openssl client authentication error: tlsv1 alert unknown ca: ... SSL alert number 48

Posted by JoJoeDad on Server Fault
Published on 2012-11-29T05:27:36Z

I've generated a certificate using openssl and placed it on the client's machine, but when I try to connect to my server using that certificate, I get the error mentioned in the subject line back from my server.

Here's what I've done.

1) I do a test connect using openssl to see what the acceptable client certificate CA names are for my server, I issue this command from my client machine to my server:

openssl s_client -connect myupload.mysite.net:443/cgi-bin/posupload.cgi -prexit

and part of what I get back is as follow:

Acceptable client certificate CA names
/C=US/ST=Colorado/L=England/O=Inteliware/OU=Denver Office/CN=Tim Drake/[email protected]
/C=US/ST=Colorado/O=Inteliware/OU=Denver Office/CN=myupload.mysite.net/[email protected]

2) Here is what is in the apache configuration file on the server regarding SSL client authentication:

SSLCACertificatePath /etc/apache2/certs

SSLVerifyClient require 
SSLVerifyDepth  10

3) I generated a self-signed client certificate called "client.pem" using mypos.pem and mypos.key, so when I run this command:

openssl x509 -in client.pem -noout -issuer -subject -serial

here is what is returned:

issuer= /C=US/ST=Colorado/O=Inteliware/OU=Denver Office/CN=myupload.mysite.net/[email protected]
subject= /C=US/ST=Colorado/O=Inteliware/OU=Denver Office/CN=mlR::mlR/[email protected]
serial=0E

(please note that mypos.pem is in /etc/apache2/certs/ and mypos.key is saved in /etc/apache2/certs/private/)

4) I put client.pem on the client machine, and on the client machine, I run the following command:

openssl s_client -connect myupload.mysite.net:443/cgi-bin/posupload.cgi -status -cert client.pem

and I get this error:

CONNECTED(00000003)
OCSP response: no response sent
depth=1 /C=US/ST=Colorado/L=England/O=Inteliware/OU=Denver Office/CN=Tim Drake/[email protected]
verify error:num=19:self signed certificate in certificate chain
verify return:0
574:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s3_pkt.c:1102:SSL alert number 48
574:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s23_lib.c:182:

I'm really stumped as to what I've done wrong. I've searched quite a bit on this error and what I found is that people are saying the issuing CA of the client's certificate is not trusted by the server, yet when I look at the issuer of my client certificate, it matches one of the acceptable CAs returned by my server.

Can anyone help, please?

Thank you in advance.
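Added example (not part of the original post or the poster's setup): an offline reproduction of the two server-side conditions behind "unknown ca" with SSLCACertificatePath, using a constructed CA and client certificate in a temporary directory. The subject names, file names and the `diagnose` helper are assumptions for the demonstration; mod_ssl's documented requirement that the directory be accessed through hashed file names (what `c_rehash` / `openssl rehash` creates) is the point being checked.

```shell
#!/bin/sh
# Added example: mimic, offline, the checks the server's verifier applies to a
# client certificate presented under SSLVerifyClient require + SSLCACertificatePath.
set -u
WORK=$(mktemp -d); CAPATH="$WORK/certs"; mkdir -p "$CAPATH"
cd "$WORK"

# Constructed CA (stand-in for mypos.pem) marked CA:TRUE, then a client cert it signs.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
  -subj '/C=US/ST=Colorado/O=Example/CN=example-ca' 2>/dev/null
openssl x509 -req -in ca.csr -signkey ca.key -days 1 -extfile ca.ext -out ca.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj '/C=US/ST=Colorado/O=Example/CN=pos-client' 2>/dev/null
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 1 -extfile client.ext -out client.pem 2>/dev/null

# diagnose CAPATH CLIENT_PEM: returns 0 only when a CApath-based verifier would
# accept the client certificate; prints the first failing condition otherwise.
diagnose() {
  capath=$1; client=$2
  hash=$(openssl x509 -in "$client" -noout -issuer_hash)
  # mod_ssl looks the issuer up by hashed file name (<hash>.0); a bare copy of
  # the CA file in the directory is never found without that link.
  if [ ! -e "$capath/$hash.0" ]; then
    echo "FAIL: no $hash.0 in $capath (directory not rehashed, or issuer CA missing)"; return 1
  fi
  # The issuer must itself be a CA: OpenSSL rejects a v3 issuer lacking CA:TRUE.
  if ! openssl x509 -in "$capath/$hash.0" -noout -text | grep -q 'CA:TRUE'; then
    echo "FAIL: issuer in $capath/$hash.0 is not marked CA:TRUE"; return 1
  fi
  # Full chain validation, the same check the server performs on the handshake.
  openssl verify -CApath "$capath" "$client" >/dev/null 2>&1 \
    || { echo "FAIL: $client does not chain to a CA in $capath"; return 1; }
  echo "OK: $client chains to a trusted CA in $capath"
}

# Case 1: CA copied into the directory but not rehashed -> lookup by hash fails.
cp ca.pem "$CAPATH/mypos.pem"
if diagnose "$CAPATH" client.pem; then UNHASHED=0; else UNHASHED=1; fi
# Case 2: add the hashed link (what c_rehash / openssl rehash does) -> accepted.
ln -s mypos.pem "$CAPATH/$(openssl x509 -in ca.pem -noout -hash).0"
if diagnose "$CAPATH" client.pem; then HASHED=0; else HASHED=1; fi
```

Running `diagnose /etc/apache2/certs client.pem` on the server reports which of the three conditions fails for a real client certificate without touching Apache.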
