Ssl

curl - SSL peer does not support certificates of the type it received

  • September 15, 2018

Trying to send a request with a client certificate to an Apache server, I have the following request and error:

$ curl -X POST   https://my-server.com/dummy/user   -H 'Cache-Control: no-cache'   -H 'Content-Type: application/json'   -d '{"name_first":"Some", "name_last":"Name"}'   --insecure   -v   -i   --key-type PEM   --cert-type PEM   --cert ./my.cert.pem   --key ./my.key.pem
* About to connect() to my-server.com port 443 (#0)
*   Trying 2xx.xx.xx.xxx...
* Connected to my-server.com (2xx.xx.xx.xxx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate from file
*       subject: CN=my-common-name,OU=IT,O=My Company,L=City,C=Country
*       start date: Jul 10 07:07:55 2018 GMT
*       expire date: Jul 10 07:17:55 2020 GMT
*       common name: my-common-name
*       issuer: CN=My-CA,DC=company,DC=local
* NSS error -12225 (SSL_ERROR_UNSUPPORTED_CERT_ALERT)
* SSL peer does not support certificates of the type it received.
* Closing connection 0
curl: (35) SSL peer does not support certificates of the type it received.

The Apache configuration is:

<VirtualHost *:80>
   ServerName my-server.com
   RewriteEngine on
   RewriteCond %{SERVER_PORT} 80
   RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,QSA,L]
   Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>
<VirtualHost *:443>
   ServerName my-server.com
   ServerAdmin admin@my-company.de
   DocumentRoot "/path/to/document-root"
   ErrorLog "/path/to/logs/my-server.com.error.log"
   TransferLog "/path/to/logs/my-server.com.access.log"
   LogLevel debug

   <FilesMatch \.php$>
       SetHandler "proxy:fcgi://127.0.0.1:9000"
   </FilesMatch>

   SSLEngine on
   SSLCertificateFile "ssl-certs/my-server.com.crt"
   SSLCertificateKeyFile "ssl-certs/my-server.com.key"
   SSLCertificateChainFile "ssl-certs/my-server.com.chain.crt"
   SSLCACertificateFile "ssl-certs/my-company.ca.cert"
   SSLVerifyClient optional_no_ca
   # Not yet put in, seems like setting this to anything does not change the behaviour
   #SSLVerifyClient require
   SSLOptions +StdEnvVars
   SSLProtocol All -SSLv2 -SSLv3
   SSLHonorCipherOrder on
   SSLCipherSuite "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
   <Directory /path/to/document-root>
       <RequireAny>
           # Allow from local networks only to prevent HELIX config mistakes
           Require ip xxx.xx.x.x/16
       </RequireAny>
       AllowOverride All
   </Directory>
   SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
   AddOutputFilterByType DEFLATE text/plain text/html text/xml
   AddOutputFilterByType DEFLATE text/css text/javascript
   AddOutputFilterByType DEFLATE application/xml application/xhtml+xml
   AddOutputFilterByType DEFLATE application/rss+xml
   AddOutputFilterByType DEFLATE application/javascript application/x-javascript
</VirtualHost>

edit1 As requested in the comments, here is the output of

$ openssl x509 -in ./my.cert.pem -text -noout

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number:
           36:00:00:00:1b:84:b3:3e:00:eb:cf:61:0e:00:00:00:00:00:1b
   Signature Algorithm: sha512WithRSAEncryption
       Issuer: DC=local, DC=my-company, CN=my-company-CA
       Validity
           Not Before: Jul 10 07:07:55 2018 GMT
           Not After : Jul 10 07:17:55 2020 GMT
       Subject: C=Country, L=City, O=my-company, OU=IT, CN=my-common-name
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (4096 bit)
               Modulus:
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           1.3.6.1.4.1.311.21.7: 
               0/.'+.....7.....(...d.......Z...?.4...G...D..d...
           X509v3 Extended Key Usage: 
               TLS Web Server Authentication
           X509v3 Key Usage: critical
               Digital Signature, Key Encipherment
           1.3.6.1.4.1.311.21.10: 
               0.0
..+.......
           X509v3 Subject Key Identifier: 
               EF:2C:E2:02:6C:F5:45:82:27:CB:05:77:6B:F8:B1:22:1F:E7:29:20
           X509v3 Authority Key Identifier: 
               keyid:9C:FB:DD:C0:DD:16:D6:FF:98:31:22:0E:30:4A:B6:98:93:6A:21:6F

           X509v3 CRL Distribution Points: 

               Full Name:
                 URI:ldap:///CN=my-company-CA,CN=MY-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=my-company,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

           Authority Information Access: 
               CA Issuers - URI:ldap:///CN=my-company-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=my-company,DC=local?cACertificate?base?objectClass=certificationAuthority

   Signature Algorithm: sha512WithRSAEncryption

Edit 2

Worth pointing out the comment from @SteffenUllrich below, where you can find

openssl x509 -in ./my.cert.pem -text -noout

to check the details of the certificate in question. As the answer states, the solution to this problem is to create a new certificate that allows client authentication.

That certificate is not a client certificate. It is only a server certificate.

You can see it in the output:

           X509v3 Extended Key Usage: 
               TLS Web Server Authentication

A client certificate would instead have:

           X509v3 Extended Key Usage: 
               TLS Web Client Authentication

or:

           X509v3 Extended Key Usage: 
               TLS Web Server Authentication, TLS Web Client Authentication

(such a certificate can be used as either a server certificate or a client certificate)

Go back to your CA and request a proper client certificate.
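As an added example (not part of the question or the answer), here is a Go check for the condition the answer describes: it parses a PEM certificate and reports whether its Extended Key Usage permits TLS client authentication, returning false for a serverAuth-only certificate like the one above. It builds its own self-signed sample certificate inline (a constructed sample, not the asker's file) and treats a certificate with no EKU extension as unrestricted, as RFC 5280 does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// makeCert builds a self-signed sample certificate (constructed here, not the
// asker's) carrying the given Extended Key Usage values, PEM-encoded.
func makeCert(eku []x509.ExtKeyUsage) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  eku, // empty slice: no EKU extension is written at all
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// ClientAuthOK reports whether a PEM certificate may be used for TLS client auth:
// EKU must include clientAuth or anyExtendedKeyUsage; no EKU extension means unrestricted.
func ClientAuthOK(pemBytes []byte) (bool, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	allowed := len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0
	for _, u := range cert.ExtKeyUsage {
		allowed = allowed || u == x509.ExtKeyUsageClientAuth || u == x509.ExtKeyUsageAny
	}
	return allowed, nil // false for a serverAuth-only cert like the one in the question
}

func main() {
	ok, _ := ClientAuthOK(makeCert([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}))
	println("server-only certificate usable for client auth:", ok) // false
}
```

Running the same check against `./my.cert.pem` before handing it to `curl --cert` would have flagged the problem without a TLS round trip.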

Source: https://serverfault.com/questions/923432