Hi Daniel, you need to set SSLVerify Options AND set the "ExportCertData" option:

SSLVerifyClient optional
SSLVerifyDepth 3
SSLCACertificateFile /etc/apache2/ssl/root.pem
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
</Directory>

Oliver

On 17.05.19 at 09:24, daniel.Jackson.fr via OpenXPKI-users wrote:
> Hi everyone,
>
> I have configured the apache server to force the user to use HTTPS
> instead of HTTP. I am working on my own PC (localhost) so I add in
> /etc/hosts:
>
> *127.0.0.1* *openxpki.com*
>
> So with my apache configuration, when I type openxpki.com (I am
> redirected to localhost/openpki).
> The user also needs to have a certificate delivered by the right CA to
> access the OpenXPKI webui. (Apache2 conf).
>
> However, I also wanted to use the authentication by certificate
> present in the default settings, but every time I try to use it, the
> webui says:
>
> """
> *Required information is missing!*
> Your web browser failed to present the required information to log in
> using the chosen login method.
> Please select a different type of authentication. Go back to login page.
> """
>
> I got this on the webui log file :
>
> 2019/05/17 09:32:09 check for cgi session, fcgi pid 22209
> [pid=22209|sid=53d6]
> 2019/05/17 09:32:09 session id (front) is
> 5774934edc498239ef973eef5a79ad97 [pid=22209|sid=5774]
> 2019/05/17 09:32:09 Use provided client instance [pid=22209|sid=5774]
> 2019/05/17 09:32:09 First session reinit with id init [pid=22209|sid=5774]
> 2019/05/17 09:32:09 New backend session with id cZjG5Wm+Qy+wAMoQ5qiBUw==
> [pid=22209|sid=5774]
> 2019/05/17 09:32:09 current session status GET_PKI_REALM
> [pid=22209|sid=5774]
> 2019/05/17 09:32:09 Generate rtoken [pid=22209|sid=5774]
> 2019/05/17 09:32:09 Baseurl from referrer: [pid=22209|sid=5774]
> 2019/05/17 09:32:09 request handled [pid=22209|sid=5774]
> 2019/05/17 09:32:09 check for cgi session, fcgi pid 22209
> [pid=22209|sid=5774]
> 2019/05/17 09:32:09 session id (front) is
> 5774934edc498239ef973eef5a79ad97 [pid=22209|sid=5774]
> 2019/05/17 09:32:09 Use provided client instance [pid=22209|sid=5774]
> 2019/05/17 09:32:09 First session reinit with id
> cZjG5Wm+Qy+wAMoQ5qiBUw== [pid=22209|sid=5774]
> 2019/05/17 09:32:09 Resume backend session with id
> cZjG5Wm+Qy+wAMoQ5qiBUw== [pid=22209|sid=5774]
> 2019/05/17 09:32:09 current session status GET_PKI_REALM
> [pid=22209|sid=5774]
> 2019/05/17 09:32:09 not logged in - doing auth - page is login - action
> is [pid=22209|sid=5774]
> 2019/05/17 09:32:09 request handled [pid=22209|sid=5774]
> 2019/05/17 09:32:10 check for cgi session, fcgi pid 22209
> [pid=22209|sid=5774]
> 2019/05/17 09:32:10 session id (front) is
> 5774934edc498239ef973eef5a79ad97 [pid=22209|sid=5774]
> 2019/05/17 09:32:10 Use provided client instance [pid=22209|sid=5774]
> 2019/05/17 09:32:10 First session reinit with id
> cZjG5Wm+Qy+wAMoQ5qiBUw== [pid=22209|sid=5774]
> 2019/05/17 09:32:10 Resume backend session with id
> cZjG5Wm+Qy+wAMoQ5qiBUw== [pid=22209|sid=5774]
> 2019/05/17 09:32:10 current session status GET_PKI_REALM
> [pid=22209|sid=5774]
> 2019/05/17 09:32:10 not logged in - doing auth - page is - action is
> login!realm [pid=22209|sid=5774]
> 2019/05/17 09:32:10 set realm in session: ca-one [pid=22209|sid=5774]
> 2019/05/17 09:32:10 Selected realm ca-one, new status
> GET_AUTHENTICATION_STACK [pid=22209|sid=5774]
> 2019/05/17 09:32:10 request handled [pid=22209|sid=5774]
> 2019/05/17 09:32:13 check for cgi session, fcgi pid 22209
> [pid=22209|sid=5774]
> 2019/05/17 09:32:13 session id (front) is
> 5774934edc498239ef973eef5a79ad97 [pid=22209|sid=5774]
> 2019/05/17 09:32:13 Use provided client instance [pid=22209|sid=5774]
> 2019/05/17 09:32:13 First session reinit with id
> cZjG5Wm+Qy+wAMoQ5qiBUw== [pid=22209|sid=5774]
> 2019/05/17 09:32:13 Resume backend session with id
> cZjG5Wm+Qy+wAMoQ5qiBUw== [pid=22209|sid=5774]
> 2019/05/17 09:32:13 current session status GET_AUTHENTICATION_STACK
> [pid=22209|sid=5774]
> 2019/05/17 09:32:13 not logged in - doing auth - page is - action is
> login!stack [pid=22209|sid=5774]
> 2019/05/17 09:32:13 set auth_stack in session: Client Certificate
> [pid=22209|sid=5774]
> 2019/05/17 09:32:13 Authentication stack: Client Certificate
> [pid=22209|sid=5774]
> 2019/05/17 09:32:14 Selected realm ca-one, new status
> GET_CLIENT_X509_LOGIN [pid=22209|sid=5774]
> 2019/05/17 09:32:14 Requested login type CLIENT_X509 [pid=22209|sid=5774]
> 2019/05/17 09:32:14 Certificate missing for X509 Login [pid=22209|sid=5774]
> 2019/05/17 09:32:14 session logout [pid=22209|sid=5774]
> 2019/05/17 09:32:14 request handled [pid=22209|sid=5774]
>
> The final idea would be to create a double authentication system:
> - The certificate to identify the user (possess a proof)
> - The password to authenticate the user (knows a secret)
>
> *Did I miss something?* The user certificate had been imported in the
> browser (Mozilla Firefox), and used to access the webui. I don't
> understand why it does not work.
>
>
> Daniel
>
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
--
Protect your environment - close windows and adopt a penguin!
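
Added example, not part of the thread or of OpenXPKI: a small check of the mod_ssl variables a CGI request receives, separating "certificate verified but not exported" (the case +ExportCertData fixes) from "no certificate presented". It assumes the certificate login depends on mod_ssl's SSL_CLIENT_CERT variable; the function name and the sample environments are constructed for illustration.

```python
import os

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def diagnose_client_cert_env(env):
    """Return (ok, hint) describing the mod_ssl variables a CGI request received."""
    if env.get("HTTPS", "").lower() != "on":
        return False, "request did not arrive over TLS (HTTPS is not 'on')"
    verify = env.get("SSL_CLIENT_VERIFY", "")  # exported by SSLOptions +StdEnvVars
    cert = env.get("SSL_CLIENT_CERT", "")      # exported by SSLOptions +ExportCertData
    has_pem = cert.lstrip().startswith(PEM_HEADER)
    if not verify and not has_pem:
        return False, "no SSL_CLIENT_* variables: SSLOptions not applied to this path"
    if verify == "NONE":
        return False, "browser presented no certificate: check SSLVerifyClient and the CA file"
    if verify.startswith("FAILED"):
        return False, "mod_ssl rejected the certificate: " + verify
    if not has_pem:
        return False, "certificate verified but not exported: add +ExportCertData"
    if verify == "GENEROUS":
        # Seen with SSLVerifyClient optional_no_ca: the chain was not validated.
        return False, "certificate exported but not validated against a CA"
    return True, "certificate exported for " + env.get("SSL_CLIENT_S_DN", "(DN not exported)")


# Constructed sample environments (not captured from a real server).
_PEM = PEM_HEADER + "\n(constructed placeholder)\n-----END CERTIFICATE-----\n"
_DN = "CN=daniel (constructed)"
SAMPLES = {
    "verified_not_exported": {"HTTPS": "on", "SSL_CLIENT_VERIFY": "SUCCESS",
                              "SSL_CLIENT_S_DN": _DN},
    "no_cert_sent": {"HTTPS": "on", "SSL_CLIENT_VERIFY": "NONE"},
    "exported": {"HTTPS": "on", "SSL_CLIENT_VERIFY": "SUCCESS",
                 "SSL_CLIENT_S_DN": _DN, "SSL_CLIENT_CERT": _PEM},
}

if __name__ == "__main__":
    # Run as a CGI script next to the web UI to inspect the live request environment.
    print("Content-Type: text/plain\n")
    print("%s: %s" % diagnose_client_cert_env(os.environ))
```

Remove the script from the CGI directory once the check is done, since it reports the certificate subject of whoever requests it.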
