curl – SSL peer does not support certificates of the type it received

Worp asked:

Trying to send a request with a client certificate to an Apache server, I have the following request and error:

$ curl -X POST \
  https://my-server.com/dummy/user \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/json' \
  -d '{"name_first":"Some", "name_last":"Name"}' \
  --insecure \
  -v \
  -i \
  --key-type PEM \
  --cert-type PEM \
  --cert ./my.cert.pem \
  --key ./my.key.pem
* About to connect() to my-server.com port 443 (#0)
*   Trying 2xx.xx.xx.xxx...
* Connected to my-server.com (2xx.xx.xx.xxx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate from file
*       subject: CN=my-common-name,OU=IT,O=My Company,L=City,C=Country
*       start date: Jul 10 07:07:55 2018 GMT
*       expire date: Jul 10 07:17:55 2020 GMT
*       common name: my-common-name
*       issuer: CN=My-CA,DC=company,DC=local
* NSS error -12225 (SSL_ERROR_UNSUPPORTED_CERT_ALERT)
* SSL peer does not support certificates of the type it received.
* Closing connection 0
curl: (35) SSL peer does not support certificates of the type it received.

The Apache configuration is:

<VirtualHost *:80>
    ServerName my-server.com
    RewriteEngine on
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,QSA,L]
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>
<VirtualHost *:443>
    ServerName my-server.com
    ServerAdmin [email protected]
    DocumentRoot "/path/to/document-root"
    ErrorLog "/path/to/logs/my-server.com.error.log"
    TransferLog "/path/to/logs/my-server.com.access.log"
    LogLevel debug

    <FilesMatch \.php$>
        SetHandler "proxy:fcgi://127.0.0.1:9000"
    </FilesMatch>

    SSLEngine on
    SSLCertificateFile "ssl-certs/my-server.com.crt"
    SSLCertificateKeyFile "ssl-certs/my-server.com.key"
    SSLCertificateChainFile "ssl-certs/my-server.com.chain.crt"
    SSLCACertificateFile "ssl-certs/my-company.ca.cert"
    SSLVerifyClient optional_no_ca
    # Not yet put in, seems like setting this to anything does not change the behaviour
    #SSLVerifyClient require
    SSLOptions +StdEnvVars
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
    <Directory /path/to/document-root>
        <RequireAny>
            # Allow from local networks only to prevent HELIX config mistakes
            Require ip xxx.xx.x.x/16
        </RequireAny>
        AllowOverride All
    </Directory>
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    AddOutputFilterByType DEFLATE text/plain text/html text/xml
    AddOutputFilterByType DEFLATE text/css text/javascript
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript
</VirtualHost>

edit1
As requested in the comments, here is the output of

$ openssl x509 -in ./my.cert.pem -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            36:00:00:00:1b:84:b3:3e:00:eb:cf:61:0e:00:00:00:00:00:1b
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: DC=local, DC=my-company, CN=my-company-CA
        Validity
            Not Before: Jul 10 07:07:55 2018 GMT
            Not After : Jul 10 07:17:55 2020 GMT
        Subject: C=Country, L=City, O=my-company, OU=IT, CN=my-common-name
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b4:e1:f3:e7:05:3e:44:fa:33:10:48:cb:7f:97:
                    89:66:da:48:8b:9e:5a:91:63:01:88:1b:99:66:d1:
                    9d:ed:73:72:ef:02:78:08:80:01:ce:ca:f8:ee:f2:
                    93:eb:77:e8:54:93:c3:f3:59:31:de:51:3d:7f:f7:
                    a5:ac:32:22:48:da:d5:91:a7:9c:b5:26:ab:2f:b1:
                    dd:6c:89:79:01:40:d6:d9:70:4d:04:d3:ef:bb:27:
                    28:cf:36:ca:d1:56:11:dd:21:53:0a:64:58:44:e4:
                    36:9e:f8:4a:65:38:10:1b:56:a5:94:fb:24:98:e0:
                    09:2c:8b:a7:9d:4e:81:e0:5e:68:35:c2:dc:90:f8:
                    7f:f1:0d:cc:56:1f:b6:73:d2:5f:c0:61:e4:85:5a:
                    e2:19:38:c9:b0:18:76:6c:86:87:c1:19:a9:f3:c9:
                    4e:2c:b9:c6:bd:05:ca:fc:ed:fc:b2:8d:ed:14:0f:
                    d4:b6:c1:1c:a3:44:44:b1:22:2d:75:4d:4c:30:33:
                    55:b7:47:3c:83:43:a4:7c:d9:c4:0f:3b:e5:2d:13:
                    64:5c:c9:de:8e:60:50:6b:26:d3:03:26:87:21:6c:
                    c9:98:0c:33:c3:22:b6:1b:ef:64:2b:14:aa:01:28:
                    9d:dc:c6:bb:33:b6:08:be:21:f9:0a:7b:20:81:33:
                    96:27:90:33:e9:eb:38:cc:39:73:81:0a:f2:81:31:
                    69:59:c9:74:b9:fb:fb:50:d5:7b:72:01:c9:ad:5b:
                    6a:7a:0d:ff:f5:b0:5b:d3:7e:f3:2b:6b:30:fc:69:
                    ee:4f:4a:2c:24:f5:41:31:ad:4b:87:90:69:15:a9:
                    97:6e:2d:e4:e7:0f:01:a7:06:7a:2e:24:e1:36:90:
                    ab:88:ff:54:5e:b5:58:71:9a:f1:28:48:a5:c0:ae:
                    84:fd:4d:ab:17:70:8f:e9:4b:fc:74:af:60:6f:b9:
                    e7:32:4a:38:01:95:d0:ee:c7:10:52:22:94:92:85:
                    1b:4a:30:f1:b2:e6:14:f9:74:0b:4a:d5:72:9d:94:
                    01:41:03:b3:77:fc:01:e5:65:18:ed:85:a3:a6:a4:
                    bf:55:42:7e:04:eb:cb:e8:c8:89:77:92:fc:b4:38:
                    5e:8c:f9:f6:c3:b6:f6:17:ce:25:34:d3:bc:72:fa:
                    c1:04:fe:12:34:8f:7e:d1:ee:48:93:71:bc:74:68:
                    92:f1:39:7a:4d:17:b0:5e:5d:37:ed:96:f5:07:0e:
                    97:e2:e5:09:96:21:49:89:2a:ec:fb:1b:e4:b9:95:
                    8d:a0:32:23:ef:bb:7d:15:cb:18:54:01:9e:67:b9:
                    e7:37:fd:87:77:28:24:8e:72:60:c0:48:7d:44:a1:
                    d9:f8:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.7: 
                0/.'+.....7.....(...d.......Z...?.4...G...D..d...
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            1.3.6.1.4.1.311.21.10: 
                0.0
..+.......
            X509v3 Subject Key Identifier: 
                EF:2C:E2:02:6C:F5:45:82:27:CB:05:77:6B:F8:B1:22:1F:E7:29:20
            X509v3 Authority Key Identifier: 
                keyid:9C:FB:DD:C0:DD:16:D6:FF:98:31:22:0E:30:4A:B6:98:93:6A:21:6F

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:ldap:///CN=my-company-CA,CN=MY-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=my-company,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

            Authority Information Access: 
                CA Issuers - URI:ldap:///CN=my-company-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=my-company,DC=local?cACertificate?base?objectClass=certificationAuthority

    Signature Algorithm: sha512WithRSAEncryption
         46:16:3f:33:93:31:87:6b:31:02:f6:a6:b1:d0:90:94:d9:3d:
         b5:a8:aa:ff:15:32:c1:2e:50:1b:41:cc:75:5c:93:76:01:87:
         a2:ce:46:18:01:4b:98:cd:36:ea:1a:6c:28:9a:40:a4:67:83:
         7f:28:c7:78:98:d1:07:be:59:06:dc:f6:b0:e5:6a:d8:6d:e0:
         a9:43:5d:5b:7b:61:1e:0d:38:af:a4:55:e0:af:db:26:16:a2:
         42:fe:27:36:07:b5:c5:e8:93:bd:e3:df:17:66:c4:b8:12:5e:
         d0:46:48:68:ac:28:2c:08:5e:52:47:ad:c0:b3:6e:69:20:e2:
         00:3b:12:5e:fa:eb:32:be:4c:f4:9e:cb:a7:a0:c6:cf:e5:bc:
         d9:de:1e:6a:c0:17:22:43:23:a9:6c:3f:48:dd:26:44:22:58:
         fa:3d:d9:61:a0:76:2b:f8:d5:ae:c1:97:4d:ba:81:25:a4:44:
         2c:8d:5d:4c:d3:05:a7:eb:b7:9b:08:3c:4c:2c:c0:9d:2a:d6:
         47:7e:96:87:60:e8:b4:9d:73:25:9b:2e:0b:23:d0:14:7c:82:
         9d:ec:07:a8:26:9a:28:e7:c1:a4:fa:e8:28:b6:44:54:81:c6:
         92:05:1b:7f:4e:a6:b9:81:ca:c6:c6:65:ab:b8:7d:32:2d:fa:
         dd:72:f0:ad:3f:c0:e5:f9:b2:dc:67:f6:9f:7e:b5:16:24:b0:
         f8:39:35:4a:49:a5:c4:44:bc:6b:f2:2e:9c:f0:29:32:bd:d3:
         70:6b:f3:a4:a6:8b:12:a2:c3:c8:0a:66:cb:50:98:91:a7:1a:
         b4:7a:52:58:fe:e5:f5:db:dd:52:c9:38:36:00:6a:4f:23:48:
         78:10:68:c8:58:7f:78:69:95:6a:3b:0e:e9:53:b7:cc:17:9e:
         57:a4:5f:6d:b5:3f:f7:10:37:b2:70:20:b4:b0:65:2b:52:f8:
         67:b2:de:57:1e:b7:5d:23:09:f4:39:66:a8:09:28:1f:58:d8:
         c2:e7:73:46:a6:5b:d1:3c:53:90:da:29:99:b9:2f:b7:82:20:
         ae:9e:41:37:ab:3c:a8:aa:a1:e4:be:0b:1a:5f:45:a5:8e:01:
         a6:cd:92:b5:7c:b1:7b:ca:80:d7:47:d5:c2:aa:b3:cd:61:f2:
         fa:91:4f:59:bf:df:06:40:c5:2b:32:d6:d4:8c:3a:a0:32:e2:
         75:6f:e8:21:13:99:9f:5e:f3:9f:33:51:0a:41:3a:af:eb:c1:
         5c:b9:22:a9:e4:80:7c:11:d0:da:59:17:e2:74:e5:6f:0a:8d:
         6a:95:c1:cb:1c:e1:8c:1c:2e:08:8c:db:7f:db:69:96:73:fe:
         5a:08:85:26:fd:5d:0d:cd

My answer:


That cert is not a client certificate. It is only a server certificate.

You can see that in the output:

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication

A client certificate will instead say:

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication

or:

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication

(such a certificate can be either a server cert or a client cert)

Go back to your CA and request a proper client certificate.
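
The check described in the answer, as an added example that is not part of the original answer: a shell function that reads `openssl x509 -in ./my.cert.pem -text -noout` output on stdin and reports whether the Extended Key Usage permits client authentication. The names eku_client_check and sample_* are chosen here; the "no-eku" case goes beyond the answer and assumes the usual X.509 rule that a certificate without an Extended Key Usage extension is not restricted by it. The sample inputs are short excerpts, the first taken from the question's output and the other two constructed.

```shell
#!/bin/sh
# Added example. Reads `openssl x509 -noout -text` output on stdin and reports
# whether the Extended Key Usage (EKU) allows use as a TLS client certificate.
# Prints client-ok, not-for-client or no-eku; exit status is 1 only for
# not-for-client.
eku_client_check() {
    awk '
        /X509v3 Extended Key Usage:/ {
            found = 1
            # openssl prints the purposes on the line after the header
            if ((getline line) > 0) eku = line
        }
        END {
            # Assumption: no EKU extension means no purpose restriction.
            if (!found) { print "no-eku"; exit 0 }
            if (eku ~ /TLS Web Client Authentication/) { print "client-ok"; exit 0 }
            print "not-for-client"; exit 1
        }
    '
}

# Excerpt from the certificate in the question: server authentication only.
sample_server_only() {
    cat <<'EOF'
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
EOF
}

# Constructed excerpt: usable as either a server or a client certificate.
sample_both() {
    cat <<'EOF'
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
EOF
}

# Constructed excerpt: no EKU extension at all.
sample_no_eku() {
    cat <<'EOF'
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
EOF
}

for s in sample_server_only sample_both sample_no_eku; do
    printf '%s: ' "$s"
    "$s" | eku_client_check || true
done
```

Against a real file, pipe the openssl command from the question into the function: a "not-for-client" result matches the certificate that triggered SSL_ERROR_UNSUPPORTED_CERT_ALERT above.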


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.