openssl client authentication error: tlsv1 alert unknown ca: ... SSL alert number 48

Solution 1:

OK, I finally found out what the issue was and would like to share it just in case anyone gets stuck with that error message too.

Apache's config file has the following lines when it talks about the CA:

    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)
    #   Note: Inside SSLCACertificatePath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.

This means that every certificate file in this directory pointed to by SSLCACertificatePath must use a symbolic link. AND, most importantly, the name of each symbolic link must be the subject hash value of each certificate. You can find the hash value of the CA certificate by running this command:

    openssl x509 -noout -subject_hash -in cacert.pem

So, if the hash value was 0434423b, in the directory pointed to by SSLCACertificatePath, you should create two symbolic links to point to the certificate in the directory:

    0434423b -> /etc/apache2/certs/mypos.pem
    0434423b.0 -> /etc/apache2/certs/mypos.pem

This should solve the issue. Of course, if I had used the SSLCACertificateFile, I don't think I'd have experienced so many problems.

I found the explanation of SSLCACertificatePath on openssl's verify command page; look under "-CApath directory".
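One way to check the hash links described in this answer, as an added example that is not part of the original answers. OpenSSL looks a CA up in the directory under the name `<subject hash>.<n>`, so the script tests for exactly that form; the function names are this example's own, and the certificate path passed in is assumed to be absolute.

```shell
#!/bin/sh
# Added example: audit and repair hash links in an OpenSSL CA directory
# (Apache SSLCACertificatePath, openssl -CApath). Function names are
# hypothetical helpers, not part of OpenSSL or Apache.

# Subject hash OpenSSL uses as the lookup name inside the directory.
cert_hash() { openssl x509 -noout -subject_hash -in "$1"; }

# SHA-256 fingerprint, used to compare certificate contents.
cert_fp() { openssl x509 -noout -fingerprint -sha256 -in "$1"; }

# capath_has_cert DIR CERT
# Succeeds and prints the entry if DIR holds <hash>.<n> identical to CERT.
capath_has_cert() {
    dir=$1 cert=$2
    h=$(cert_hash "$cert") || return 2
    want=$(cert_fp "$cert") || return 2
    n=0
    # OpenSSL probes <hash>.0, <hash>.1, ... and stops at the first name
    # it cannot stat, so a gap or dangling link hides later entries.
    while [ -e "$dir/$h.$n" ]; do
        if [ "$(cert_fp "$dir/$h.$n" 2>/dev/null)" = "$want" ]; then
            echo "$dir/$h.$n"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# capath_link DIR CERT
# Create the first usable <hash>.<n> symlink for CERT unless one matches.
# CERT should be an absolute path so the link resolves from inside DIR.
capath_link() {
    dir=$1 cert=$2
    capath_has_cert "$dir" "$cert" >/dev/null && return 0
    h=$(cert_hash "$cert") || return 2
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    # -f replaces a dangling link left at this name.
    ln -sf "$cert" "$dir/$h.$n"
}
```

Running `capath_has_cert /path/to/capath /path/to/ca.pem` before restarting Apache shows whether the CA the client certificates chain to is actually reachable by hash.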

Solution 2:

I found that the "sudo update-ca-certificates --fresh" command automatically generates symbolic links from the subject hash value of each certificate to the certificate.