Project

General

Profile

[Solved] PKI - Multiple different intermediate CAs

Added by jrodes 3 months ago

Hi, I'm using lighttpd in a PKI environment with client certificate authentication. Here is the relevant piece from my lighttpd.conf:
# mod_openssl
$SERVER["socket"] == ":443" {
  ssl.engine = "enable" 
  ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem" 
  ssl.ca-file = "/etc/lighttpd/certs/ca.pem" 
  ssl.ca-dn-file = "/etc/lighttpd/certs/dn.pem" 
  ssl.verifyclient.activate = "enable" 
  ssl.verifyclient.enforce = "enable" 
  ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN" 
  ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3")
  ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference")
}

The file ca.pem referenced by ssl.ca-file (ssl.verifyclient.ca-file in more recent versions) contains:
  • Intermediate CA certificate
  • Root CA certificate
The file dn.pem referenced by ssl.ca-dn-file (ssl.verifyclient.ca-dn-file in more recent versions) contains:
  • The same intermediate CA certificate

This configuration is working well, however I'm are running into a situation where we have a few users whose client cert was signed by a different intermediate CA. I checked the wiki, recent release notes and older forum posts, but couldn't find it documented anywhere whether or not lighttpd can be configured to allow multiple different intermediate CAs (having the same root CA). Is it possible or can lighttpd only use a single certificate chain?

If it makes any difference, I'm running lighttpd 1.4.59 in a (Linux) Docker container. (I checked lighttpd's release notes and didn't see anything that would indicate a change in functionality in more recent versions.)

Any insight would be appreciated.


Replies (5)

RE: PKI - Multiple different intermediate CAs - Added by gstrauss 3 months ago

Have you tried putting both intermediates in ssl.verifyclient.ca-dn-file (before lighttpd 1.4.60: ssl.ca-dn-file) and both intermediates plus the root CA in ssl.verifyclient.ca-file (before lighttpd 1.4.60: ssl.ca-file)?

RE: PKI - Multiple different intermediate CAs - Added by jrodes 3 months ago

I'll try it that way and let you know how it goes. Thanks.

RE: PKI - Multiple different intermediate CAs - Added by dolson 2 months ago

(I'm taking over for jrodes on the project.) Thank you for the suggestion. I tried 2 intermediates + root in the ca-file, and both intermediates in the ca-dn-file, but lighttpd gives me:
mod_openssl.c.2717) SSL: error:02001002:system library:fopen:No such file or directory /etc/lighttpd/certs/dn.pem

dn.pem is there though. If I swap the original dn.pem back in its place it works fine.

Some quick googling found sometimes open_ssl error:02001002 includes wrong format as in "Curl failed with error #58: could not load PEM client certificate, OpenSSL error error:02001002:system library:fopen:No such file or directory, (no key found, wrong pass phrase, or wrong file format?) " though I don't know it necessarily applies in my case.

Could it be lighttd just doesn't support multiple intermediate CAs?

RE: PKI - Multiple different intermediate CAs - Added by gstrauss 2 months ago

Could it be lighttd just doesn't support multiple intermediate CAs?

Could it be that you do not know what you are doing? ... Yeah, I think you should keep your "conclusions"/guesses to yourself.

mod_openssl.c.2717) SSL: error:02001002:system library:fopen:No such file or directory /etc/lighttpd/certs/dn.pem
lighttpd is reporting the error returned by the underlying openssl library function SSL_load_client_CA_file() called a few lines above mod_openssl.c line 2717.
To my reading "No such file or directory" means what it says: "No such file or directory".
Before you conclude otherwise, please verify that. You can strace lighttpd while loading your config and look for ENOENT.

RE: PKI - Multiple different intermediate CAs - Added by dolson 2 months ago

Yes, I should think how my ponderings sound before posting them. The fopen error confounded me after I verified the path and presence, yet it wouldn't open. Overwriting the same location with the original restored operation. Maybe it had something to do with doing Windows copies in external directories mounted inside the Docker Debian container. I tried it again with 2 intermediates and then 6, doing all copies in Linux, and both appear to be working. Thank you for the assistance and suggestions.

    (1-5/5)