curl - SSL peer does not support certificates of the type it received
When trying to send a request with a client certificate to an Apache server, I get the following request and error:
$ curl -X POST https://my-server.com/dummy/user -H 'Cache-Control: no-cache' -H 'Content-Type: application/json' -d '{"name_first":"Some", "name_last":"Name"}' --insecure -v -i --key-type PEM --cert-type PEM --cert ./my.cert.pem --key ./my.key.pem
* About to connect() to my-server.com port 443 (#0)
* Trying 2xx.xx.xx.xxx...
* Connected to my-server.com (2xx.xx.xx.xxx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate from file
* subject: CN=my-common-name,OU=IT,O=My Company,L=City,C=Country
* start date: Jul 10 07:07:55 2018 GMT
* expire date: Jul 10 07:17:55 2020 GMT
* common name: my-common-name
* issuer: CN=My-CA,DC=company,DC=local
* NSS error -12225 (SSL_ERROR_UNSUPPORTED_CERT_ALERT)
* SSL peer does not support certificates of the type it received.
* Closing connection 0
curl: (35) SSL peer does not support certificates of the type it received.
Apache configuration:
<VirtualHost *:80>
ServerName my-server.com
RewriteEngine on
RewriteCond %{SERVER_PORT} 80
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,QSA,L]
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>
<VirtualHost *:443>
ServerName my-server.com
ServerAdmin admin@my-company.de
DocumentRoot "/path/to/document-root"
ErrorLog "/path/to/logs/my-server.com.error.log"
TransferLog "/path/to/logs/my-server.com.access.log"
LogLevel debug
<FilesMatch \.php$>
SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>
SSLEngine on
SSLCertificateFile "ssl-certs/my-server.com.crt"
SSLCertificateKeyFile "ssl-certs/my-server.com.key"
SSLCertificateChainFile "ssl-certs/my-server.com.chain.crt"
SSLCACertificateFile "ssl-certs/my-company.ca.cert"
SSLVerifyClient optional_no_ca
# Not yet put in, seems like setting this to anything does not change the behaviour
#SSLVerifyClient require
SSLOptions +StdEnvVars
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
<Directory /path/to/document-root>
<RequireAny>
# Allow from local networks only to prevent HELIX config mistakes
Require ip xxx.xx.x.x/16
</RequireAny>
AllowOverride All
</Directory>
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
AddOutputFilterByType DEFLATE text/plain text/html text/xml
AddOutputFilterByType DEFLATE text/css text/javascript
AddOutputFilterByType DEFLATE application/xml application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript application/x-javascript
</VirtualHost>
edit 1 As requested in the comments, here is the output of
$ openssl x509 -in ./my.cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
36:00:00:00:1b:84:b3:3e:00:eb:cf:61:0e:00:00:00:00:00:1b
Signature Algorithm: sha512WithRSAEncryption
Issuer: DC=local, DC=my-company, CN=my-company-CA
Validity
Not Before: Jul 10 07:07:55 2018 GMT
Not After : Jul 10 07:17:55 2020 GMT
Subject: C=Country, L=City, O=my-company, OU=IT, CN=my-common-name
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:b4:e1:f3:e7:05:3e:44:fa:33:10:48:cb:7f:97:
89:66:da:48:8b:9e:5a:91:63:01:88:1b:99:66:d1:
9d:ed:73:72:ef:02:78:08:80:01:ce:ca:f8:ee:f2:
93:eb:77:e8:54:93:c3:f3:59:31:de:51:3d:7f:f7:
a5:ac:32:22:48:da:d5:91:a7:9c:b5:26:ab:2f:b1:
dd:6c:89:79:01:40:d6:d9:70:4d:04:d3:ef:bb:27:
28:cf:36:ca:d1:56:11:dd:21:53:0a:64:58:44:e4:
36:9e:f8:4a:65:38:10:1b:56:a5:94:fb:24:98:e0:
09:2c:8b:a7:9d:4e:81:e0:5e:68:35:c2:dc:90:f8:
7f:f1:0d:cc:56:1f:b6:73:d2:5f:c0:61:e4:85:5a:
e2:19:38:c9:b0:18:76:6c:86:87:c1:19:a9:f3:c9:
4e:2c:b9:c6:bd:05:ca:fc:ed:fc:b2:8d:ed:14:0f:
d4:b6:c1:1c:a3:44:44:b1:22:2d:75:4d:4c:30:33:
55:b7:47:3c:83:43:a4:7c:d9:c4:0f:3b:e5:2d:13:
64:5c:c9:de:8e:60:50:6b:26:d3:03:26:87:21:6c:
c9:98:0c:33:c3:22:b6:1b:ef:64:2b:14:aa:01:28:
9d:dc:c6:bb:33:b6:08:be:21:f9:0a:7b:20:81:33:
96:27:90:33:e9:eb:38:cc:39:73:81:0a:f2:81:31:
69:59:c9:74:b9:fb:fb:50:d5:7b:72:01:c9:ad:5b:
6a:7a:0d:ff:f5:b0:5b:d3:7e:f3:2b:6b:30:fc:69:
ee:4f:4a:2c:24:f5:41:31:ad:4b:87:90:69:15:a9:
97:6e:2d:e4:e7:0f:01:a7:06:7a:2e:24:e1:36:90:
ab:88:ff:54:5e:b5:58:71:9a:f1:28:48:a5:c0:ae:
84:fd:4d:ab:17:70:8f:e9:4b:fc:74:af:60:6f:b9:
e7:32:4a:38:01:95:d0:ee:c7:10:52:22:94:92:85:
1b:4a:30:f1:b2:e6:14:f9:74:0b:4a:d5:72:9d:94:
01:41:03:b3:77:fc:01:e5:65:18:ed:85:a3:a6:a4:
bf:55:42:7e:04:eb:cb:e8:c8:89:77:92:fc:b4:38:
5e:8c:f9:f6:c3:b6:f6:17:ce:25:34:d3:bc:72:fa:
c1:04:fe:12:34:8f:7e:d1:ee:48:93:71:bc:74:68:
92:f1:39:7a:4d:17:b0:5e:5d:37:ed:96:f5:07:0e:
97:e2:e5:09:96:21:49:89:2a:ec:fb:1b:e4:b9:95:
8d:a0:32:23:ef:bb:7d:15:cb:18:54:01:9e:67:b9:
e7:37:fd:87:77:28:24:8e:72:60:c0:48:7d:44:a1:
d9:f8:b5
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.7:
0/.'+.....7.....(...d.......Z...?.4...G...D..d...
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
1.3.6.1.4.1.311.21.10:
0.0
..+.......
X509v3 Subject Key Identifier:
EF:2C:E2:02:6C:F5:45:82:27:CB:05:77:6B:F8:B1:22:1F:E7:29:20
X509v3 Authority Key Identifier:
keyid:9C:FB:DD:C0:DD:16:D6:FF:98:31:22:0E:30:4A:B6:98:93:6A:21:6F
X509v3 CRL Distribution Points:
Full Name:
URI:ldap:///CN=my-company-CA,CN=MY-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=my-company,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Authority Information Access:
CA Issuers - URI:ldap:///CN=my-company-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=my-company,DC=local?cACertificate?base?objectClass=certificationAuthority
Signature Algorithm: sha512WithRSAEncryption
46:16:3f:33:93:31:87:6b:31:02:f6:a6:b1:d0:90:94:d9:3d:
b5:a8:aa:ff:15:32:c1:2e:50:1b:41:cc:75:5c:93:76:01:87:
a2:ce:46:18:01:4b:98:cd:36:ea:1a:6c:28:9a:40:a4:67:83:
7f:28:c7:78:98:d1:07:be:59:06:dc:f6:b0:e5:6a:d8:6d:e0:
a9:43:5d:5b:7b:61:1e:0d:38:af:a4:55:e0:af:db:26:16:a2:
42:fe:27:36:07:b5:c5:e8:93:bd:e3:df:17:66:c4:b8:12:5e:
d0:46:48:68:ac:28:2c:08:5e:52:47:ad:c0:b3:6e:69:20:e2:
00:3b:12:5e:fa:eb:32:be:4c:f4:9e:cb:a7:a0:c6:cf:e5:bc:
d9:de:1e:6a:c0:17:22:43:23:a9:6c:3f:48:dd:26:44:22:58:
fa:3d:d9:61:a0:76:2b:f8:d5:ae:c1:97:4d:ba:81:25:a4:44:
2c:8d:5d:4c:d3:05:a7:eb:b7:9b:08:3c:4c:2c:c0:9d:2a:d6:
47:7e:96:87:60:e8:b4:9d:73:25:9b:2e:0b:23:d0:14:7c:82:
9d:ec:07:a8:26:9a:28:e7:c1:a4:fa:e8:28:b6:44:54:81:c6:
92:05:1b:7f:4e:a6:b9:81:ca:c6:c6:65:ab:b8:7d:32:2d:fa:
dd:72:f0:ad:3f:c0:e5:f9:b2:dc:67:f6:9f:7e:b5:16:24:b0:
f8:39:35:4a:49:a5:c4:44:bc:6b:f2:2e:9c:f0:29:32:bd:d3:
70:6b:f3:a4:a6:8b:12:a2:c3:c8:0a:66:cb:50:98:91:a7:1a:
b4:7a:52:58:fe:e5:f5:db:dd:52:c9:38:36:00:6a:4f:23:48:
78:10:68:c8:58:7f:78:69:95:6a:3b:0e:e9:53:b7:cc:17:9e:
57:a4:5f:6d:b5:3f:f7:10:37:b2:70:20:b4:b0:65:2b:52:f8:
67:b2:de:57:1e:b7:5d:23:09:f4:39:66:a8:09:28:1f:58:d8:
c2:e7:73:46:a6:5b:d1:3c:53:90:da:29:99:b9:2f:b7:82:20:
ae:9e:41:37:ab:3c:a8:aa:a1:e4:be:0b:1a:5f:45:a5:8e:01:
a6:cd:92:b5:7c:b1:7b:ca:80:d7:47:d5:c2:aa:b3:cd:61:f2:
fa:91:4f:59:bf:df:06:40:c5:2b:32:d6:d4:8c:3a:a0:32:e2:
75:6f:e8:21:13:99:9f:5e:f3:9f:33:51:0a:41:3a:af:eb:c1:
5c:b9:22:a9:e4:80:7c:11:d0:da:59:17:e2:74:e5:6f:0a:8d:
6a:95:c1:cb:1c:e1:8c:1c:2e:08:8c:db:7f:db:69:96:73:fe:
5a:08:85:26:fd:5d:0d:cd
edit 2
It is worth pointing to @SteffenUllrich's comment below, where you will find
openssl x509 -in ./my.cert.pem -text -noout
to check the details of the certificate in question. As the answer says, the solution to this problem was to create a new certificate that permits client authentication.
1 answer
Solution
This certificate is not a client certificate. It is only a server certificate.
You can see this in the output:
X509v3 Extended Key Usage:
TLS Web Server Authentication
A client certificate would instead say:
X509v3 Extended Key Usage:
TLS Web Client Authentication
or:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
(such a certificate can be used either as a server certificate or as a client certificate)
Go back to your CA and request a proper client certificate.
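As an added example (not part of the question or the answer above), the following stdlib-only Python script shows what the X509v3 Extended Key Usage extension the answer points at looks like on the wire, and performs the check a TLS server effectively performs: an EKU that lists only serverAuth cannot be used for client authentication. The minimal DER helpers, the OID constants (id-ce-extKeyUsage 2.5.29.37, id-kp-serverAuth 1.3.6.1.5.5.7.3.1, id-kp-clientAuth 1.3.6.1.5.5.7.3.2) and the four sample Extensions blocks are constructed here for illustration; they are not the bytes of the question's certificate, and in production you would read the extension with a proper X.509 library rather than this hand parser.

```python
"""Inspect the X509v3 Extended Key Usage (EKU) extension in DER, stdlib only.
Added example: DER helpers and sample extension blocks are constructed here."""

EKU_OID = "2.5.29.37"              # id-ce-extKeyUsage
KEY_USAGE_OID = "2.5.29.15"        # id-ce-keyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
EKU_NAMES = {                      # long names as printed by `openssl x509 -text`
    SERVER_AUTH: "TLS Web Server Authentication",
    CLIENT_AUTH: "TLS Web Client Authentication",
}


def tlv(tag, body):
    """Wrap body in a DER tag-length-value with definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Read one TLV at buf[pos]; return (tag, body, position after it)."""
    tag, pos = buf[pos], pos + 1
    n, pos = buf[pos], pos + 1
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                          # base-128, high bit on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def make_extension(oid, value_der, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }"""
    inner = tlv(0x06, encode_oid(oid))
    if critical:
        inner += tlv(0x01, b"\xff")
    return tlv(0x30, inner + tlv(0x04, value_der))


def make_eku(*purposes):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (OID)."""
    return tlv(0x30, b"".join(tlv(0x06, encode_oid(p)) for p in purposes))


# keyUsage = digitalSignature | keyEncipherment (BIT STRING, 5 unused bits)
KEY_USAGE_DS_KE = tlv(0x03, b"\x05\xa0")

# Constructed sample Extensions blocks (SEQUENCE OF Extension)
SERVER_ONLY = tlv(0x30, make_extension(KEY_USAGE_OID, KEY_USAGE_DS_KE, critical=True)
                  + make_extension(EKU_OID, make_eku(SERVER_AUTH)))
CLIENT_ONLY = tlv(0x30, make_extension(EKU_OID, make_eku(CLIENT_AUTH)))
DUAL_USE = tlv(0x30, make_extension(EKU_OID, make_eku(SERVER_AUTH, CLIENT_AUTH)))
NO_EKU = tlv(0x30, make_extension(KEY_USAGE_OID, KEY_USAGE_DS_KE, critical=True))


def find_extension(extensions_der, want_oid):
    """Return (critical, extnValue content) for the extension with want_oid, else None."""
    _, seq, _ = read_tlv(extensions_der, 0)
    pos = 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        if decode_oid(oid_body) != want_oid:
            continue
        tag, body, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                           # optional critical BOOLEAN present
            critical = body == b"\xff"
            tag, body, p = read_tlv(ext, p)
        return critical, body                     # content of the OCTET STRING
    return None


def extended_key_usage(extensions_der):
    """List of KeyPurposeId OIDs, or None when there is no EKU extension."""
    found = find_extension(extensions_der, EKU_OID)
    if found is None:
        return None
    _, seq, _ = read_tlv(found[1], 0)
    purposes, pos = [], 0
    while pos < len(seq):
        _, oid_body, pos = read_tlv(seq, pos)
        purposes.append(decode_oid(oid_body))
    return purposes


def describe_eku(extensions_der):
    """Render the EKU the way `openssl x509 -text` prints it."""
    eku = extended_key_usage(extensions_der)
    if eku is None:
        return "(no Extended Key Usage extension)"
    return ", ".join(EKU_NAMES.get(p, p) for p in eku)


def usable_as_client_cert(extensions_der):
    """RFC 5280: no EKU means any purpose; with an EKU, clientAuth must be listed."""
    eku = extended_key_usage(extensions_der)
    return eku is None or CLIENT_AUTH in eku


if __name__ == "__main__":
    for name, ext in [("server-only", SERVER_ONLY), ("client-only", CLIENT_ONLY),
                      ("dual-use", DUAL_USE), ("no EKU", NO_EKU)]:
        print(f"{name:12s} EKU: {describe_eku(ext):62s} client cert ok: {usable_as_client_cert(ext)}")
```

The server-only sample reproduces the situation in the question: `describe_eku` prints "TLS Web Server Authentication" and `usable_as_client_cert` returns False, which is exactly why the TLS handshake fails with an unsupported-certificate alert. The dual-use sample corresponds to the "TLS Web Server Authentication, TLS Web Client Authentication" line in the answer.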