1

我正在尝试在目录和证书吊销列表 (crl) 上配置具有客户端身份验证的服务器。我曾经成功地使客户端客户端身份验证有效,但现在不再有效,而且我从未成功使吊销列表有效。

这是我的配置文件:

  • 默认-ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
		DocumentRoot /var/www/html						
		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined
								
		SSLEngine on
		SSLCertificateFile	/root/ca/intermediate/certs/www.example.com.cert.pem
		SSLCertificateKeyFile   /root/ca/intermediate/private/www.example.com.key.pem
		SSLCertificateChainFile /root/ca/intermediate/certs/ca-chain.cert.pem
		SSLCACertificateFile    /root/ca/intermediate/certs/intermediate.cert.pem		
								
		<FilesMatch "\.(cgi|shtml|phtml|php)$">
		    SSLOptions +StdEnvVars
		</FilesMatch>
		<Directory /usr/lib/cgi-bin>
			SSLOptions +StdEnvVars
		</Directory>	
	</VirtualHost>
</IfModule>

  • apache2.conf

Mutex file:${APACHE_LOCK_DIR} default
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5


User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

HostnameLookups Off

ErrorLog ${APACHE_LOG_DIR}/error.log

LogLevel warn

IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

Include ports.conf


<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /usr/share>
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/>
     Options Indexes FollowSymLinks
     AllowOverride None
     Require all granted
</Directory>

<Directory /var/www/html/testClientCert>
     Options Indexes FollowSymLinks
     AllowOverride None
     SSLVerifyClient require
     SSLVerifyDepth 10
</Directory>

AccessFileName .htaccess

<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IncludeOptional conf-enabled/*.conf

IncludeOptional sites-enabled/default-ssl.conf

我使用以下 tuto 创建根和中间 AC:https ://jamielinux.com/docs/openssl-certificate-authority/ (第 1 部分和第 2 部分)

我使用以下命令生成客户端证书:

4 - 创建客户端证书 4.1 创建客户端密钥 openssl genrsa -des3 -out client.key 4096

4.2 Create the client csr
    openssl req -new -key client.key -out client.csr

4.3 Create the client certificate
    openssl x509 -req -days 365 -in client.csr -CA /root/ca/intermediate/certs/intermediate.cert.pem -CAkey /root/ca/intermediate/private/intermediate.key.pem -set_serial <mettre une valeur à changer à chaque cert genre à incrémenter (01 pour le premier puis 02...> -out client.crt

4.4 Convert client certificate to PKCS
    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

现在这是我的问题,似乎我的中间证书不受信任,实际上当我尝试使用 Mozilla 访问目录 /var/www/html/testClientCert 时(我在 Mozilla 中导入了中间 AC + 客户端证书),我有以下错误:

tail -f 20 /var/log/apache2/*

==> /var/log/apache2/access.log <==
127.0.0.1 - - [07/Aug/2017:20:15:48 +0200] "GET /testClientCert/gg.txt HTTP/1.1" 403 9768 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"

==> /var/log/apache2/error.log <==
[Mon Aug 07 20:15:48.741592 2017] [ssl:error] [pid 2262:tid 140536910403328] [client 127.0.0.1:55376] AH02039: Certificate Verification: Error (2): unable to get issuer certificate
[Mon Aug 07 20:15:48.741670 2017] [ssl:error] [pid 2262:tid 140536910403328] [client 127.0.0.1:55376] AH02261: Re-negotiation handshake failed
[Mon Aug 07 20:15:48.741687 2017] [ssl:error] [pid 2262:tid 140536910403328] SSL Library Error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed

当我使用根 AC 证书签署中间 AC 证书并且我的客户端证书由中间 AC 签名时,怎么会发生错误?

4

1 回答 1

1

如果有人需要答案,我贴出来。默认配置文件(default-ssl.conf)中的注释引导我走上正轨:

    #   Certificate Authority (CA):
    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)

所以文件 SSLCACertificateFile 必须包含根证书和中间证书。然后这条线的改变解决了我的问题:

SSLCACertificateFile /root/ca/intermediate/certs/ca-chain.cert.pem

我还没有找到 crl 的解决方案,我找到它时发布它。

于 2017-08-16T17:19:26.790 回答