Tags: linux, apache, ssl, ssl-client-authentication

Apache Client Authentication: Certificate Verification: Error (2): unable to get issuer certificate (SOLVED)


I am trying to configure a server with client authentication on a directory and a Certificate Revocation List (CRL). I succeeded once in making the client authentication work, but it is not working anymore, and I never succeeded in making the revocation list work.

Here are my configuration files:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        SSLCertificateFile      /root/ca/intermediate/certs/www.example.com.cert.pem
        SSLCertificateKeyFile   /root/ca/intermediate/private/www.example.com.key.pem
        SSLCertificateChainFile /root/ca/intermediate/certs/ca-chain.cert.pem
        SSLCACertificateFile    /root/ca/intermediate/certs/intermediate.cert.pem

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
</IfModule>

Mutex file:${APACHE_LOCK_DIR} default
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5


User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

HostnameLookups Off

ErrorLog ${APACHE_LOG_DIR}/error.log

LogLevel warn

IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

Include ports.conf


<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /usr/share>
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/>
     Options Indexes FollowSymLinks
     AllowOverride None
     Require all granted
</Directory>

<Directory /var/www/html/testClientCert>
     Options Indexes FollowSymLinks
     AllowOverride None
     SSLVerifyClient require
     SSLVerifyDepth 10
</Directory>

AccessFileName .htaccess

<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IncludeOptional conf-enabled/*.conf

IncludeOptional sites-enabled/default-ssl.conf

I used the following tutorial to create the root and intermediate CA: https://jamielinux.com/docs/openssl-certificate-authority/ (parts 1 and 2)

I used the following commands to generate the client certificate:

4 - Create client certificate

4.1 Create the client key
    openssl genrsa -des3 -out client.key 4096

4.2 Create the client CSR
    openssl req -new -key client.key -out client.csr

4.3 Create the client certificate
    openssl x509 -req -days 365 -in client.csr -CA /root/ca/intermediate/certs/intermediate.cert.pem -CAkey /root/ca/intermediate/private/intermediate.key.pem -set_serial <a value to change for each cert, e.g. incremented: 01 for the first, then 02...> -out client.crt

4.4 Convert the client certificate to PKCS#12
    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Now here is my question: it seems my intermediate certificate is not trusted. Indeed, when I try to access the directory /var/www/html/testClientCert with Mozilla (I imported the intermediate CA + client cert in Mozilla), I get the following error:

tail -f 20 /var/log/apache2/*

==> /var/log/apache2/access.log <==
127.0.0.1 - - [07/Aug/2017:20:15:48 +0200] "GET /testClientCert/gg.txt HTTP/1.1" 403 9768 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"

==> /var/log/apache2/error.log <==
[Mon Aug 07 20:15:48.741592 2017] [ssl:error] [pid 2262:tid 140536910403328] [client 127.0.0.1:55376] AH02039: Certificate Verification: Error (2): unable to get issuer certificate
[Mon Aug 07 20:15:48.741670 2017] [ssl:error] [pid 2262:tid 140536910403328] [client 127.0.0.1:55376] AH02261: Re-negotiation handshake failed
[Mon Aug 07 20:15:48.741687 2017] [ssl:error] [pid 2262:tid 140536910403328] SSL Library Error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed

How come this error occurs when I signed the intermediate CA cert with the root CA cert and my client certificate is signed by the intermediate CA?


Solution

  • If someone needs the answer, I post it. The comment in the default configuration file (default-ssl.conf) led me onto the right track:

        #   Certificate Authority (CA):
        #   Set the CA certificate verification path where to find CA
        #   certificates for client authentication or alternatively one
        #   huge file containing all of them (file must be PEM encoded)
    

    So the file SSLCACertificateFile must contain the root and intermediate certificates. Changing this line then solves my problem:

    SSLCACertificateFile /root/ca/intermediate/certs/ca-chain.cert.pem

    I have not found the solution for the CRL yet; I will post it when I find it.
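The failure in the question and the fix in the answer can be reproduced outside Apache with `openssl verify`, which applies the same chain-building rules as mod_ssl: a client certificate issued by an intermediate can only be verified when the trust store reaches a self-signed root. The script below is an added example, not code from the post or from the linked tutorial. It builds a throwaway root CA, intermediate CA and client certificate in a temporary directory (all names, subjects and file names are constructed for the example), then verifies the client certificate first against the intermediate alone, which yields the same "Error (2): unable to get issuer certificate" as the Apache log, and then against the root + intermediate bundle, which is what `SSLCACertificateFile` must point to. It assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the mod_ssl
# "unable to get issuer certificate" failure with openssl verify and
# show that a root + intermediate bundle fixes it.
set -eu

WORK=$(mktemp -d)                      # constructed throwaway PKI lives here
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for the two CA certificates (CA:TRUE is mandatory, otherwise
# the intermediate is rejected as an issuer).
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the client (leaf) certificate: what a TLS client needs.
cat > client.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF

# 1. Root CA: key + CSR, then self-signed with the CA extensions.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile ca.ext -out root.crt 2>/dev/null

# 2. Intermediate CA: signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout intermediate.key -out intermediate.csr 2>/dev/null
openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -days 30 -extfile ca.ext -out intermediate.crt 2>/dev/null

# 3. Client certificate: signed by the intermediate (as in the question).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client" \
    -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA intermediate.crt -CAkey intermediate.key \
    -CAcreateserial -days 30 -extfile client.ext -out client.crt 2>/dev/null

# 4. The bundle the answer describes: intermediate followed by root, PEM.
cat intermediate.crt root.crt > ca-chain.crt

# verify_result CAFILE
# Verifies client.crt as a TLS client certificate against the given trust
# file and prints "OK" or the first lookup error in mod_ssl's
# "Error (N): reason" style.
verify_result() {
    if out=$(openssl verify -purpose sslclient -CAfile "$1" client.crt 2>&1); then
        echo "OK"
    else
        echo "$out" \
          | sed -n 's/^error \([0-9]*\) at [0-9]* depth lookup: \(.*\)$/Error (\1): \2/p' \
          | head -n 1
    fi
}

echo "SSLCACertificateFile = intermediate only : $(verify_result intermediate.crt)"
echo "SSLCACertificateFile = root + intermediate: $(verify_result ca-chain.crt)"
```

The first line prints `Error (2): unable to get issuer certificate`: the verifier finds the intermediate for the client certificate, but then needs the intermediate's own issuer (the root) and cannot find it in the trust file. The second line prints `OK`, because the bundle lets the chain terminate at a self-signed root. This is why the answer's `SSLCACertificateFile /root/ca/intermediate/certs/ca-chain.cert.pem` works while pointing it at `intermediate.cert.pem` alone does not; `SSLVerifyDepth 10` never came into play, since the chain was only two levels deep.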