Fails to log in to IdM WebUI with certificate/smartcard: cannot perform post-handshake authentication

Solution Verified

Issue

Fails to log in to IdM WebUI with certificate/smartcard

  • The IdM server has been configured for smart card authentication.
  • A certificate has also been added to a user.
  • Attempting to log in to the WebUI using a smart card: after clicking "Log In Using Certificate", the error message "Authentication with personal certificate failed" is displayed in the browser.
  • Corresponding log message for the HTTP request is found in /var/log/httpd/access_log:

    <...> "GET /ipa/session/login_x509 HTTP/1.1" 403 258
    
  • Error messages with the same timestamp have also been recorded in /var/log/httpd/error_log:

    [ssl:error] [pid <...>] [client www.xxx.yyy.zzz:39626] AH: verify client post handshake, referer: https://idm.example.com/ipa/ui/
    [ssl:error] [pid <...>] [client www.xxx.yyy.zzz:39626] AH10158: cannot perform post-handshake authentication, referer: https://idm.example.com/ipa/ui/
    [ssl:error] [pid <...>] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
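
A triage sketch for the log signature above, added here as an example (not Red Hat's code): it pairs each 403 on /ipa/session/login_x509 in access_log with same-second error_log entries to tell this failure apart from other 403 causes. The sample lines, timestamps, PIDs and the function name are constructed, and httpd's default log formats with both logs in the same time zone are assumed.

```python
import re
from datetime import datetime

# Constructed sample lines (not from a real system), httpd default log formats assumed.
ACCESS_LOG = """\
192.0.2.10 - - [02/Mar/2021:10:15:32 +0000] "GET /ipa/session/login_x509 HTTP/1.1" 403 258
192.0.2.11 - - [02/Mar/2021:10:16:05 +0000] "GET /ipa/session/login_x509 HTTP/1.1" 200 12
192.0.2.12 - - [02/Mar/2021:10:17:40 +0000] "GET /ipa/session/login_x509 HTTP/1.1" 403 258
"""
ERROR_LOG = """\
[Tue Mar 02 10:15:32.101010 2021] [ssl:error] [pid 2001:tid 1] [client 192.0.2.10:39626] AH10158: cannot perform post-handshake authentication, referer: https://idm.example.com/ipa/ui/
[Tue Mar 02 10:15:32.101200 2021] [ssl:error] [pid 2001:tid 1] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+) [^\]]*\] "GET /ipa/session/login_x509[^"]*" 403 ')
ERROR_RE = re.compile(r'^\[(\w+ \w+ \d+ [\d:]+)\.\d+ (\d{4})\] \[ssl:error\] \[pid (\d+)[^\]]*\] '
                      r'(?:\[client ([^\]]+):\d+\] )?(.*)$')

def classify_failed_logins(access_log, error_log):
    """Return (client, time, verdict) for every 403 on /ipa/session/login_x509."""
    refused = {}          # (client, second) -> pid that logged AH10158
    no_extension = set()  # (pid, second) that logged "extension not received"
    for line in error_log.splitlines():
        m = ERROR_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{m[1]} {m[2]}", "%a %b %d %H:%M:%S %Y")
        pid, client, msg = m[3], m[4], m[5]
        if client and msg.startswith("AH10158:"):
            refused[(client, when)] = pid
        elif "SSL_verify_client_post_handshake:extension not received" in msg:
            no_extension.add((pid, when))  # this line carries no client field
    results = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S")  # offset dropped on purpose
        pid = refused.get((m[1], when))
        if pid is None:
            verdict = "other cause"  # 403 without the AH10158 signature
        elif (pid, when) in no_extension:
            verdict = "post-handshake auth: extension not received"
        else:
            verdict = "post-handshake auth refused"
        results.append((m[1], when.isoformat(), verdict))
    return results

if __name__ == "__main__":
    print(*classify_failed_logins(ACCESS_LOG, ERROR_LOG), sep="\n")
```

Matching is exact to the second, so a request whose error entries fall across a second boundary is reported as "other cause" and needs a manual look.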
    

Environment

  • Red Hat Enterprise Linux 8.2 or newer
  • Red Hat Identity Management (IdM) / FreeIPA
    • ipa-server
    • httpd
