Thank you, that did the trick! Such a beginner's mistake on my part :) cheers, Tom
On Saturday, April 13, 2013 at 7:25 AM, Baptiste wrote:
> ---------- Forwarded message ----------
> From: Baptiste <[email protected]>
> Date: Sat, Apr 13, 2013 at 4:23 PM
> Subject: Re: Can't get client side certificate to work (repost)
> To: Lukas Tribus <[email protected]>
> Cc: Thomas Dudziak <[email protected]>, "[email protected]" <[email protected]>
>
>
> Hi Thomas,
>
> I could reproduce the issue and I could also find the fix.
> Your CA, server and client certificate can't have the same CN!
>
> Please update your certificate generation script like below:
> ===========
>
> export SUBJECT_CA='/C=US/ST=California/L=San Francisco/CN=CA'
> export SUBJECT_SERVER='/C=US/ST=California/L=San Francisco/CN=www.example.com'
> export SUBJECT_CLIENT1='/C=US/ST=California/L=San Francisco/CN=client1'
>
> # certificate authority creation
> openssl genrsa -out ca.key 4096
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj "$SUBJECT_CA"
>
> # server certificate creation
> openssl genrsa -out server.key 1024
> openssl req -new -key server.key -out server.csr -subj "$SUBJECT_SERVER"
> openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
>
> # client certificate creation
> openssl genrsa -out client.key 1024
> openssl req -new -key client.key -out client.csr -subj "$SUBJECT_CLIENT1"
> openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
>
> cat server.crt server.key > server.pem
> sudo cp server.pem /etc/haproxy/server.pem
> sudo cp ca.crt /etc/haproxy/ca.crt
> ================
>
> And it will work as expected:
> ================
> curl -vk --key client.key --cert client.crt https://localhost:4443
> * About to connect() to localhost port 4443 (#0)
> *   Trying ::1... Connection refused
> *   Trying 127.0.0.1... connected
> * Connected to localhost (127.0.0.1) port 4443 (#0)
> * successfully set certificate verify locations:
> *   CAfile: none
>   CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Request CERT (13):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS handshake, CERT verify (15):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSL connection using AES256-SHA
> * Server certificate:
> *   subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=www.server.com
> *   start date: 2013-04-13 14:16:56 GMT
> *   expire date: 2014-04-13 14:16:56 GMT
> *   common name: www.server.com (does not match 'localhost')
> *   issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=CA
> *   SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> > GET / HTTP/1.1
> > User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6
> > Host: localhost:4443
> > Accept: */*
> >
> * HTTP 1.0, assume close after body
> < HTTP/1.0 503 Service Unavailable
> < Cache-Control: no-cache
> < Connection: close
> < Content-Type: text/html
> <
> <html><body><h1>503 Service Unavailable</h1>
> No server is available to handle this request.
> </body></html>
> * SSLv3, TLS alert, Client hello (1):
> * Closing connection #0
> * SSLv3, TLS alert, Client hello (1):
> ==================
>
>
>
> Baptiste
>
>
>
>
> On Sat, Apr 13, 2013 at 9:20 AM, Baptiste <[email protected]> wrote:
> > Hi Tom,
> >
> > Sorry I did not have any time to answer you either on the blog or on
> > the ML. I'm very busy at work currently.
> > I'll have a look at your issue on Sunday and hopefully I'll find out the
> > issue.
> > That said, please give a try to Lukas' advice :)
> >
> > Baptiste
> >
> > On Fri, Apr 12, 2013 at 8:15 PM, Lukas Tribus <[email protected]> wrote:
> > > Hi Thomas,
> > >
> > >
> > > > I'm trying to follow this blog post:
> > > > http://blog.exceliance.fr/2012/10/03/ssl-client-certificate-management-at-application-level/,
> > > > but I can't get the client certificate to work with 1.5dev18.
> > >
> > > Could you try a few older releases, specifically dev12, 13 and 14 (which
> > > is around the time that blog post was written).
> > >
> > > I did not play with client side certificates yet, so I'm not sure how it
> > > works exactly, but testing older releases will help to understand whether
> > > this is a regression in haproxy or if we need to focus on things like
> > > certificate issues, etc.
> > >
> > >
> > > Cheers,
> > > Lukas
> > >
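As an added example (not part of the thread, and not Baptiste's script), the shell script below builds the same three-certificate setup with a distinct DN for the CA, the server and the client, then checks the property the fix depends on: OpenSSL marks a certificate whose subject equals its issuer as self-signed unless an Authority Key Identifier says otherwise, so a leaf that reuses the CA's DN (with no AKID, as in the script above) does not chain to that CA. The script also adds the extensions the thread's script omits (CA:TRUE on the root, CA:FALSE plus key usage, EKU and AKID on the leaves) and verifies each leaf against ca.crt with openssl verify. The DN values, file names, 2048-bit keys and the scratch directory are assumptions; only the openssl binary is required.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal CA + server + client PKI
# with distinct subject DNs, checked with openssl verify. All names below
# are illustrative assumptions.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl binary required" >&2; exit 1; }

# Distinct CNs, as the thread recommends (values are assumptions).
SUBJECT_CA='/C=US/ST=California/L=San Francisco/CN=Example Test CA'
SUBJECT_SERVER='/C=US/ST=California/L=San Francisco/CN=www.example.com'
SUBJECT_CLIENT='/C=US/ST=California/L=San Francisco/CN=client1'

# Minimal req config so the run does not depend on the system openssl.cnf.
write_req_config() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR: self-signed root in DIR/ca.key and DIR/ca.crt.
make_ca() {
    write_req_config "$1"
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -config "$1/req.cnf" \
        -key "$1/ca.key" -subj "$SUBJECT_CA" -out "$1/ca.crt"
}

# issue_leaf DIR NAME SUBJECT SERIAL EKU SAN: NAME.{key,csr,crt} signed by the
# CA in DIR. The leaf is marked CA:FALSE and carries an AKID pointing at the
# CA's key, so its issuer is unambiguous even if DNs were ever reused.
issue_leaf() {
    dir=$1; name=$2; subject=$3; serial=$4; eku=$5; san=$6
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -config "$dir/req.cnf" -key "$dir/$name.key" \
        -subj "$subject" -out "$dir/$name.csr"
    {
        printf 'basicConstraints=CA:FALSE\n'
        printf 'keyUsage=digitalSignature,keyEncipherment\n'
        printf 'extendedKeyUsage=%s\n' "$eku"
        printf 'subjectKeyIdentifier=hash\n'
        printf 'authorityKeyIdentifier=keyid\n'
        if [ -n "$san" ]; then printf 'subjectAltName=%s\n' "$san"; fi
    } > "$dir/$name.ext"
    openssl x509 -req -days 365 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial "$serial" -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
}

# DN helpers (RFC 2253 form, e.g. CN=client1,L=San Francisco,ST=California,C=US).
cert_subject() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^issuer= *//'; }

# 0 when subject != issuer, i.e. the leaf cannot be mistaken for self-signed.
has_distinct_issuer() { [ "$(cert_subject "$1")" != "$(cert_issuer "$1")" ]; }

# 0 when CERT ($2) chains to the CA file ($1); openssl verify's status is the result.
verify_against() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

if [ -n "${PKI_DIR:-}" ]; then WORK=$PKI_DIR; mkdir -p "$WORK"
else WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; fi

make_ca "$WORK"
issue_leaf "$WORK" server "$SUBJECT_SERVER" 1 serverAuth DNS:www.example.com
issue_leaf "$WORK" client "$SUBJECT_CLIENT" 2 clientAuth ""

for leaf in server client; do
    crt=$WORK/$leaf.crt
    if has_distinct_issuer "$crt" && verify_against "$WORK/ca.crt" "$crt"; then
        echo "$leaf.crt: $(cert_subject "$crt") chains to CA: OK"
    else
        echo "$leaf.crt: subject/issuer or chain check FAILED" >&2; exit 1
    fi
done

# HAProxy wants the server cert and key concatenated; the CA stays separate.
cat "$WORK/server.crt" "$WORK/server.key" > "$WORK/server.pem"
echo "PKI written to $WORK (set PKI_DIR to keep it)"
```

Run it with PKI_DIR=./pki to keep the output, then copy server.pem and ca.crt to /etc/haproxy as in the thread; the bind line that consumes them, which the thread does not show, is assumed to be of the form `bind :4443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/ca.crt verify required`. When testing with curl, prefer `--cacert pki/ca.crt` over `-k` so the server certificate is actually verified rather than skipped.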

