Tlsv1 alert unknown ca:SSL alert number 48) while SSL handshaking

Hi all,

I am currently in the process of setting up my box to connect to my teddycloud instance.
Flashing etc. works fine and I am now fumbling with the certificates.

After reading "Feasibility of hosting teddycloud" I am motivated to do routing based on the provided client certificate.

Mixing the previously mentioned thread with "Use certificates and nginx", I did the following steps:

  1. Extract client certificates from teddycloud
  2. Migrate them to x509 .pem / RSA .key files
  3. Generate the sha1sum of ca.pem, client.pem and ca.der (didn't know which one the client exactly sends)
  4. Modify my nginx reverse proxy for port 443:
server {
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    listen 443 ssl http2;
    access_log /var/log/nginx/access.log vhost;
    # return 503;
    error_log /etc/nginx/vhost.d/log debug;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
    ssl_client_certificate /etc/nginx/certs/client/ca.pem;
    ssl_verify_client optional_no_ca;
    location / {
        if ($reject) {
            return 503;
        }
        set $upstream 172.26.0.2:443; # this is the teddycloud IP
        proxy_pass https://$upstream$request_uri;
        proxy_ssl_certificate /etc/nginx/certs/client/client.pem;
        proxy_ssl_certificate_key /etc/nginx/certs/client/private.key;
        proxy_ssl_conf_command Options UnsafeLegacyRenegotiation;
    }
}

with the map

map $ssl_client_fingerprint $reject {
    default 1;
    "987e7d05001c880cbd0dc0b8bce7a48fe88bf2e0" 0; # ca.der
    "d5d128283032f9c8c1641552349a402da0355387" 0; # ca.pem
    "e187b0c3a49777975dea2feb99f5a8491aa4a609" 0; # client.pem
}

Reading the error log file, I get the following error message as soon as the box boots / a Tonie is placed:

*11425 SSL_do_handshake() failed (SSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:SSL alert number 48) while SSL handshaking

in combination with the error phrase "eule" / "owl".

I also tried bundling the existing "default.crt" with the "ca.pem" from the box, but the error remained the same.

Can anyone provide me with some information on what I am missing?

My end goal is teddycloud hosted on a dedicated server with a public IP, basic authentication in front of the web interface and client certificate routing for TLS requests without SNI.
Reason: if we move the box to, for example, the grandparents and they gift some new Tonies, these should work without moving the box to my home network.

Did you create a fullchain.pem?

cat teddy-cert.pem ca-root.pem > fullchain.pem

This did help me, but I am not sure if it was the exact same error.

Wait, I used the .der certificates (migrated to x509).
Do I need to use the server certificates in all places?

I thought the certificates within /teddybox/certs/client/ are the ones from the box.

To be more specific:
I'll create a fullchain using my existing default.crt within nginx (used as ssl_certificate within the server_name _; server block) and the teddy-cert.pem from /teddycloud/certs/server.
Also I'll migrate the client/ca.der to x509 in order to use it as ssl_client_certificate.

I'll then need to proxy pass the client cert and key from /teddycloud/certs/client within the nginx location / {} block.

Or am I completely off and is something missing?

I used these commands to alter the certs and get the fingerprint:

openssl x509 -inform der -in ca.der -out ca.pem
openssl x509 -inform der -in client.der -out client.pem
openssl x509 -inform der -in private.der -out private.pem
openssl rsa -in teddy-key.pem -out teddy-key-converted.pem
cat teddy-cert.pem ca-root.pem > fullchain.pem
openssl x509 -noout -fingerprint -sha1 -in client.pem

Then I did:

    # Server's certificate and private key
    ssl_certificate /etc/nginx/certs/server/fullchain.pem; #server cert
    ssl_certificate_key /etc/nginx/certs/server/teddy-key-converted.pem; #server cert

    # Require client certificate
    ssl_client_certificate /etc/nginx/certs/client/ca.pem; #boxine CA, client
    ssl_verify_client optional_no_ca;

for authentication, and

    proxy_ssl_certificate /etc/nginx/certs/client/client.pem; # client cert
    proxy_ssl_certificate_key /etc/nginx/certs/client/private.pem; # client cert

to proxy pass on to teddycloud.

Note: if you have a CC box, you need to enable SHA1:

    ssl_protocols TLSv1.2;
    ssl_ciphers 'HIGH:!aNULL:!MD5@SECLEVEL=0';
    ssl_prefer_server_ciphers off;

I think SECLEVEL=1 also works.
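As an added example (not from this thread), a POSIX shell helper that derives fingerprints in the form nginx's $ssl_client_fingerprint actually compares (lowercase hex without colons, whereas openssl x509 -fingerprint prints "SHA1 Fingerprint=AB:CD:..."), checks that a certificate chains to a CA file with openssl verify, and emits the map block. It needs openssl on PATH; the throwaway CA and file names are constructed for the demo and stand in for the certs exported from teddycloud.

```shell
#!/bin/sh
# Added helper: prepare the pieces the nginx config above needs.
#  1. check that a cert verifies against a CA file (alert 48 "unknown ca"
#     is what the peer sends when a presented chain does not validate)
#  2. derive $ssl_client_fingerprint values in the form nginx compares them
#  3. emit the map block
set -eu

# openssl prints "SHA1 Fingerprint=AB:CD:..."; nginx's $ssl_client_fingerprint
# is the same SHA1 over the DER certificate, but lowercase hex with no colons.
nginx_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'ABCDEF' 'abcdef'
}

# Independent cross-check: SHA1 over the DER encoding directly.
der_sha1() {
    openssl x509 -in "$1" -outform der | openssl dgst -sha1 | sed -e 's/^.*= *//'
}

# Does certificate $2 chain to the CA bundle $1? (return code only)
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Emit an nginx map that rejects everything except the listed client certs.
emit_map() {
    printf 'map $ssl_client_fingerprint $reject {\n    default 1;\n'
    for cert in "$@"; do
        printf '    "%s" 0; # %s\n' "$(nginx_fingerprint "$cert")" "$cert"
    done
    printf '}\n'
}

# Constructed sample input: a throwaway CA and one cert it signed, so this
# runs offline. Real deployments use the certs exported from teddycloud.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=sample-ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=sample-client \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/client.pem" 2>/dev/null

chain_ok "$WORK/ca.pem" "$WORK/client.pem" && echo "client.pem chains to ca.pem"
emit_map "$WORK/client.pem"
```

Run chain_ok with the CA the box trusts against the fullchain.pem nginx serves as well; if that fails, the box will keep answering with alert 48 regardless of the map.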

Thanks, that helped a lot!
The only difference I needed was the way of creating the private key:

openssl rsa -inform der -in private.der -out private.pem