. ICP-Brazil today has 5 versions of its root certificate, so if the system should support legacy certificates (which can have up to 6 years of validity), you need to put more than one certificate in ssl.ca-file, as described here: https://schnouki.net/posts/2014/08/12/lighttpd-and-ssl-client-certificates/
About the error:
(connections.c.305) SSL: 1 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
It happens for a few reasons:
- The client doesn't have any valid certificate (one that matches the root certificates in ssl.ca-file).
- The connection was interrupted before the SSL handshake completed. This can be caused by taking a very long time to choose the certificate or to enter the certificate password, or even by a network restart.
- You're using a CDN (such as Cloudflare or OVH CDN); the connection between client and server must be direct to make the handshake.
So I conclude that this is not really a bug to be corrected, but rather a limitation of the SSL handshaking technology.
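As an added example (not part of the original answer), here is a small offline check in Python that reads the ssl.* settings out of a lighttpd config and inspects the file named by ssl.ca-file: it reports a CSR mistaken for a CA certificate, a ca-file with no certificate at all, and how many CA certificates (for example several root versions) the file carries. The config and PEM contents below are constructed samples; the function and variable names are my own.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """[(label, der_bytes)] for every PEM block; invalid base64 raises ValueError."""
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_RE.findall(text)]

def lighttpd_ssl_settings(config):
    """Collect ssl.* keys from lighttpd.conf text, ignoring '#' comments."""
    settings = {}
    for line in config.splitlines():
        for key, val in re.findall(r'(ssl\.[\w.-]+)\s*=\s*"?([^"\s]+)"?',
                                   line.split("#", 1)[0]):
            settings[key] = val
    return settings

def audit_client_auth(config, ca_file_text):
    """Findings about client-cert verification; ca_file_text is the content of
    the file named by ssl.ca-file (read it separately, so this runs offline)."""
    s = lighttpd_ssl_settings(config)
    if s.get("ssl.verifyclient.activate") != "enable":
        return ["ssl.verifyclient.activate is not enabled: no client cert is requested"]
    if "ssl.ca-file" not in s:
        return ["ssl.verifyclient.activate is on but ssl.ca-file is unset"]
    labels = [label for label, _ in pem_blocks(ca_file_text)]
    certs, findings = labels.count("CERTIFICATE"), []
    if "CERTIFICATE REQUEST" in labels:
        findings.append("%s holds a CSR, not a CA certificate" % s["ssl.ca-file"])
    if certs == 0:
        findings.append("ssl.ca-file has no CERTIFICATE block: lighttpd cannot build the "
                        "list of acceptable CA names or verify any client certificate")
    else:
        findings.append("ssl.ca-file advertises %d CA certificate(s)" % certs)
    return findings

# Constructed inputs (not a real deployment): the question's config shape with a .csr
# as ssl.ca-file, and two ca-file contents whose PEM bodies are truncated placeholders.
CONFIG = '''$SERVER["socket"] == ":443" {
  ssl.ca-file = "/etc/lighttpd/ssl/mywebsite.com.csr"
  #ask for client cert
  ssl.verifyclient.activate = "enable"
  ssl.verifyclient.enforce = "enable"
  ssl.verifyclient.depth = 3
}'''
CSR_AS_CA = "-----BEGIN CERTIFICATE REQUEST-----\nMIIB\n-----END CERTIFICATE REQUEST-----\n"
TWO_ROOTS = "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n" * 2
```

To confirm that a particular client certificate actually chains to the roots in that file, `openssl verify -CAfile <ca-file> client.pem` is the standard follow-up check.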
LeonanCarvalho
Updated on September 18, 2022
Comments
-
LeonanCarvalho over 1 year
I'm using a valid certificate but I'm not able to get client certificate. The lighttpd service fails with error:
(connections-glue.c.200) SSL: 1 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
My config is like this one:
    $SERVER["socket"] == ":443" {
      protocol = "https://"
      ssl.engine = "enable"
      ssl.disable-client-renegotiation = "enable"
      #server.name = "mywebsite.com"
      ssl.pemfile = "/etc/lighttpd/ssl/mywebsite.com.pem"
      ssl.ca-file = "/etc/lighttpd/ssl/mywebsite.com.csr"
      ssl.ec-curve = "secp384r1"
      ssl.use-sslv2 = "disable"
      ssl.use-sslv3 = "disable"
      ssl.honor-cipher-order = "enable"
      ssl.cipher-list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
      # HSTS(15768000 seconds = 6 months)
      #setenv.add-response-header = (
      #  "Strict-Transport-Security" => "max-age=15768000;"
      #)
      #ask for client cert
      ssl.verifyclient.exportcert = "enable"
      ssl.verifyclient.activate = "enable"
      ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
      ssl.verifyclient.enforce = "enable"
      ssl.verifyclient.depth = 3
    }
-
Steffen Ullrich about 7 years
The problem is not at the server but at the client, which does not provide the required certificate.
-
LeonanCarvalho about 7 years
How could it be fixed? For other websites a certificate selector prompts the client to choose an installed certificate. That's what I'm expecting to happen.
-
Steffen Ullrich about 7 years
If the server does not send as accepted the CA which is used to sign the certificate installed in the client, then there will be no prompt. Since I know neither what certificate is installed nor which CAs are sent as accepted in the handshake, I cannot help further.
-
LeonanCarvalho about 7 years
What are the reasons why the server is not sending the CA?
-
Steffen Ullrich about 7 years
Configuration issues. Maybe the CA which is used to sign the client certificate is not installed in /etc/lighttpd/ssl/mywebsite.com.csr, but this is just a guess, because I know neither the contents of this file nor the CA which signed the client certificate.
-
LeonanCarvalho about 7 years
But in a case where I don't know my client's certificate, I can't request it, can I? I figured I could request the client certificate and its public key to validate its authenticity using any valid certificate.
-
dr_ over 5 years
"this is not really a bug to be corrected, but rather limitations of the ssl hand shaking technology" What makes you conclude this?
-
LeonanCarvalho over 5 years
The other answer posted here (downvoted and then deleted) was about a possible bug behind that message. As described in the answer, it's the expected behavior, and I provided 3 common reasons for this error.
-
dr_ over 5 years
Thanks for clarifying. I don't have enough rep to see deleted posts. However, I wouldn't call it a "limitation of SSL"; that's rather a security measure.