I tried what you said, but I got "Unknown error (service default handle message failed)" in the webUI.
catchall.log : 2019/05/22 16:00:29 openxpki.system.ERROR I18N_OPENXPKI_SERVICE_DEFAULT_HANDLE_MESSAGE_FAILED; __MESSAGE_NAME__ => GET_CLIENT_X509_LOGIN; __EVAL_ERROR__ => Can't locate object method "message" via package "requested value is not a hash at /usr/share/perl5/Connector/Proxy/YAML.pm line 142. " (perhaps you forgot to load "requested value is not a hash at /usr/share/perl5/Connector/Proxy/YAML.pm line 142. "?) at /usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Server/Authentication.pm line 241. [pid=15931|sid=cd5E] 2019/05/22 16:00:52 openxpki.application.INFO Purged 1 expired sessions [pid=15923|sid=pvMl] 2019/05/22 16:04:23 openxpki.system.ERROR I18N_OPENXPKI_SERVICE_DEFAULT_HANDLE_MESSAGE_FAILED; __MESSAGE_NAME__ => GET_CLIENT_X509_LOGIN; __EVAL_ERROR__ => Can't locate object method "message" via package "requested value is not a hash at /usr/share/perl5/Connector/Proxy/YAML.pm line 142. " (perhaps you forgot to load "requested value is not a hash at /usr/share/perl5/Connector/Proxy/YAML.pm line 142. "?) at /usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Server/Authentication.pm line 241. [pid=15973|sid=cd5E] If you have any clue of what caused this. Daniel, > Thank you very much, I will take a look at it and tell you if I succeed. > > Daniel, > > > Hi, > > you need a lookup table to map the certificates to roles, usually you > > use a connector for this. Have a look at the documentation of the > > Handler module (OpenXPKI;:Server::Authentication::X509) - there are some > > config snippets and hints. > > Oliver > > Am 20.05.19 um 17:03 schrieb daniel.Jackson.fr via OpenXPKI-users: > > > > > Thank you, some of these parameters were missing in my Apache > > > configuration. > > > I have an other question related to this: is there a way to distinguish > > > the users using the certificate he uses ? > > > For the moment all certificate users have the same default role. I would > > > like all the users to use a certificate, but some of them with more > > > privileges. > > > How can I adapt the handler to have a different role for some > > > certificates. > > > Daniel, > > > > > > > Hi Daniel, > > > > you need to set SSLVerify Options AND set the "ExportCertData" option: > > > > SSLVerifyClient optional > > > > SSLVerifyDepth 3 > > > > SSLCACertificateFile /etc/apache2/ssl/root.pem > > > > SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire > > > > <Directory /usr/lib/cgi-bin> > > > > > > > > SSLOptions +StdEnvVars > > > > > > > > > > > > </Directory> > > > > Oliver > > > > Am 17.05.19 um 09:24 schrieb daniel.Jackson.fr via OpenXPKI-users: > > > > > > > > > Hi everyone, > > > > > I have configured the apache server to force the user to use HTTPS > > > > > instead of HTTP. I am working on my own PC (localhost) so i add in > > > > > /etc/hosts: > > > > > 127.0.0.1 openxpki.com > > > > > So with my apache configuration, when I type openxpki.com (I am > > > > > redirected to localhost/openpki). > > > > > The user also need to have a certificate delivered by the right CA to > > > > > access to the OpenXPKI webui. (Apache2 conf). > > > > > However, I also wanted to use the authentification by certificate > > > > > present in the default settings, but everytime I try to use it, the > > > > > webui says: > > > > > """ > > > > > Required information is missing! > > > > > Your web browser failed to present the required information to log in > > > > > using the chosen login method. > > > > > Please select a different type of authentication. Go back to login > > > > > page. > > > > > """ > > > > > I got this on the webui log file : > > > > > 2019/05/17 09:32:09 check for cgi session, fcgi pid 22209 > > > > > [pid=22209|sid=53d6] > > > > > 2019/05/17 09:32:09 session id (front) is > > > > > 5774934edc498239ef973eef5a79ad97 [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:09 Use provided client instance [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:09 First session reinit with id init > > > > > [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:09 New backend session with id > > > > > cZjG5Wm+Qy+wAMoQ5qiBUw== > > > > > [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:09 current session status GET_PKI_REALM > > > > > [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:09 Generate rtoken [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:09 Baseurl from referrer: [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:09 request handled [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:09 check for cgi session, fcgi pid 22209 > > > > > [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:09 session id (front) is > > > > > 5774934edc498239ef973eef5a79ad97 [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:09 Use provided client instance [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:09 First session reinit with id > > > > > cZjG5Wm+Qy+wAMoQ5qiBUw== [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:09 Resume backend session with id > > > > > cZjG5Wm+Qy+wAMoQ5qiBUw== [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:09 current session status GET_PKI_REALM > > > > > [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:09 not logged in - doing auth - page is login - > > > > > action > > > > > is [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:09 request handled [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:10 check for cgi session, fcgi pid 22209 > > > > > [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:10 session id (front) is > > > > > 5774934edc498239ef973eef5a79ad97 [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:10 Use provided client instance [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:10 First session reinit with id > > > > > cZjG5Wm+Qy+wAMoQ5qiBUw== [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:10 Resume backend session with id > > > > > cZjG5Wm+Qy+wAMoQ5qiBUw== [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:10 current session status GET_PKI_REALM > > > > > [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:10 not logged in - doing auth - page is - action is > > > > > login!realm [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:10 set realm in session: ca-one [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:10 Selected realm ca-one, new status > > > > > GET_AUTHENTICATION_STACK [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:10 request handled [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:13 check for cgi session, fcgi pid 22209 > > > > > [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:13 session id (front) is > > > > > 5774934edc498239ef973eef5a79ad97 [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:13 Use provided client instance [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:13 First session reinit with id > > > > > cZjG5Wm+Qy+wAMoQ5qiBUw== [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:13 Resume backend session with id > > > > > cZjG5Wm+Qy+wAMoQ5qiBUw== [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:13 current session status GET_AUTHENTICATION_STACK > > > > > [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:13 not logged in - doing auth - page is - action is > > > > > login!stack [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:13 set auth_stack in session: Client Certificate > > > > > [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:13 Authentication stack: Client Certificate > > > > > [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:14 Selected realm ca-one, new status > > > > > GET_CLIENT_X509_LOGIN [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:14 Requested login type CLIENT_X509 > > > > > [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:14 Certificate missing for X509 Login > > > > > [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:14 session logout [pid=22209|sid=5774] > > > > > 2019/05/17 09:32:14 request handled [pid=22209|sid=5774] > > > > > The final idea would be to create a double authentification system: > > > > > > > > > > - The certificate to identify the user (possess a proof) > > > > > - The password to authentificate the user (knows a secret) > > > > > > > > > > Did i miss something ? The user certificate had been imported in the > > > > > browser (Mozilla firefox), and used to access to the webui. I don't > > > > > understand why it does not work. > > > > > Daniel > > > > > OpenXPKI-users mailing list > > > > > [email protected] > > > > > https://lists.sourceforge.net/lists/listinfo/openxpki-users > > > > > > > > -- > > > > Protect your environment - close windows and adopt a penguin! > > > > OpenXPKI-users mailing list > > > > [email protected] > > > > https://lists.sourceforge.net/lists/listinfo/openxpki-users > > > > > > OpenXPKI-users mailing list > > > [email protected] > > > https://lists.sourceforge.net/lists/listinfo/openxpki-users > > > > -- > > Protect your environment - close windows and adopt a penguin! > > OpenXPKI-users mailing list > > [email protected] > > https://lists.sourceforge.net/lists/listinfo/openxpki-users > > OpenXPKI-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/openxpki-users _______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
