Apache-2.2

無法讓任何瀏覽器提示輸入客戶端證書(Apache 上的證書)

  • April 7, 2017

我希望 Apache 在授權使用者繼續訪問網站之前驗證客戶的認證。

在 Chrome 中,我的錯誤是:

192.168.2.57 didn’t accept your login certificate, or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT`

在 Firefox 中,我的錯誤是:

An error occurred during a connection to 192.168.2.57. SSL peer was unable to negotiate an acceptable set of security parameters. 
Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT`

我認為問題在於我什至沒有被提示提供我的客戶證書。如何在兩個瀏覽器中啟用它?

其他一些資訊:我的根 CA 和中間 CA 儲存在 Apache 上。他們簽署了我的站點證書和我的客戶端證書,這些證書也儲存在 Apache 上。所有這些證書(根 CA、中間 CA、伺服器和客戶端)都已載入到我的瀏覽器中。

我的 Apache 配置:

<IfModule mod_ssl.c>
<VirtualHost 192.168.2.57:443>

   ServerName 192.168.2.57:443
   DocumentRoot /var/www
   ErrorLog ${APACHE_LOG_DIR}/error.log
   CustomLog ${APACHE_LOG_DIR}/access.log combined


   SSLEngine On
   SSLCertificateFile "/etc/apache2/ssl/ca/intermediate/certs/AlexSite.cert.pem"
   SSLCertificateKeyFile "/etc/apache2/ssl/ca/intermediate/private/AlexSite.key.pem"
   SSLProtocol TLSv1 TLSv1.1

   SSLCACertificateFile "/etc/apache2/ssl/ca/intermediate/certs/intermediate.cert.pem"


   <Directory /var/www/>
           Options Indexes FollowSymLinks MultiViews
           DirectoryIndex /cgi-bin/index.html

           AllowOverride None
           Order allow,deny
           Allow from all

           AddHandler mod_python .py
           PythonHandler mod_python.publisher
           PythonDebug On

           SSLVerifyClient require
           SSLVerifyDepth 1

   </Directory>

   Alias "/mysql-files/" "/var/lib/mysql-files/"
   <Directory "/var/lib/mysql-files/">
           Require all granted
           Options +Indexes
   </Directory>

   ScriptAlias /cgi-bin/ /var/www/cgi-bin/
   <Directory /var/www/cgi-bin>
           AllowOverride None
           Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
           Order allow,deny
           Allow from all
           AddHandler cgi-script .cgi .py
   </Directory>

   <FilesMatch "\.(cgi|shtml|phtml|php)$">
           SSLOptions +StdEnvVars
   </FilesMatch>
   <Directory /usr/lib/cgi-bin>
           SSLOptions +StdEnvVars
   </Directory>

   BrowserMatch "MSIE [2-6]" \
           nokeepalive ssl-unclean-shutdown \
           downgrade-1.0 force-response-1.0
   BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>`

我想到了。在我的 Apache 設置中,我更改了:

SSLCACertificatePath~~~~~~/ca/certs/ca.cert.pem

SSLVerifyDepth 1SSLVerifyDepth 10

我改變的最重要的事情是我將我的客戶端證書從 pem 轉換為 pfx

引用自:https://serverfault.com/questions/843299