I'm using a valid certificate but I'm not able to get the client certificate. The lighttpd service fails with this error:
(connections-glue.c.200) SSL: 1 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
My config is like this one:
$SERVER["socket"] == ":443" {
protocol = "https://"
ssl.engine = "enable"
ssl.disable-client-renegotiation = "enable"
#server.name = "mywebsite.com"
ssl.pemfile = "/etc/lighttpd/ssl/mywebsite.com.pem"
ssl.ca-file = "/etc/lighttpd/ssl/mywebsite.com.csr"
ssl.ec-curve = "secp384r1"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
# HSTS(15768000 seconds = 6 months)
#setenv.add-response-header = (
# "Strict-Transport-Security" => "max-age=15768000;"
#)
#ask for client cert
ssl.verifyclient.exportcert = "enable"
ssl.verifyclient.activate = "enable"
ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
ssl.verifyclient.enforce = "enable"
ssl.verifyclient.depth = 3
}
The ssl.ca-file reads the content; you can point it at any file type here, even a .txt. It doesn't matter to lighttpd whether the content is a certificate or a certificate chain.
When you enable ssl.verifyclient.activate, lighttpd will request a certificate that has been signed by the root CA certificate(s) inside the ca-file.
If I want to use a 3rd-party certificate, for example ICP-Brazil, that is the root of all personal certificates. This certificate is signed by this entity and is the proof that you are really you, and it has legal weight in court. ICP-Brazil today has 5 versions of their root certificate, so if the system should support legacy certificates (which could have up to 6 years of validity), it means you need to put more than one certificate in ssl.ca-file. As described here: https://schnouki.net/posts/2014/08/12/lighttpd-and-ssl-client-certificates/
About the error:
It's happening for several reasons:
So I conclude that this is not really a bug to be corrected, but rather a limitation of the SSL handshake technology.
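As an added example that is not part of the original post or of lighttpd itself: a small stdlib-only Python checker for the file you hand to ssl.ca-file. It lists every PEM block in the file, counts the CERTIFICATE blocks (the only ones lighttpd can use as trust anchors when ssl.verifyclient.activate is on), flags other block types such as CERTIFICATE REQUEST (what a .csr normally holds), and checks that each certificate body is valid base64 wrapping a DER SEQUENCE. The sample PEM inputs below are constructed stand-ins with tiny fake DER payloads, not real certificates; the function names are mine.

```python
"""Audit a PEM file intended for lighttpd's ssl.ca-file (added example, stdlib only).

lighttpd verifies client certificates only against CERTIFICATE blocks found in
ssl.ca-file, so a file holding a CERTIFICATE REQUEST, or no trust anchors at
all, leaves the server with nothing to accept a client certificate against.
"""
from __future__ import annotations

import base64
import re

# One PEM block: BEGIN/END labels must match (backreference \1).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)


def der_sequence_length(der: bytes) -> int | None:
    """Return the total length if `der` is a well-formed DER SEQUENCE (tag 0x30)
    whose declared length matches the data, else None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long form: low 7 bits = byte count
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return None
        length = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    return hdr + length if hdr + length == len(der) else None


def scan_pem(text: str) -> list[tuple[str, bytes | None]]:
    """Return (label, decoded DER or None if the base64 is invalid) per block."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                # binascii.Error is a ValueError
            der = None
        blocks.append((label, der))
    return blocks


def audit_ca_file(text: str) -> dict:
    """Summarise what lighttpd would find in this ssl.ca-file content."""
    blocks = scan_pem(text)
    labels = [lbl for lbl, _ in blocks]
    certs = [der for lbl, der in blocks if lbl == "CERTIFICATE"]
    problems = []
    if not certs:
        problems.append("no CERTIFICATE block: no trust anchor to verify clients against")
    for lbl in sorted(set(labels) - {"CERTIFICATE"}):
        problems.append(f"unexpected {lbl} block (not usable as a trust anchor)")
    for i, der in enumerate(certs):
        if der is None or der_sequence_length(der) is None:
            problems.append(f"CERTIFICATE #{i + 1} is not valid base64/DER")
    return {"certificates": len(certs), "labels": labels,
            "problems": problems, "ok": not problems}


def make_pem(label: str, der: bytes) -> str:
    """Wrap raw bytes in a PEM block (64-column base64), used to build samples."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed DER stand-ins: a SEQUENCE wrapping one INTEGER. Real certificates
# are far larger, but share the same outer SEQUENCE tag.
FAKE_DER_A = b"\x30\x03\x02\x01\x01"
FAKE_DER_B = b"\x30\x03\x02\x01\x02"

# Constructed sample 1: a file that holds only a certificate request (.csr content).
CSR_ONLY = make_pem("CERTIFICATE REQUEST", FAKE_DER_A)
# Constructed sample 2: several root CA versions concatenated, as the answer describes.
ROOT_BUNDLE = make_pem("CERTIFICATE", FAKE_DER_A) + make_pem("CERTIFICATE", FAKE_DER_B)
# Constructed sample 3: a certificate block whose body is not base64.
CORRUPT = "-----BEGIN CERTIFICATE-----\n!!!!\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, text in (("csr-only", CSR_ONLY), ("root-bundle", ROOT_BUNDLE), ("corrupt", CORRUPT)):
        r = audit_ca_file(text)
        print(f"{name}: {r['certificates']} certificate(s);", "OK" if r["ok"] else r["problems"])
```

Run it against the real file (read the path from ssl.ca-file and pass its contents to audit_ca_file) before restarting lighttpd; a result with zero CERTIFICATE blocks explains a failing client-certificate handshake without any need to touch the cipher list or the verifyclient options.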