Lighttpd SSL Secure Two-Way Authentication Error

Added by liumingxia over 3 years ago

Hi all,
I am setting up an SSL configuration with lighttpd. I use openssl to create a public/private key pair for a CA, then use it to generate a certificate signing request (CSR), and then sign it with the server and client certificate, resulting in a self-signed certificate.

The steps are as follows:
1. $ mkdir CA && cd CA
2. $ mkdir certs crl crlnumber demoCA newcerts private
$ touch serial
$ touch index.txt
$ echo 00 > serial
2. Copy the default openssl.cnf to ../CA and change the value of dir.
3. Generate a private RSA key for the CA:
$ openssl genrsa -out ca.key 2048
4. Use the generated private key to sign itself:
$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -config openssl.cnf
-------
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:shanghai
Locality Name (eg, city) []:pingpu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CA1
Organizational Unit Name (eg, section) []:CA10
Common Name (e.g. server FQDN or YOUR name) []:CA100
Email Address []:

5. Move the CA key and certificate files into place in the CA directory. The names and locations of the files are specified in the openssl.cnf file.
$ mv ca.crt ./certs
$ mv ca.key ./private
6. Generate a private key for the web server:
$ openssl genrsa -out server.key 2048
7. Create a CSR for the web server's private key:
$ openssl req -new -out server.csr -key server.key -config ./openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:shanghai
Locality Name (eg, city) []:pingpu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CA1
Organizational Unit Name (eg, section) []:CA10
Common Name (e.g. server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123123
An optional company name []:hh

8. Sign the web server's private key using the CA certificate:
$ openssl ca -in server.csr -out server.crt -cert ./certs/ca.crt -keyfile ./private/ca.key -config ./openssl.cnf
9. Create a PEM file containing the web server's private key and certificate:
$ cat server.key server.crt > server.pem
10. Similarly, I get the client private key file client.key.pem and cert client.crt, and convert the signed client certificate to PKCS#12 format:
$ openssl pkcs12 -export -clcerts -inkey client.key.pem -in client.crt -out client.p12

11. Configure lighttpd.conf:

##  SSL Support
## ------------- 
##
## To enable SSL for the whole server you have to provide a valid
## certificate and have to enable the SSL engine.::
##
    server.port = 443
    ssl.engine = "enable" 
    ssl.pemfile = "/opt/cert/https/lighttpd.pem" 
##

    ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2, TLSv1.3")
    server.name                 = "ca_server.com" 
    ssl.verifyclient.activate = "enable" 
    ssl.verifyclient.enforce =  "enable" 
    ssl.ca-file = "/opt/cert/https/ca.crt" 

12. Configure a web browser (I use Google Chrome):
In the Manage Certificates dialog, open the Trusted Root Certification Authorities tab. Click Import and select your CA certificate ca.crt. Then open the Personal tab, click Import and select the client certificate client.p12.

13. Test:
Enter https://***. A User Identification Request window will appear; choose the client certificate you imported and click OK.
It's successful!

BUT ...
If I generate two CA certs, CA_server.crt and CA_client.crt,
use CA_server.crt to sign the web server's private key and get server.crt,
use CA_client.crt to sign the web server's private key and get client.crt,
and then put CA_client.crt and server.crt on the web server:

###
##
    server.port = 443
    ssl.engine = "enable" 
    ssl.pemfile = "/opt/cert/https/lighttpd.pem" 
##

    ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2, TLSv1.3")
    server.name                 = "ca_server.com" 
    ssl.verifyclient.activate = "enable" 
    ssl.verifyclient.enforce =  "enable" 
    ssl.ca-file = "/opt/cert/https/CA_client.crt" 

When I enter "https://***", there is an error:

2019-07-25 03:54:49: (mod_openssl.c.3818) SSL: 1 error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error

Does lighttpd support the second way of generating certs?

Attachments: openssl.cnf (10.6 KB), ca.crt (1.33 KB), server.crt (4.42 KB), client.crt (4.42 KB)
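The two-CA layout from the post (CA_server signs server.crt, CA_client signs client.crt), rebuilt here as an added example with one-shot openssl commands rather than the poster's `openssl ca` directory setup; it checks which CA each leaf certificate chains to, which is what ssl.ca-file must satisfy for client certificates, and assembles the key+cert file that ssl.pemfile points at. The file names, CNs and working directory are constructed for this example.

```shell
#!/bin/sh
# Added example, not the poster's commands: two independent CAs, one leaf each,
# then chain checks that mirror what the server's ssl.ca-file has to verify.
set -e
WORK="${WORK:-$(mktemp -d)}"   # constructed scratch directory

# Issue a self-signed CA (key + cert) under the given file prefix and CN.
make_ca() {  # $1 = file prefix, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" 2>/dev/null
}

# Create a leaf key + CSR and have the named CA sign the CSR.
make_leaf() {  # $1 = leaf prefix, $2 = CA prefix, $3 = CN
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -out "$WORK/$1.crt" 2>/dev/null
}

# Exit status 0 only if leaf $1 chains to CA $2; this is the check lighttpd
# performs on a presented client cert against the CAs listed in ssl.ca-file.
verifies_against() {  # $1 = leaf prefix, $2 = CA prefix
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

build_pki() {
  make_ca CA_server "CA server"
  make_ca CA_client "CA client"
  make_leaf server CA_server ca_server.com
  make_leaf client CA_client client
  # ssl.pemfile wants the server key and cert together; the client CA goes
  # into ssl.ca-file, the server's own CA does not help verify clients.
  cat "$WORK/server.key" "$WORK/server.crt" > "$WORK/lighttpd.pem"
}

build_pki
verifies_against client CA_client && echo "client.crt chains to CA_client"
verifies_against client CA_server || echo "client.crt does NOT chain to CA_server"
```

Pointing ssl.ca-file at CA_client.crt is therefore the right choice for verifying client.crt; a mismatch between the CA in ssl.ca-file and the CA that actually signed the client certificate shows up as a failed verify exactly like the second check above.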

Replies (4)

RE: Lighttpd SSL Secure Two-Way Authentication Error - Added by gstrauss over 3 years ago

ssl.ca-file = "/opt/cert/https/CA_client.crt"

ssl.ca-file is for trusted certificate authorities (CAs). Why are you listing the client certificate? The client certificate is not a certificate authority.
ssl.ca-file should contain the public keys for server.crt and ca.crt (if client.crt was signed by server.key, and if server.crt was signed by ca.key). Since you added ca.key to the openssl trust store, you might only need ssl.ca-file to contain server.crt.

RE: Lighttpd SSL Secure Two-Way Authentication Error - Added by liumingxia over 3 years ago

Thank you for your reply!
I have to explain the second method:
use CA_server.crt to sign the web server's private key and get server.crt,
use CA_client.crt to sign the client's private key and get client.crt.

In two-way authentication, I want to use CA_client.crt to verify client.crt, so I put CA_client.crt on the server peer: ssl.ca-file = "/opt/cert/https/CA_client.crt".

I don't know if lighttpd supports this. Would you please share some experience?

RE: Lighttpd SSL Secure Two-Way Authentication Error - Added by gstrauss over 3 years ago

Yes, lighttpd supports client certificate authentication (CAs are CAs, whether custom or not, so custom CAs are supported, too, but not any differently than non-custom CAs).

However, I think you should spend a bit more time troubleshooting things yourself.
You have been inconsistent in describing your setup. I see you have mentioned (5) certificates: ca.crt, server.crt, client.crt, CA_server.crt, CA_client.crt

Please re-read my comment above about what should go into ssl.ca-file and carefully read the documentation Docs_SSL.

You may need to additionally use ssl.ca-dn-file, and you may need to review what you have saved in your browser certificate store.
Please use your favorite search engine to look up how to do these things and troubleshoot your setup.
