I am deploying httpd. I need to configure SSL so that the client is verified according to its client certificate.
For this I have a p12 file containing the private key, the client certificate and the CA chain certificates:
CA chain certificates:
➜ ~ openssl pkcs12 -in fitxers.p12 -cacerts -nokeys
Bag Attributes
...
-----BEGIN CERTIFICATE-----
$$$$$$$...
-----END CERTIFICATE-----
Bag Attributes
...
-----BEGIN CERTIFICATE-----
$$$$$$$...
-----END CERTIFICATE-----
Client certificate:
➜ ~ openssl pkcs12 -in fitxers.p12 -clcerts -nokeys
Bag Attributes
...
-----BEGIN CERTIFICATE-----
$$$$$$$...
-----END CERTIFICATE-----
Client private key:
➜ ~ openssl pkcs12 -in fitxers.p12 -nocerts
Bag Attributes
...
-----BEGIN PRIVATE KEY-----
$$$$$$$...
-----END PRIVATE KEY-----
To split this p12 file into separate certificate and key files:
➜ ~ openssl pkcs12 -in container.p12 -nocerts -out client.key.pem
➜ ~ openssl pkcs12 -in fitxers.p12 -clcerts -nokeys -out client.crt
➜ ~ openssl pkcs12 -in fitxers.p12 -cacerts -nokeys -out cacerts.crt
So, from this point on I have configured my httpd as:
SSLEngine On
SSLCACertificateFile /usr/local/apache2/conf/cacerts.crt
...
I try to establish a connection using curl:
curl --cert client.crt --key client.key.pem https://localhost:8080/token -v
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
Enter PEM pass phrase:
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
In the httpd server logs I get:
[Tue Sep 17 11:17:28.144219 2019] [ssl:info] [pid 8:tid 139871525332736] [client 10.0.2.4:52926] AH01964: Connection to child 68 established (server 10.0.2.47:443)
[Tue Sep 17 11:17:28.148318 2019] [ssl:debug] [pid 8:tid 139871525332736] ssl_engine_kernel.c(2375): [client 10.0.2.4:52926] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Tue Sep 17 11:17:28.155178 2019] [ssl:info] [pid 8:tid 139871525332736] [client 10.0.2.4:52926] AH02008: SSL library error 1 in handshake (server 10.0.2.47:443)
[Tue Sep 17 11:17:28.155569 2019] [ssl:info] [pid 8:tid 139871525332736] SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46)
[Tue Sep 17 11:17:28.155609 2019] [ssl:info] [pid 8:tid 139871525332736] [client 10.0.2.4:52926] AH01998: Connection closed to child 68 with abortive shutdown (server 10.0.2.47:443)
[Tue Sep 17 11:19:01.114529 2019] [ssl:info] [pid 8:tid 139871448463104] [client 10.255.0.2:48060] AH01964: Connection to child 69 established (server 10.0.2.47:443)
[Tue Sep 17 11:19:01.114667 2019] [ssl:debug] [pid 8:tid 139871448463104] ssl_engine_kernel.c(2354): [client 10.255.0.2:48060] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Sep 17 11:19:01.114674 2019] [ssl:debug] [pid 8:tid 139871448463104] ssl_engine_kernel.c(2354): [client 10.255.0.2:48060] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Sep 17 11:19:01.114679 2019] [core:debug] [pid 8:tid 139871448463104] protocol.c(2314): [client 10.255.0.2:48060] AH03155: select protocol from , choices=h2,http/1.1 for server 10.0.2.47
[Tue Sep 17 11:19:01.117705 2019] [ssl:info] [pid 8:tid 139871448463104] [client 10.255.0.2:48060] AH02008: SSL library error 1 in handshake (server 10.0.2.47:443)
[Tue Sep 17 11:19:01.117827 2019] [ssl:info] [pid 8:tid 139871448463104] SSL Library Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (SSL alert number 48)
[Tue Sep 17 11:19:01.117858 2019] [ssl:info] [pid 8:tid 139871448463104] [client 10.255.0.2:48060] AH01998: Connection closed to child 69 with abortive shutdown (server 10.0.2.47:443)
I also tried using cacerts.pem with curl --cacert ./cacerts.pem --cert client.crt --key client.key.pem https://localhost:8080/token -v
Any ideas?
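The following is an added example and not part of the question above. It builds a throwaway CA, issues a client and a server certificate from it, bundles the client material into a PKCS#12 container, splits that container with the same `openssl pkcs12 -nocerts` / `-clcerts -nokeys` / `-cacerts -nokeys` invocations as the post, and then checks with `openssl verify` which certificates chain to the extracted cacerts.crt. The CA names, the export password `secret`, the second "Unrelated CA" and the `stray` certificate it signs are all constructed for the demonstration; the file names mirror the post. Unlike the post's command, the key is extracted with `-nodes`, so no PEM pass phrase is asked for. The last check reproduces the OpenSSL verify text "unable to get local issuer certificate", which is the same X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error curl reports as (60) when the peer's certificate does not chain to the CA bundle curl was given.

```shell
#!/bin/sh
# Added example (not from the original post): split a PKCS#12 file and check
# that its pieces chain to each other. All keys and certificates are generated
# locally in a temporary directory; nothing here touches a real host.
set -eu
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA. $1 = file prefix, $2 = CN (hypothetical names).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Leaf certificate signed by a CA. $1 = CA prefix, $2 = leaf prefix,
# $3 = CN, $4 = extendedKeyUsage (clientAuth or serverAuth).
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$4" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# Client key + client cert + CA chain in one PKCS#12 container, as in the post.
bundle_p12() {
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -certfile "$WORK/ca.crt" -passout pass:secret -out "$WORK/fitxers.p12"
}

# The post's three extraction commands; -nodes keeps the key unencrypted so
# curl will not prompt "Enter PEM pass phrase".
split_p12() {
  openssl pkcs12 -in "$WORK/fitxers.p12" -passin pass:secret -nocerts -nodes \
    -out "$WORK/client.key.pem"
  openssl pkcs12 -in "$WORK/fitxers.p12" -passin pass:secret -clcerts -nokeys \
    -out "$WORK/client.crt.pem"
  openssl pkcs12 -in "$WORK/fitxers.p12" -passin pass:secret -cacerts -nokeys \
    -out "$WORK/cacerts.crt"
}

# Print "OK" if $1 chains to the extracted cacerts.crt, otherwise the
# OpenSSL verify error text (e.g. "unable to get local issuer certificate").
verify_reason() {
  if openssl verify -CAfile "$WORK/cacerts.crt" "$1" >/dev/null 2>&1; then
    echo OK
  else
    openssl verify -CAfile "$WORK/cacerts.crt" "$1" 2>&1 \
      | sed -n 's/.*lookup: *//p' | head -n 1
  fi
}

# Do the extracted key and client cert belong together? Compare public keys.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/client.key.pem" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$WORK/client.crt.pem" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

make_ca ca "Example Test CA"          # the CA whose chain is inside the p12
make_ca otherca "Unrelated CA"        # a CA that is NOT in cacerts.crt
issue_leaf ca client client-01 clientAuth
issue_leaf ca server localhost serverAuth
issue_leaf otherca stray localhost serverAuth   # server cert from the wrong CA
bundle_p12
split_p12

echo "client.crt.pem vs cacerts.crt: $(verify_reason "$WORK/client.crt.pem")"
echo "server.crt     vs cacerts.crt: $(verify_reason "$WORK/server.crt")"
echo "stray.crt      vs cacerts.crt: $(verify_reason "$WORK/stray.crt")"
if key_matches_cert; then
  echo "client.key.pem matches client.crt.pem"
else
  echo "client.key.pem does NOT match client.crt.pem"
fi
```

Run it as `sh split-and-verify.sh`. The first two checks print OK; the third prints the same "unable to get local issuer certificate" text seen in the curl output above, because stray.crt was signed by a CA that is not in cacerts.crt. Run the same `openssl verify -CAfile cacerts.crt` against the certificate the server actually presents (for example one saved with `openssl s_client -showcerts`) to see whether the bundle passed to `curl --cacert` can validate it.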