When you say "This is curious, as I don't have client auth configured yet from 
the script", wouldn't getting an error be what is expected, given that you set 
up mod_wsgi to expect a client certificate by passing the 
--ssl-ca-certificate-file option but then didn't supply one from the client?

In other words, it is the presence of --ssl-ca-certificate-file which enables 
verification of the client. The --ssl-verify-client option only overrides what 
sub URL paths of the site verification is enabled for. By default the whole 
site is set to require client verification as soon as you provide 
--ssl-ca-certificate-file.

So if using the original generated configuration you had:

    --ssl-ca-certificate-file=/etc/pki/tls/certs/ca-bundle.crt \
    --ssl-verify-client=/suburl

accessing the root of the site wouldn't require client verification, but 
accessing /suburl would.

Use just:

    --ssl-ca-certificate-file=/etc/pki/tls/certs/ca-bundle.crt

and accessing any part of the site requires client verification.

Graham
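Since the generated httpd.conf decides where client verification applies through the combination of the vhost-level SSLVerifyClient, the trailing <Location> block and the <IfDefine MOD_WSGI_VERIFY_CLIENT> guard, it is worth checking the file rather than reasoning about it. The script below is an added example, not code from this thread or from mod_wsgi: it resolves the effective SSLVerifyClient/SSLVerifyDepth for a given request path the way httpd merges them (vhost directives first, then every matching <Location> in file order). It assumes, as the thread suggests, that the launcher defines MOD_WSGI_VERIFY_CLIENT whenever --ssl-ca-certificate-file is given; the two sample configs are constructed from the fragments quoted in the thread (whole-site verification versus --ssl-verify-client=/suburl), not copied from a real generated file.

```python
"""Resolve which URL paths of a mod_wsgi-express style httpd.conf require a
TLS client certificate.

Added example, not part of the mailing-list thread or of mod_wsgi itself.
Assumption: client-verification directives sit inside
<IfDefine MOD_WSGI_VERIFY_CLIENT> and httpd is started with
-DMOD_WSGI_VERIFY_CLIENT when --ssl-ca-certificate-file is given.
"""
import re

# Constructed sample: the layout described for
# --ssl-ca-certificate-file=... with no --ssl-verify-client option.
WHOLE_SITE_CONF = """
<VirtualHost *:8443>
SSLEngine On
<IfDefine MOD_WSGI_VERIFY_CLIENT>
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLVerifyClient none
</IfDefine>
</VirtualHost>

<IfDefine MOD_WSGI_VERIFY_CLIENT>
<Location '/'>
SSLVerifyClient require
SSLVerifyDepth 10
</Location>
</IfDefine>
"""

# Constructed sample: the same file with --ssl-verify-client=/suburl.
SUBURL_CONF = WHOLE_SITE_CONF.replace("<Location '/'>", "<Location '/suburl'>")

_OPEN = re.compile(r"<(\w+)\s+(.*?)>$")
_CLOSE = re.compile(r"</(\w+)>$")
_TRACKED = ("SSLVerifyClient", "SSLVerifyDepth")


def parse_verify_policy(conf, defines):
    """Collect SSLVerifyClient/SSLVerifyDepth per scope.

    Returns (vhosts, locations):
      vhosts    -> {vhost_arg: {directive: value}}
      locations -> [(vhost_arg_or_None, path, {directive: value})] in file order
    Content under <IfDefine X> is skipped unless X is in `defines`
    (<IfDefine !X> inverts that), matching what httpd does at startup.
    """
    vhosts, locations = {}, []
    active = [True]            # stack of IfDefine truth values
    vhost = location = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            kind, arg = m.group(1).lower(), m.group(2).strip().strip("'\"")
            if kind == "ifdefine":
                negate = arg.startswith("!")
                active.append(active[-1] and ((arg.lstrip("!") in defines) != negate))
            elif kind == "virtualhost":
                vhost = arg
            elif kind == "location":
                location = (vhost, arg, {})
            continue
        m = _CLOSE.match(line)
        if m:
            kind = m.group(1).lower()
            if kind == "ifdefine":
                active.pop()
            elif kind == "virtualhost":
                vhost = None
            elif kind == "location":
                if active[-1]:
                    locations.append(location)
                location = None
            continue
        if not active[-1]:
            continue
        parts = line.split(None, 1)
        if parts[0] in _TRACKED and len(parts) == 2:
            target = location[2] if location is not None else vhosts.setdefault(vhost, {})
            target[parts[0]] = parts[1]
    return vhosts, locations


def effective_policy(conf, defines, vhost, path):
    """Effective verification settings for one request path on one vhost.

    Merge order mirrors httpd: server/vhost directives first, then each
    matching <Location> in file order, so a later or more specific block
    overrides an earlier one. httpd defaults: SSLVerifyClient none, depth 1.
    """
    vhosts, locations = parse_verify_policy(conf, defines)
    policy = {"SSLVerifyClient": "none", "SSLVerifyDepth": "1"}
    policy.update(vhosts.get(vhost, {}))
    for loc_vhost, loc_path, directives in locations:
        if loc_vhost not in (None, vhost):
            continue
        # <Location /suburl> matches /suburl and /suburl/..., not /suburlx.
        if path == loc_path or path.startswith(loc_path.rstrip("/") + "/"):
            policy.update(directives)
    return policy


if __name__ == "__main__":
    defines = {"MOD_WSGI_VERIFY_CLIENT"}
    for label, conf in (("whole site", WHOLE_SITE_CONF), ("/suburl only", SUBURL_CONF)):
        print(label)
        for p in ("/", "/suburl", "/suburl/x", "/suburlx"):
            print("  %-10s %s" % (p, effective_policy(conf, defines, "*:8443", p)))
```

Run it against the real generated file by replacing the constructed samples with `open("httpd.conf").read()`; if the report shows `none` at a path you expected to be protected, the fix is in the options passed to runmodwsgi, not in hand-editing the output.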

> On 14 May 2021, at 7:28 am, Matt Lutz <[email protected]> wrote:
> 
> Hello,
> 
> I'm using modwsgi in a dockerized Django application.  Based on the 
> environment I work in, I am requiring a client certificate to authenticate to 
> the web server.  
> 
> I use the 'python manage.py runmodwsgi --setup-only' command with some 
> variables.  HTTP works just fine, but I have to manually tweak the HTTPS 
> directives for the site to work properly.  Hopefully someone can point me in 
> the right direction.
> 
> The script I use to generate the httpd.conf file is as follows:
> 
> python3 manage.py runmodwsgi --setup-only \
> --port=8000 \
> --reload-on-changes \
> --user apache \
> --group apache \
> --https-port=8443 \
> --server-name=xxx.lab.net \
> --ssl-certificate-file=/etc/pki/tls/certs/localhost.crt \
> --ssl-certificate-key-file=/etc/pki/tls/private/localhost.key \
> --ssl-ca-certificate-file=/etc/pki/tls/certs/ca-bundle.crt 
> 
> As mentioned, this works just fine for HTTP.  But I get a 'Forbidden' when I 
> use SSL, with a post-handshake error:
> 
> [Thu May 13 21:17:47.362027 2021] [ssl:error] [pid 42909:tid 139855358154496] 
> [client 172.18.0.1:55846] AH10158: cannot perform post-handshake 
> authentication
> 
> This is curious, as I don't have client auth configured yet from the script.  
> However, when I look at the generated httpd.conf file, at the end I see this:
> 
> <IfDefine MOD_WSGI_VERIFY_CLIENT>
> <Location '/'>
> SSLVerifyClient require
> SSLVerifyDepth 10
> </Location>
> </IfDefine>
> 
> If I comment these lines out, it works without issue to the virtual server on 
> port 8443.  I don't understand why those lines are at the end of the file.  
> However, just removing these will not work, as I *do* need to require client 
> cert auth.  
> 
> Inside the client verify part of the '<VirtualHost *:8443>' configuration is 
> this:
> 
> <IfDefine MOD_WSGI_VERIFY_CLIENT>
> SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
> SSLVerifyClient none
> </IfDefine>
> 
> If I change that to the following:
> 
> <IfDefine MOD_WSGI_VERIFY_CLIENT>
> SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
> SSLVerifyClient require
> SSLVerifyDepth 10
> </IfDefine>
> 
> Then everything works as I need.  Messing around with the --ssl-verify-client 
> parameter in the runmodwsgi command did not help, but it's possible I wasn't 
> specifying right.  I also need that 'SSLVerifyDepth' set properly due to the 
> type of client certificates that are being used.
> 
> 
> Thank you for any assistance you can provide.  Sorry if the answer is in the 
> docs... I did not see it.
> 
> thanks,
> Matt
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "modwsgi" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/modwsgi/78b77aa0-45c0-4563-8f01-df64602a31d0n%40googlegroups.com

-- 
You received this message because you are subscribed to the Google Groups 
"modwsgi" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/modwsgi/16DF0F7C-78F6-4D54-8737-D18538140098%40gmail.com.