Please fill out the fields below so we can help you. Note: you must provide your domain name to receive help. The domain names of issued certificates are all made public in Certificate Transparency logs (for example, crt.sh | example.com), so withholding your domain name here does not help keep it secret, but it does make it harder for us to help you.
I can read responses in English: yes
My domain is: chez.jcz.fr
My web server is (include version): WampServer / Apache 2.4.55
The operating system my web server runs on is (include version): Windows 10 Pro
My hosting provider, if applicable, is: at home on my own computer.
Hello to the whole Let's Encrypt team and to the community.
For my tests, on my site chez.jcz.fr, I need a CA certificate.
But in addition, I need a client certificate and a server certificate.
Can Let's Encrypt provide them for me?
If not, can I create them with OPENSSL?
The Let's Encrypt domain certificates have the Key Usage set to allow both server authentication and client authentication, so they can be used for both applications. Not all servers will accept the Let's Encrypt certificate for client authentication (that is entirely the decision of the server operator!), but it is technically valid for this purpose.
The Let's Encrypt certificate extension ends with ".pem".
I would like to have a certificate that ends with the extension ".pfx" or ".p12".
If I click on your certificate, I don't get the "install PFX" option.
I can't install it from stores on Windows.
How do I go about transforming your certificate into ".pfx" or ".p12"?
If you're going to use it on Windows, you might want to use a Windows-oriented client like Certify The Web—I think you may get a PFX file directly out of it.
The file created by Certbot is what other people have traditionally called a ".cer" file. You can convert this by running the openssl pkcs12 command. For example
will turn up some examples of how to do that conversion.
Since the certificate has to be renewed frequently, it's unpleasant to have to do this manually every time! You can script the conversion process using Certbot's --deploy-hook option (which lets you specify a command to run automatically every time a new certificate is obtained), or use a more Windows-oriented Let's Encrypt client and perhaps get a PFX file in the first step.
When I request a certificate from Let's Encrypt, I get:
--> chez.jcz.fr-chain.pem
--> chez.jcz.fr-crt.pem
--> chez.jcz.fr-key.pem
In Apache 2.4.55, the installed certificates are:
--> SSLCertificateFile: chez.jcz.fr-chain.pem
--> SSLCertificateKeyFile: chez.jcz.fr-key.pem
In Apache 2.4.55, I put: "SSLVerifyClient none".
I do the test: it works!
I create the PFX certificate:
openssl pkcs12 -export -out %TRAVAIL%\chez.jcz.fr.pfx ^
-in %LIEN%\chez.jcz.fr-chain.pem ^
-inkey %LIEN%\chez.jcz.fr-key.pem ^
-passin pass:root -passout pass:root
I install it in the "personal" store.
In Apache, I put: "SSLVerifyClient require".
I restart WampServer and I do the test: it does not work.
I have the error "ERR_BAD_SSL_CLIENT_AUTH_CERT".
I did the same with OPENSSL by creating my self-signed certificates.
Unlike this test, I had a ca.crt certificate that I put in the "trusted root certification authorities" store.
And a client.pfx certificate that I put in the "personal" store. And the test worked.
I took the certificate "chez.jcz.fr-crt.pem" whose name I changed to "chez.jcz.fr.crt".
I installed it in the "trusted root certification authorities" store.
The test did not work.
Let's Encrypt gives me the following certificates:
--> chez.jcz.fr-crt.pem
--> chez.jcz.fr-key.pem
--> chez.jcz.fr-chain.pem
This is what I get by "wacs.exe".
I configure Apache:
--> SSLCertificateFile: chez.jcz.fr-crt.pem
--> SSLCertificateKeyFile: chez.jcz.fr-key.pem
--> SSLCACertificateFile: chez.jcz.fr-chain.pem
and I do:
--> SSLVerifyClient none
my site is valid!
From these three ".pem", I was able to create with OPENSSL:
--> PFX that I put in the "my" store.
--> CRT that I put in the "root" store.
I checked, they are both valid.
I go to my site. It offers me the client certificate.
I select it and I have the error "ERR_BAD_SSL_CLIENT_AUTH_CERT".
To get my site working properly, I need to create the right certificates:
--> chez.jcz.fr-server-key.pem
--> chez.jcz.fr-server-crt.pem
--> chez.jcz.fr.pfx
from Let's Encrypt certificates.
Can you give me a link explaining how to create these certificates?
I spent the whole weekend looking on the net, doing tests, but I can't find it.
Can you help me find the solution?
[quote="MikeMcQ"]Can you show the exact URL that is failing?
I don't have a problem accessing https://chez.jcz.fr[/quote]
This is the correct url.
I access from my computer, where my WampServer is.
I explained everything a little above.
I did exactly the same manipulations with self-signed OPENSSL certificates, and I managed to correctly configure my Apache 2.4.55.
With Let's Encrypt certificates, I can't create the PFX and CRT certificates I need.
I gave you the two "openssl" commands that I use to create these two PFX and CRT certificates.
If they are not correct, can you tell me how to get a working client certificate please?
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
We have been discussing this offline and the short answer is that it is not a good idea to use Let's Encrypt certs for Apache client authentication (SSLVerifyClient).
Why? That Apache feature checks that the client sent a cert that it can successfully chain to the root you configured. Everyone with an LE cert will chain to the same root so anyone would be authenticated. This provides too little security to be useful.
Normally this Apache verify client is used with your own "root" certs. You could, for example, create self-signed certs for this purpose. You configure the client and Apache accordingly (like using the SSLCACertificateFile). There are many guides on the internet for setting up such a configuration.
Apache also has a "require" option to restrict client certs even further. But, this is advanced Apache config well beyond the scope of this forum.