# apache2 client certificate authentication; error code -12227

## BoBoeBoe

I want to use client authentication in combination with several vhosts on my apache server.

I created the keys as described by Jurgen Wahlsten.

These certificates work fine using `SSLCertificateChainFile`.

If the CA.crt file is installed on the client, the client/server is trusted automatically.

However, when I switch to

```
SSLVerifyClient require
SSLVerifyDepth  10
```

I get the following error message:

> www.mydomain.com has received an incorrect and unexpected message. Error code -12227

Could anyone help out what goes wrong here?

By the way, this is my 41_mod_ssl_default-vhost.conf that works fine (SSLCertificateChainFile).

```
<IfDefine SSL>
  <IfModule !mod_ssl.c>
    LoadModule ssl_module    extramodules/mod_ssl.so
  </IfModule>
</IfDefine>

<IfModule mod_ssl.c>
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>

#  General setup for the virtual host
DocumentRoot "/var/www/localhost/htdocs"
#ServerName localhost:443
#ServerAdmin root@localhost
ErrorLog logs/ssl_error_log
<IfModule mod_log_config.c>
TransferLog logs/ssl_access_log
</IfModule>

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again. A test
#   certificate can be generated with `make certificate' under
#   built time. Keep in mind that if you've both a RSA and a DSA
#   certificate you can configure both in parallel (to also allow
#   the use of DSA ciphers, etc.)
SSLCertificateFile conf/ssl/www.bliek.conf.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile conf/ssl/www.bliek.conf.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
SSLCertificateChainFile conf/ssl/bliek.conf-ca.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath conf/ssl
#SSLCACertificateFile conf/ssl/bliek.conf-ca.crt

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCARevocationPath conf/ssl/ssl.crl
#SSLCARevocationFile conf/ssl/ca-bundle.crl

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10
```

The 41_mod_ssl_default-vhost.conf that gives the trouble looks like:

```
<IfDefine SSL>
  <IfModule !mod_ssl.c>
    LoadModule ssl_module    extramodules/mod_ssl.so
  </IfModule>
</IfDefine>

<IfModule mod_ssl.c>
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>

#  General setup for the virtual host
DocumentRoot "/var/www/localhost/htdocs"
#ServerName localhost:443
#ServerAdmin root@localhost
ErrorLog logs/ssl_error_log
<IfModule mod_log_config.c>
TransferLog logs/ssl_access_log
</IfModule>

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again. A test
#   certificate can be generated with `make certificate' under
#   built time. Keep in mind that if you've both a RSA and a DSA
#   certificate you can configure both in parallel (to also allow
#   the use of DSA ciphers, etc.)
SSLCertificateFile conf/ssl/www.mydomain.com.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile conf/ssl/www.mydomain.com.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile conf/ssl/mydomain.com-ca.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
SSLCACertificatePath conf/ssl
SSLCACertificateFile conf/ssl/mydomain.com-ca.crt

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCARevocationPath conf/ssl/ssl.crl
#SSLCARevocationFile conf/ssl/ca-bundle.crl

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
SSLVerifyClient require
SSLVerifyDepth  10
```

----------

## BoBoeBoe

The problem lies within the certificates; how to test this is explained on:

http://www.openssl.org/support/faq.html#USER10

The solution is really easy once you are aware of the existence of CA.pl, a user-friendly interface for the openssl programs, which is distributed along with openssl. It is described at:

http://www.openssl.org/docs/apps/CA.pl.html

For a practical example of how to secure your apache webserver, have a look at http://www.freebsddiary.org/openssl-client-authentication.php

----------
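Added example, not part of either post above: the follow-up says the certificates themselves were the problem, and the two things a defender wants to check before touching the vhost are (a) that the client certificate really chains to the CA named in `SSLCACertificateFile`, and (b) that the directory given to `SSLCACertificatePath` carries the `<subject-hash>.0` symlinks the config comment mentions. The script below builds a throwaway PKI with `openssl` (all file names, CA names and the temp directory are constructed here), then runs `openssl verify` against the right CA, against an unrelated CA (the failure case), and through a hashed CA directory. It assumes an `openssl` binary on `PATH`; nothing here is tied to the poster's domain or files.

```shell
#!/bin/sh
# Constructed test PKI: two independent self-signed CAs and one client
# certificate issued by the first. Nothing here comes from the thread.
make_test_pki() {
    dir="$1"
    # "openssl req -x509" produces a self-signed CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.crt" 2>/dev/null
    # Client key + CSR, signed by the first CA: this is what a browser would present.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" 2>/dev/null
}

# Exit 0 if CERT chains to the bundle CAFILE, i.e. what mod_ssl would accept
# with "SSLCACertificateFile CAFILE" and "SSLVerifyClient require".
verify_client_cert() {
    cafile="$1"; cert="$2"
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
}

# SSLCACertificatePath does not read plain files; it looks up <subject-hash>.0
# symlinks. Build such a directory for one CA cert and print its path.
make_hash_dir() {
    dir="$1"; cacert="$2"
    mkdir -p "$dir/capath"
    h=$(openssl x509 -hash -noout -in "$cacert")
    ln -sf "$cacert" "$dir/capath/$h.0"
    printf '%s\n' "$dir/capath"
}

# Exit 0 if CERT verifies using only the hashed directory CAPATH.
verify_via_capath() {
    capath="$1"; cert="$2"
    openssl verify -CApath "$capath" "$cert" >/dev/null 2>&1
}

# Stand-alone demo: build the PKI and run the three checks.
WORK=$(mktemp -d)
make_test_pki "$WORK"
if verify_client_cert "$WORK/ca.crt" "$WORK/client.crt"; then
    echo "client.crt chains to ca.crt: OK"
fi
if ! verify_client_cert "$WORK/other-ca.crt" "$WORK/client.crt"; then
    echo "client.crt against other-ca.crt: rejected (a wrong SSLCACertificateFile looks like this)"
fi
CAPATH=$(make_hash_dir "$WORK" "$WORK/ca.crt")
if verify_via_capath "$CAPATH" "$WORK/client.crt"; then
    echo "verify via hashed SSLCACertificatePath-style directory: OK"
fi
```

If the second check passes (the client cert verifies against the wrong CA) or the third fails while the first succeeds, the vhost is pointed at the wrong bundle or the hash symlinks are stale; `c_rehash` (or `openssl rehash` on newer releases) regenerates the links for a whole directory, which is what the "provided Makefile" in the config comment does.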

