I have two sites on different hosts protected by the same SSL certificate, one Apache2, one JBOSS.
My process:
I installed the client certificate and the CA certificate in all browsers. (Installing the CA certificate is not necessary, but it gets rid of the red / danger icon in the URL bar.)
Ubuntu 14.04
ERR_BAD_SSL_CLIENT_AUTH_CERT
Windows 7
Chrome, Firefox & IE all let me into the Apache2 site; none of them lets me into the JBOSS site.
ssl_error_bad_cert_alert
ERR_BAD_SSL_CLIENT_AUTH_CERT
This page can't be displayed
The certificate & root certs are both current; they just can't be verified.
Does anyone have a theory / solution?
Some edited openssl command-line output, in case it helps:
$ openssl s_client -connect jboss_host:8443 -cert client.pem -showcerts -CAfile private_ca.crt
CONNECTED(00000003)
depth=1 C = US, ST = California, L = Mendocino, O = My Company, CN = My Company CA, emailAddress = [email protected]
verify return:1
depth=0 C = US, ST = California, L = Mendocino, O = My Company, OU = Systems, CN = OND, emailAddress = [email protected]
verify return:1
139661545379488:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1262:SSL alert number 46
139661545379488:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
0 s:/C=US/ST=California/L=Mendocino/O=My Company/OU=Systems/CN=OND/[email protected]
i:/C=US/ST=California/L=Mendocino/O=My Company/CN=My Company CA/[email protected]
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mendocino/O=My Company/OU=Systems/CN=OND/[email protected]
issuer=/C=US/ST=California/L=Mendocino/O=My Company/CN=My Company CA/[email protected]
---
Acceptable client certificate CA names
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR/CN=MESA Certificate Factory/[email protected]
/C=US/ST=Illinois/L=Champaign/O=ACME Integrated Systems/OU=Research Division/CN=ACME Certificate Factory/[email protected]
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR Production/CN=MESA Certificate Factory/[email protected]
/C=US/ST=Illinois/L=Champaign/O=ACME Integrated Systems/OU=Research Division/CN=ACME Certificate Factory/[email protected]
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR Production/CN=MESA Certificate Factory/[email protected]
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR/CN=MESA Certificate Factory/[email protected]
---
SSL handshake has read 2028 bytes and written 2356 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
Session-ID-ctx:
Master-Key: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1429133346
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Tags: ssl, jboss, apache-2.4
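As an added example (not code from the question or from either server's configuration), the following Python script performs the check that the transcript above invites: it reads the "SSL alert number" reported by `openssl s_client`, collects the DNs listed under "Acceptable client certificate CA names", and tests whether the issuer of the client certificate (as printed by `openssl x509 -in client.pem -noout -issuer`) is among them. The transcript and the issuer line embedded below are constructed from the output in the question, with placeholder e-mail addresses.

```python
"""Diagnose a TLS client-certificate rejection from `openssl s_client` output.

Added example, not part of the original post. Input is the text s_client
prints plus the issuer line of the client certificate; both samples below are
constructed from the question's output, with placeholder e-mail addresses.
"""
import re

# TLS alert numbers that concern certificates (RFC 5246, section 7.2).
ALERT_NAMES = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

# Constructed sample transcript, trimmed from the question's s_client output.
SAMPLE_TRANSCRIPT = """\
CONNECTED(00000003)
depth=1 C = US, ST = California, L = Mendocino, O = My Company, CN = My Company CA, emailAddress = ca@example.com
verify return:1
depth=0 C = US, ST = California, L = Mendocino, O = My Company, OU = Systems, CN = OND, emailAddress = ond@example.com
verify return:1
139661545379488:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1262:SSL alert number 46
139661545379488:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Server certificate
subject=/C=US/ST=California/L=Mendocino/O=My Company/OU=Systems/CN=OND/emailAddress=ond@example.com
issuer=/C=US/ST=California/L=Mendocino/O=My Company/CN=My Company CA/emailAddress=ca@example.com
---
Acceptable client certificate CA names
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR/CN=MESA Certificate Factory/emailAddress=mesa@example.com
/C=US/ST=Illinois/L=Champaign/O=ACME Integrated Systems/OU=Research Division/CN=ACME Certificate Factory/emailAddress=acme@example.com
---
SSL handshake has read 2028 bytes and written 2356 bytes
"""

# Constructed: what `openssl x509 -in client.pem -noout -issuer` prints for a
# client certificate issued by the same private CA that issued the server cert.
SAMPLE_CLIENT_ISSUER = (
    "issuer= /C=US/ST=California/L=Mendocino/O=My Company"
    "/CN=My Company CA/emailAddress=ca@example.com"
)


def parse_dn(dn):
    """Turn a DN in either OpenSSL text form into a tuple of (attr, value) pairs.

    Accepts the slash form (/C=US/ST=...) and the comma form (C = US, ST = ...).
    Values that themselves contain the separator are not handled; this is a
    diagnostic, not a full RFC 4514 parser.
    """
    dn = dn.strip()
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(",")
    pairs = []
    for part in parts:
        if "=" not in part:
            continue
        attr, value = part.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return tuple(pairs)


def acceptable_ca_names(transcript):
    """Return the parsed DNs the server advertised in its CertificateRequest."""
    names, collecting = [], False
    for line in transcript.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            collecting = True
            continue
        if collecting:
            if line.startswith("---") or not line.strip():
                break
            names.append(parse_dn(line))
    return names


def tls_alert(transcript):
    """Return (alert number, name) from the s_client error line, or (None, None)."""
    m = re.search(r"SSL alert number (\d+)", transcript)
    if not m:
        return None, None
    number = int(m.group(1))
    return number, ALERT_NAMES.get(number, "other")


def diagnose(transcript, client_issuer_line):
    """Relate the server's alert to whether it trusts the client cert's issuer."""
    issuer = parse_dn(re.sub(r"^issuer\s*=\s*", "", client_issuer_line.strip()))
    accepted = acceptable_ca_names(transcript)
    number, name = tls_alert(transcript)
    result = {
        "alert_number": number,
        "alert_name": name,
        "server_accepts": len(accepted),
        "issuer_accepted": issuer in accepted,
    }
    if number in ALERT_NAMES and not result["issuer_accepted"]:
        result["verdict"] = ("server rejected the client certificate and its issuer "
                             "is not among the CA names the server advertises: the "
                             "issuing CA is missing from the server's truststore")
    elif number in ALERT_NAMES:
        result["verdict"] = "server rejected the certificate for a reason other than an unknown issuer"
    else:
        result["verdict"] = "no certificate-related alert seen"
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_TRANSCRIPT, SAMPLE_CLIENT_ISSUER).items():
        print(f"{key}: {value}")
```

The two facts the script compares are both visible in the transcript: alert 46 (certificate_unknown) is sent by the server after receiving the client certificate, and the "Acceptable client certificate CA names" block is the exact set of issuers the server will accept, taken from its truststore. If the client certificate's issuer is not in that block, no browser-side change can help; the CA certificate has to be present in the truststore the server's HTTPS connector uses. Note that the "Verify return code: 0 (ok)" at the end refers only to the client's verification of the server certificate against `-CAfile`, not to the server's verdict on the client certificate.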