Graham, Thanks for the reply, and clearing up the ssl-ca-certificate-file piece. I didn't realize that it's presence would require a client cert, but that makes more sense, especially why the --ssl-verify-client parameters would be needed on sites that just have portions requiring the cert.
Sorry if I'm being dense on this, but I still don't get why I get the 'post-handshake authentication' error with the generated file, but if I move the client cert directives into the Virtual Host portion of the configuration, it works. It's the same CA file... any ideas? The 'Forbidden' error comes through without even prompting the client for a certificate. I'm sure I'm doing something wrong, and very much appreciate the assistance. thanks again. Matt On Thu, May 13, 2021 at 9:11 PM Graham Dumpleton <[email protected]> wrote: > When you say "This is curious, as I don't have client auth configured yet > from the script" wouldn't getting an error be what is expected given that > you set up mod_wsgi to expect a client certificate by passing > the --ssl-ca-certificate-file option but then didn't supply one from the > client. > > In other words, it is the presence of --ssl-ca-certificate-file which > enables verification of the client. The --ssl-verify-client option only > overrides what sub URL paths of the site verification is enabled for. By > default the whole site is set to require client verification as soon as you > provide --ssl-ca-certificate-file. > > So if using the original generated configuration you had: > > --ssl-ca-certificate-file=/etc/pki/tls/certs/ca-bundle.crt > --ssl-verify-client=/suburl > > accessing the root of the site wouldn't required client verification, but > access /suburl would. > > Use just: > > --ssl-ca-certificate-file=/etc/pki/tls/certs/ca-bundle.crt > > and accessing any part of the site requires client verification. > > Graham > > On 14 May 2021, at 7:28 am, Matt Lutz <[email protected]> wrote: > > Hello, > > I'm using modwsgi in a dockerized Django application. Based on the > environment I work in, I am requiring a client certificate to authenticate > to the web server. > > I use the 'python manage.py runmodwsgi --setup-only' command with some > variables. HTTP works just fine, but I have to manually tweak the HTTPS > directives for the site to work properly. Hopefully someone can point me > in the right direction. > > The script I use to generate the httpd.conf file is as follows: > > python3 manage.py runmodwsgi --setup-only \ > --port=8000 \ > --reload-on-changes \ > --user apache \ > --group apache \ > --https-port=8443 \ > --server-name=xxx.lab.net \ > --ssl-certificate-file=/etc/pki/tls/certs/localhost.crt \ > --ssl-certificate-key-file=/etc/pki/tls/private/localhost.key \ > --ssl-ca-certificate-file=/etc/pki/tls/certs/ca-bundle.crt > > As mentioned, this works just fine for HTTP. But I get a 'Forbidden' when > I use SSL, with a post-handshake error: > > [Thu May 13 21:17:47.362027 2021] [ssl:error] [pid 42909:tid > 139855358154496] [client 172.18.0.1:55846] AH10158: cannot perform > post-handshake authentication > > This is curious, as I don't have client auth configured yet from the > script. However, when I look at the generated httpd.conf file, at the end > I see this: > > <IfDefine MOD_WSGI_VERIFY_CLIENT> > <Location '/'> > SSLVerifyClient require > SSLVerifyDepth 10 > </Location> > </IfDefine> > > If I comment these lines out, it works without issue to the virtual server > on port 8443. I don't understand why those lines are at the end of the > file. However, just removing these will not work, as I *do* need to > require client cert auth. > > Inside the client verify part of the '<VirtualHost *:8443>' configuration > is this: > > <IfDefine MOD_WSGI_VERIFY_CLIENT> > SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt > SSLVerifyClient none > </IfDefine> > > If I change that to the following: > > <IfDefine MOD_WSGI_VERIFY_CLIENT> > SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt > SSLVerifyClient *require* > *SSLVerifyDepth 10* > </IfDefine> > > Then everything works as I need. Messing around with the > --ssl-verify-client parameter in the runmodwsgi command did not help, but > it's possible I wasn't specifying right. I also need that 'SSLVerifyDepth' > set properly due to the type of client certificates that are being used. > > > Thanks you for any assistance you can provide. Sorry if the answer is in > the docs... I did not see it. > > thanks, > Matt > > > > > > > -- > You received this message because you are subscribed to the Google Groups > "modwsgi" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/modwsgi/78b77aa0-45c0-4563-8f01-df64602a31d0n%40googlegroups.com > <https://groups.google.com/d/msgid/modwsgi/78b77aa0-45c0-4563-8f01-df64602a31d0n%40googlegroups.com?utm_medium=email&utm_source=footer> > . > > > -- > You received this message because you are subscribed to a topic in the > Google Groups "modwsgi" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/modwsgi/dKFTKoXvK04/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/modwsgi/16DF0F7C-78F6-4D54-8737-D18538140098%40gmail.com > <https://groups.google.com/d/msgid/modwsgi/16DF0F7C-78F6-4D54-8737-D18538140098%40gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "modwsgi" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/modwsgi/CAHfH%3Duw2jTDxaV81Wi6UsjnaVjU%3DL62aZPmQhekN46RzP6u74Q%40mail.gmail.com.
