Hi Conan, Is certificate login okay if you are _not_ using reverse proxy?

Within my organisation everything must go through the reverse proxy so there is no way to use this without the requests going through it

Ok. Seems like its your company policy. We need to create a test environment like yours and see whats up where. I will create an internal ticket for QA team and after that we might publish a doc or so for community usage. In the mean time I think you can talk to your sys admin who has control over apache.

Was wondering if there was any progress on this or if there's anything I can supply to help? I can get access to the proxy but not sure how to pass the client cert through it and forward it to Gluu... I have tried adding a header within my proxy but doesn't seem to resolve issue. ``` proxy_set_header X-SSL-CERT $ssl_client_cert; ```

It's in the ToDo list. Sorry, it would be great if we could provide more bandwidth for community support for faster resolution of any community issue but it's not happening right now. According to list status, team is engaged for couple of Enterprise customers at this moment. We will let you know if we need anything from this side.

Conan, A quick question.. what kind of reverse proxy you are using? Apache or nginx based?

Nginx based proxy

Thanks much!

Hi Conan, [Here](https://www.youtube.com/watch?v=JN-3T0IGgrs) is my testing result. I think I couldn't reproduce your issue. - 'nginx.gluu.org' is nginx proxy server - 'allinone3.gluu.org' is the Gluu server v3 which is having cert authN.

Would it be possible to see your nginx config?

Sure, I'll share.

Here is the config of 'vhost.conf' [ my modified configuration for nginx server ]. upstream is showing the IP of Gluu Server which is behind of this proxy server. ``` root@nginx:/etc/nginx/sites-available# cat vhost.conf server { listen 192.168.0.135:443 ssl; # SSL config ssl on; ssl_certificate /etc/nginx/ssl/cert.crt; ssl_certificate_key /etc/nginx/ssl/private.key; # Make site accessible from http://localhost/ server_name nginx.gluu.org; set $upstream 192.168.0.123; location / { proxy_pass_header Authorization; proxy_pass https://$upstream; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_buffering off; client_max_body_size 0; proxy_read_timeout 36000s; proxy_redirect off; proxy_ssl_session_reuse off; } } ```

Hi, I have tried using your nginx config on my reverse proxy and still seem to be coming across the error where my browser is returning a 502 bad gateway when clicking on the login button (that should pop up a list of certificates to choose from). It's almost as if something is getting blocked and Gluu can't get access to the browsers certificates. Again from the logs within Gluu the only error I am receiving is this one ``` [Mon Jun 05 10:28:58.545075 2017] [ssl:error] [pid 21763] [client 192.168.XX.XX:48140] AH02261: Re-negotiation handshake failed: Not accepted by client!?, referer: https://my.gluu.idp/oxauth/auth/cert/login ``` When accessing the page and clicking the login button I also get this result in the oxauth log file wonder if you can spot anything that may be going on in here? ``` 2017-06-05 10:53:45,809 DEBUG [qtp1395089624-345] [xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] (AuthorizeRestWebServiceImpl.java:147) - Attempting to request authorization: responseType = code id_token, clientId = @!1C46.38AE.D077.C150!0001!849C.7440!0008!3604.E9CB, scope = openid profile email user_name, redirectUri = https://my.gluu.idp/identity/authentication/authcode, nonce = nonce, state = null, request = null, isSecure = true, requestSessionState = null, sessionState = null 2017-06-05 10:53:45,810 DEBUG [qtp1395089624-345] [xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] (AuthorizeRestWebServiceImpl.java:153) - Attempting to request authorization: acrValues = cert, amrValues = null, originHeaders = null, codeChallenge = null, codeChallengeMethod = null 2017-06-05 10:53:45,817 DEBUG [qtp1395089624-345] [org.xdi.oxauth.service.ClientService] (ClientService.java:128) - Found 1 entries for client id = @!1C46.38AE.D077.C150!0001!849C.7440!0008!3604.E9CB 2017-06-05 10:53:45,818 DEBUG [qtp1395089624-345] [org.xdi.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:43) - Checking scopes policy for: openid profile email user_name 2017-06-05 10:53:45,828 DEBUG [qtp1395089624-345] [org.xdi.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:63) - Granted scopes: [openid, user_name, profile, email] 2017-06-05 10:53:45,829 DEBUG [qtp1395089624-345] [org.xdi.oxauth.service.ClientService] (ClientService.java:128) - Found 1 entries for client id = @!1C46.38AE.D077.C150!0001!849C.7440!0008!3604.E9CB 2017-06-05 10:53:45,830 DEBUG [qtp1395089624-345] [org.xdi.oxauth.service.RedirectionUriService] (RedirectionUriService.java:80) - Validating redirection URI: clientIdentifier = @!1C46.38AE.D077.C150!0001!849C.7440!0008!3604.E9CB, redirectionUri = https://my.gluu.idp/identity/authentication/authcode, found = 4 2017-06-05 10:53:45,830 DEBUG [qtp1395089624-345] [org.xdi.oxauth.service.RedirectionUriService] (RedirectionUriService.java:86) - Comparing https://my.gluu.idp/identity/scim/auth == https://my.gluu.idp/identity/authentication/authcode 2017-06-05 10:53:45,831 DEBUG [qtp1395089624-345] [org.xdi.oxauth.service.RedirectionUriService] (RedirectionUriService.java:86) - Comparing https://my.gluu.idp/identity/authentication/authcode == https://my.gluu.idp/identity/authentication/authcode 2017-06-05 10:53:45,860 DEBUG [qtp1395089624-156] [org.xdi.oxauth.service.ClientService] (ClientService.java:128) - Found 1 entries for client id = @!1C46.38AE.D077.C150!0001!849C.7440!0008!3604.E9CB 2017-06-05 10:53:45,875 DEBUG [qtp1395089624-156] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:247) - Executing python 'getPageForStep' authenticator method 2017-06-05 10:53:45,944 DEBUG [qtp1395089624-322] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:337) - Validating acr_values: 'cert' 2017-06-05 10:53:45,944 DEBUG [qtp1395089624-322] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:132) - Executing python 'isValidAuthenticationMethod' authenticator method 2017-06-05 10:53:45,945 DEBUG [qtp1395089624-322] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:221) - Executing python 'prepareForStep' authenticator method 2017-06-05 10:53:45,946 DEBUG [qtp1395089624-322] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:234) - Executing python 'getExtraParametersForStep' authenticator method 2017-06-05 10:53:45,956 DEBUG [qtp1395089624-322] [org.xdi.oxauth.service.ClientService] (ClientService.java:128) - Found 1 entries for client id = @!1C46.38AE.D077.C150!0001!849C.7440!0008!3604.E9CB 2017-06-05 10:53:45,957 DEBUG [qtp1395089624-322] [org.xdi.oxauth.service.ClientService] (ClientService.java:128) - Found 1 entries for client id = @!1C46.38AE.D077.C150!0001!849C.7440!0008!3604.E9CB 2017-06-05 10:53:45,958 DEBUG [qtp1395089624-322] [org.xdi.oxauth.service.ClientService] (ClientService.java:128) - Found 1 entries for client id = @!1C46.38AE.D077.C150!0001!849C.7440!0008!3604.E9CB 2017-06-05 10:53:53,541 DEBUG [qtp1395089624-161] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:171) - Executing python 'authenticate' authenticator method 2017-06-05 10:53:53,543 DEBUG [qtp1395089624-161] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:233) - Authentication result for user 'null'. auth_step: '1', result: 'true', credentials: '1,933,581,664' 2017-06-05 10:53:53,543 DEBUG [qtp1395089624-161] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:260) - Executing python 'getApiVersion' authenticator method 2017-06-05 10:53:53,544 DEBUG [qtp1395089624-161] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:234) - Executing python 'getExtraParametersForStep' authenticator method 2017-06-05 10:53:53,545 DEBUG [qtp1395089624-161] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:158) - Executing python 'getCountAuthenticationSteps' authenticator method 2017-06-05 10:53:53,549 DEBUG [qtp1395089624-161] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:247) - Executing python 'getPageForStep' authenticator method 2017-06-05 10:53:53,550 DEBUG [qtp1395089624-161] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:234) - Executing python 'getExtraParametersForStep' authenticator method ``` Any help or ideas would be great thanks.

What exactly is required (if anything) within the file ```/etc/certs/cert_creds.json``` maybe I am missing something from there that could be causing an issue?

Hi Conan, >> What exactly is required (if anything) within the file /etc/certs/cert_creds.json Nothing much... Here is what inside my test server: ``` GLUU.root@allinone3:/etc/certs# cat cert_creds.json { "recaptcha":{ "enabled":false, "site_key":"", "secret_key":"" } } ``` >> When accessing the page and clicking the login button I also get this result in the oxauth log Which 'oxauth log'? oxauth.log? My tailing resulting something different for 'oxauth.log': ``` 2017-06-05 16:10:59,319 INFO [qtp242131142-16] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:519) - Attempting to redirect user: SessionUser: SessionState, dn='oxAuthSessionId=dafdf639-5d87-4c07-ae47-4a25412a416b,ou=session,o=@!F6A8.5900.F24B.2584!0001!8C21.4A85,o=gluu', id='dafdf639-5d87-4c07-ae47-4a25412a416b', isJwt=false, lastUsedAt=Mon Jun 05 16:10:59 UTC 2017, userDn='inum=@!F6A8.5900.F24B.2584!0001!8C21.4A85!0000!185C.0D40.79C7.7E6E,ou=people,o=@!F6A8.5900.F24B.2584!0001!8C21.4A85,o=gluu', authenticationTime=Mon Jun 05 16:10:59 UTC 2017, state=authenticated, permissionGranted=null, permissionGrantedMap=org.xdi.oxauth.model.common.SessionIdAccessMap@4e70dd8, sessionAttributes={auth_step=2, acr=cert, remote_ip=192.168.0.102, scope=openid profile email user_name, acr_values=cert, response_type=code id_token, redirect_uri=https://allinone3.gluu.org/identity/authentication/authcode, nonce=nonce, client_id=@!F6A8.5900.F24B.2584!0001!8C21.4A85!0008!1EA6.ABAE, auth_step_passed_1=true, cert_x509=MIIFBjCCAu6gAwIBAgIBZDANBgkqhkiG9w0BAQsFADCBijELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlRYMQ8wDQYDVQQHDAZBdXN0aW4xEjAQBgNVBAoMCUdsdXUgSW5jLjELMAkGA1UECwwCSVQxGzAZBgNVBAMMEmFsbGlub25lMy5nbHV1Lm9yZzEfMB0GCSqGSIb3DQEJARYQc3VwcG9ydEBnbHV1Lm9yZzAeFw0xNzA1MjUxNTIxMjFaFw0xODA1MjUxNTIxMjFaMIGDMQswCQYDVQQGEwJVUzELMAkGA1UECAwCVFgxDzANBgNVBAcMBkF1c3RpbjESMBAGA1UECgwJR2x1dSBJbmMuMQ4wDAYDVQQLDAVNb2hpYjETMBEGA1UEAwwKTW9oaWIgWmljbzEdMBsGCSqGSIb3DQEJARYObW9oaWJAZ2x1dS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJ3bfEiGWWkYV3J9LtGHc8P/xMr1oiKp+c98vhnbyZaSHvqPCaaczBuVz/mCEyn7JKWLIxVIGyd6jmaqugpSB18y/wmBCfKy95oQOx+XKAcYjwDRgICDfGvvNjpCZQA9GtECZIR0so1nAIzApFvmaZ4R4tURGwZB9LalRD4F5NHEQR0OG0NqzAC8yk2R97naqu+/kXVOCUHMPSWy3xG1JuDqjNzvPRvU96WppH+QKtNY2tKM8NgkYM0Xg46iaURRxC+KNF2E61hNHk9m2+EE8URLWdKcxn3tSBuBaJBceHvETrrqlSm8adAU3YN/C0bBrDeb5AMRDwzGnBcmqE3d7pAgMBAAGjfDB6MAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgTwMB0GA1UdDgQWBBRrfPZPqIfwIHsfJwEHsBh8G0n22DAfBgNVHSMEGDAWgBSqcXdpcRy8+2U6HWRbiHkM7wUDRzAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZIhvcNAQELBQADggIBABWcpM0Qp27NrxYXxx9d3D9IIbxQJDRUJekbEwA+MpzyyFDEBSOhyUXHSuG7xAhTKfodhdPl+84V3VUxa0RCTcpTsolrtF4x4ngrtSe7WNrDY0TYbhy4E0ws6wFAS9Hwr4myVWNRdJOsO/xfXMilNGadOIjHBvNBg6GkLr70PalZ7V8orI+fuT5uZCEDpSba6p0AhOK2Dpl5q4FdNYr6aQZQkKZpGIeV5kDxjo1sJCk5RCzTbA4lvgzppwQupA22cjxDV9euHWxqhqFe8e4NkOZxNfforpyW53x8Pt3KhjA53KV38h0Y76Cbktpza7SQYdG1VLEvEz87t9thUUb4k3mTMW4lob5ZJGcWBGU6/aRj1PglSLNrMqV9fRYwkQtTrlFMCDM/TyAaM4mHw7lCKdyCoa73nOeZI5ckKCJQOJK6xMj5jfsfo2HItQL/ty37U4McJSm3jdTqHhw4Hr6gTJZ0JbmzByIMt89swNt2BTyiifM+jc7XBQrxoVlBp05FK0pIeNmRW13NUNxrloL+BUD+t03QAhuTFE/feNXI5sT7Ooz3/+ei076uhT5/iMfzZpk7PTDnjJChApkas9PlPI7B2sB6ACxLarEK1aeTZPKYUc8A9INrV8ccshHO/Jzy0RJf0AnHJVNTIF00sIQGjRFIuBHmTNPXqUaK/1NwTlJ1, auth_user=mohib}, persisted=true} 2017-06-05 16:10:59,324 INFO [qtp242131142-16] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:527) - Attempting to redirect user: User: org.xdi.oxauth.model.common.User@4df5207b 2017-06-05 16:10:59,347 INFO [qtp242131142-16] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:323) - Authentication success for User: 'mohib' 2017-06-05 16:11:00,617 INFO [qtp242131142-15] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:189) - Authentication success for Client: '@!F6A8.5900.F24B.2584!0001!8C21.4A85!0008!1EA6.ABAE' ```

oxauth.log yes, could you provide some guidance on how your CA and client certs were created for this? I'm guessing that the only thing that could be wrong would be SSL errors maybe using the wrong certificates.. I followed this tutorial to create root CA, intermediate CA and client certs.. https://jamielinux.com/docs/openssl-certificate-authority/introduction.html Once I had the root CA and intermediate CA I concatenated them to be left with the ```ca-chain.cert.pem``` I then create client certs for myself and converted them into 'pfx' format and imported them to my browser. Can't seem to see anything that is wrong with this but I'm no expert in SSL Regards, Conan

I followed [this](https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/cert/Demo%20Configuration.md) doc to generate certs.

I am still having problems with this.. I'll try to explain my set up in a bit more detail. I have a server (gluu.myserver.com) running Gluu which is setup to use a different outside name (mygluu.mydomain.com) which is served by a reverse proxy. When setting up Gluu I used mygluu.mydomain.com as the CN during setup.py. I have a nginx reverse proxy pointing mygluu.mydomain.com to gluu.myserver.com and setting the proxy_header 'host' as mygluu.mydomain.com. So when I access mygluu.mydomain.com I hit my reverse proxy which returns my Gluu install - all working fine so far (note I also have SSL certificates installed on my nginx proxy that serve the name mygluu.mydomain.com). The problem is when I try to do this certificate authentication - I go to click the login button and the reverse proxy returns a 502 gateway error. If I set the domain mygluu.mydomain.com to point directly to my gluu install via the hosts file in my computer then the certificate authentication works, it's only when I go through the nginx proxy that the authentication module does not work. I have even tried to use your exact nginx config on my reverse proxy but still no luck. A guess as to what is wrong would be the fact my gluu server serves a different domain than the reverse proxy does??