Apache-2.2
無法讓任何瀏覽器提示輸入客戶端證書(Apache 上的證書)
我希望 Apache 在授權使用者繼續訪問網站之前驗證客戶的認證。
在 Chrome 中,我的錯誤是:
192.168.2.57 didn’t accept your login certificate, or one may not have been provided. Try contacting the system admin. ERR_BAD_SSL_CLIENT_AUTH_CERT`
在 Firefox 中,我的錯誤是:
An error occurred during a connection to 192.168.2.57. SSL peer was unable to negotiate an acceptable set of security parameters. Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT`
我認為問題在於我什至沒有被提示提供我的客戶證書。如何在兩個瀏覽器中啟用它?
其他一些資訊:我的根 CA 和中間 CA 儲存在 Apache 上。他們簽署了我的站點證書和我的客戶端證書,這些證書也儲存在 Apache 上。所有這些證書(根 CA、中間 CA、伺服器和客戶端)都已載入到我的瀏覽器中。
我的 Apache 配置:
<IfModule mod_ssl.c> <VirtualHost 192.168.2.57:443> ServerName 192.168.2.57:443 DocumentRoot /var/www ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine On SSLCertificateFile "/etc/apache2/ssl/ca/intermediate/certs/AlexSite.cert.pem" SSLCertificateKeyFile "/etc/apache2/ssl/ca/intermediate/private/AlexSite.key.pem" SSLProtocol TLSv1 TLSv1.1 SSLCACertificateFile "/etc/apache2/ssl/ca/intermediate/certs/intermediate.cert.pem" <Directory /var/www/> Options Indexes FollowSymLinks MultiViews DirectoryIndex /cgi-bin/index.html AllowOverride None Order allow,deny Allow from all AddHandler mod_python .py PythonHandler mod_python.publisher PythonDebug On SSLVerifyClient require SSLVerifyDepth 1 </Directory> Alias "/mysql-files/" "/var/lib/mysql-files/" <Directory "/var/lib/mysql-files/"> Require all granted Options +Indexes </Directory> ScriptAlias /cgi-bin/ /var/www/cgi-bin/ <Directory /var/www/cgi-bin> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all AddHandler cgi-script .cgi .py </Directory> <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory /usr/lib/cgi-bin> SSLOptions +StdEnvVars </Directory> BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown </VirtualHost> </IfModule>`
我想到了。在我的 Apache 設置中,我更改了:
SSLCACertificatePath
到~~~~~~/ca/certs/ca.cert.pem
SSLVerifyDepth 1
到SSLVerifyDepth 10
我改變的最重要的事情是我將我的客戶端證書從 pem 轉換為 pfx