By: Conan Malone user 17 May 2017 at 8:29 a.m. CDT

18 Responses
I am trying to set up certificate-based authentication on my Gluu server. So far I have set up a root CA and intermediate CA on the server and have generated a client certificate and installed it within my browser (Firefox). Within Gluu I have the certificate script enabled and pointing the chain file attribute to my chain file within the server that is used to sign the certificates. When I access my application I get presented with the dialog box telling me to click login then choose the right cert, but when I click login the browser takes a while to load and returns a 502 Bad Gateway. All my requests get sent through a reverse proxy and I believe the reverse proxy will terminate any SSL requests, so any ideas on how I would pass the client certificate through or what the problem might be? The only error I can find in any logs is from `/var/log/httpd/error_log`, which gives this error:

```
[ssl:error] [pid 20571] [client 192.168.XX.XX:58638] AH02261: Re-negotiation handshake failed: Not accepted by client!?, referer: https://gluu.idp/oxauth/auth/cert/login
```

By Mohib Zico staff 17 May 2017 at 8:41 a.m. CDT

Hi Conan, is certificate login okay if you are _not_ using a reverse proxy?

By Conan Malone user 17 May 2017 at 9:08 a.m. CDT

Within my organisation everything must go through the reverse proxy, so there is no way to use this without the requests going through it.

By Mohib Zico staff 17 May 2017 at 9:16 a.m. CDT

Ok. Seems like it's your company policy. We need to create a test environment like yours and see what's up where. I will create an internal ticket for the QA team and after that we might publish a doc or so for community usage. In the meantime I think you can talk to your sys admin who has control over Apache.

By Conan Malone user 22 May 2017 at 4:24 a.m. CDT

Was wondering if there was any progress on this or if there's anything I can supply to help? I can get access to the proxy but I'm not sure how to pass the client cert through it and forward it to Gluu... I have tried adding a header within my proxy but it doesn't seem to resolve the issue.

```
proxy_set_header X-SSL-CERT $ssl_client_cert;
```

By Mohib Zico staff 22 May 2017 at 4:39 a.m. CDT

It's on the ToDo list. Sorry, it would be great if we could provide more bandwidth for community support for faster resolution of any community issue, but it's not happening right now. According to the list status, the team is engaged with a couple of Enterprise customers at this moment. We will let you know if we need anything from this side.

By Mohib Zico staff 22 May 2017 at 9:23 a.m. CDT

Conan, a quick question: what kind of reverse proxy are you using? Apache or nginx based?

By Conan Malone user 22 May 2017 at 10:23 a.m. CDT

Nginx based proxy

By Mohib Zico staff 22 May 2017 at 10:23 a.m. CDT

Thanks much!

By Mohib Zico staff 25 May 2017 at 11:13 a.m. CDT

Hi Conan, [here](https://www.youtube.com/watch?v=JN-3T0IGgrs) is my testing result. I think I couldn't reproduce your issue.

- 'nginx.gluu.org' is the nginx proxy server
- 'allinone3.gluu.org' is the Gluu server v3 which has cert authN

By Conan Malone user 31 May 2017 at 7:01 a.m. CDT

Would it be possible to see your nginx config?

By Mohib Zico staff 31 May 2017 at 7:02 a.m. CDT

Sure, I'll share.

By Mohib Zico staff 02 Jun 2017 at 10:16 a.m. CDT

Here is the config of 'vhost.conf' [ my modified configuration for nginx server ]. `upstream` is showing the IP of the Gluu Server which is behind this proxy server.

```
root@nginx:/etc/nginx/sites-available# cat vhost.conf
server {
    listen 192.168.0.135:443 ssl;

    # SSL config
    ssl on;
    ssl_certificate /etc/nginx/ssl/cert.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;

    # Make site accessible from http://localhost/
    server_name nginx.gluu.org;

    set $upstream 192.168.0.123;

    location / {
        proxy_pass_header Authorization;
        proxy_pass https://$upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
        proxy_ssl_session_reuse off;
    }
}
```

By Conan Malone user 05 Jun 2017 at 4:58 a.m. CDT

Hi, I have tried using your nginx config on my reverse proxy and still seem to be coming across the error where my browser is returning a 502 Bad Gateway when clicking on the login button (that should pop up a list of certificates to choose from). It's almost as if something is getting blocked and Gluu can't get access to the browser's certificates. Again, from the logs within Gluu the only error I am receiving is this one:

```
[Mon Jun 05 10:28:58.545075 2017] [ssl:error] [pid 21763] [client 192.168.XX.XX:48140] AH02261: Re-negotiation handshake failed: Not accepted by client!?, referer: https://my.gluu.idp/oxauth/auth/cert/login
```

When accessing the page and clicking the login button I also get this result in the oxauth log file; wonder if you can spot anything that may be going on in here?

```
2017-06-05 10:53:45,809 DEBUG [qtp1395089624-345] [xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] (AuthorizeRestWebServiceImpl.java:147) - Attempting to request authorization: responseType = code id_token, clientId = @!1C46.38AE.D077.C150!0001!849C.7440!0008!3604.E9CB, scope = openid profile email user_name, redirectUri = https://my.gluu.idp/identity/authentication/authcode, nonce = nonce, state = null, request = null, isSecure = true, requestSessionState = null, sessionState = null
2017-06-05 10:53:45,810 DEBUG [qtp1395089624-345] [xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] (AuthorizeRestWebServiceImpl.java:153) - Attempting to request authorization: acrValues = cert, amrValues = null, originHeaders = null, codeChallenge = null, codeChallengeMethod = null
2017-06-05 10:53:45,817 DEBUG [qtp1395089624-345] [org.xdi.oxauth.service.ClientService] (ClientService.java:128) - Found 1 entries for client id = @!1C46.38AE.D077.C150!0001!849C.7440!0008!3604.E9CB
2017-06-05 10:53:45,818 DEBUG [qtp1395089624-345] [org.xdi.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:43) - Checking scopes policy for: openid profile email user_name
2017-06-05 10:53:45,828 DEBUG [qtp1395089624-345] [org.xdi.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:63) - Granted scopes: [openid, user_name, profile, email]
2017-06-05 10:53:45,829 DEBUG [qtp1395089624-345] [org.xdi.oxauth.service.ClientService] (ClientService.java:128) - Found 1 entries for client id = @!1C46.38AE.D077.C150!0001!849C.7440!0008!3604.E9CB
2017-06-05 10:53:45,830 DEBUG [qtp1395089624-345] [org.xdi.oxauth.service.RedirectionUriService] (RedirectionUriService.java:80) - Validating redirection URI: clientIdentifier = @!1C46.38AE.D077.C150!0001!849C.7440!0008!3604.E9CB, redirectionUri = https://my.gluu.idp/identity/authentication/authcode, found = 4
2017-06-05 10:53:45,830 DEBUG [qtp1395089624-345] [org.xdi.oxauth.service.RedirectionUriService] (RedirectionUriService.java:86) - Comparing https://my.gluu.idp/identity/scim/auth == https://my.gluu.idp/identity/authentication/authcode
2017-06-05 10:53:45,831 DEBUG [qtp1395089624-345] [org.xdi.oxauth.service.RedirectionUriService] (RedirectionUriService.java:86) - Comparing https://my.gluu.idp/identity/authentication/authcode == https://my.gluu.idp/identity/authentication/authcode
2017-06-05 10:53:45,860 DEBUG [qtp1395089624-156] [org.xdi.oxauth.service.ClientService] (ClientService.java:128) - Found 1 entries for client id = @!1C46.38AE.D077.C150!0001!849C.7440!0008!3604.E9CB
2017-06-05 10:53:45,875 DEBUG [qtp1395089624-156] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:247) - Executing python 'getPageForStep' authenticator method
2017-06-05 10:53:45,944 DEBUG [qtp1395089624-322] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:337) - Validating acr_values: 'cert'
2017-06-05 10:53:45,944 DEBUG [qtp1395089624-322] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:132) - Executing python 'isValidAuthenticationMethod' authenticator method
2017-06-05 10:53:45,945 DEBUG [qtp1395089624-322] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:221) - Executing python 'prepareForStep' authenticator method
2017-06-05 10:53:45,946 DEBUG [qtp1395089624-322] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:234) - Executing python 'getExtraParametersForStep' authenticator method
2017-06-05 10:53:45,956 DEBUG [qtp1395089624-322] [org.xdi.oxauth.service.ClientService] (ClientService.java:128) - Found 1 entries for client id = @!1C46.38AE.D077.C150!0001!849C.7440!0008!3604.E9CB
2017-06-05 10:53:45,957 DEBUG [qtp1395089624-322] [org.xdi.oxauth.service.ClientService] (ClientService.java:128) - Found 1 entries for client id = @!1C46.38AE.D077.C150!0001!849C.7440!0008!3604.E9CB
2017-06-05 10:53:45,958 DEBUG [qtp1395089624-322] [org.xdi.oxauth.service.ClientService] (ClientService.java:128) - Found 1 entries for client id = @!1C46.38AE.D077.C150!0001!849C.7440!0008!3604.E9CB
2017-06-05 10:53:53,541 DEBUG [qtp1395089624-161] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:171) - Executing python 'authenticate' authenticator method
2017-06-05 10:53:53,543 DEBUG [qtp1395089624-161] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:233) - Authentication result for user 'null'. auth_step: '1', result: 'true', credentials: '1,933,581,664'
2017-06-05 10:53:53,543 DEBUG [qtp1395089624-161] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:260) - Executing python 'getApiVersion' authenticator method
2017-06-05 10:53:53,544 DEBUG [qtp1395089624-161] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:234) - Executing python 'getExtraParametersForStep' authenticator method
2017-06-05 10:53:53,545 DEBUG [qtp1395089624-161] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:158) - Executing python 'getCountAuthenticationSteps' authenticator method
2017-06-05 10:53:53,549 DEBUG [qtp1395089624-161] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:247) - Executing python 'getPageForStep' authenticator method
2017-06-05 10:53:53,550 DEBUG [qtp1395089624-161] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:234) - Executing python 'getExtraParametersForStep' authenticator method
```

Any help or ideas would be great, thanks.

By Conan Malone user 05 Jun 2017 at 5:07 a.m. CDT

What exactly is required (if anything) within the file `/etc/certs/cert_creds.json`? Maybe I am missing something from there that could be causing an issue?

By Mohib Zico staff 05 Jun 2017 at 11:29 a.m. CDT

Hi Conan,

> What exactly is required (if anything) within the file /etc/certs/cert_creds.json

Nothing much... Here is what is inside my test server:

```
GLUU.root@allinone3:/etc/certs# cat cert_creds.json
{
    "recaptcha":{
        "enabled":false,
        "site_key":"",
        "secret_key":""
    }
}
```

> When accessing the page and clicking the login button I also get this result in the oxauth log

Which 'oxauth log'? oxauth.log? My tailing is resulting in something different for 'oxauth.log':

```
2017-06-05 16:10:59,319 INFO [qtp242131142-16] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:519) - Attempting to redirect user: SessionUser: SessionState, dn='oxAuthSessionId=dafdf639-5d87-4c07-ae47-4a25412a416b,ou=session,o=@!F6A8.5900.F24B.2584!0001!8C21.4A85,o=gluu', id='dafdf639-5d87-4c07-ae47-4a25412a416b', isJwt=false, lastUsedAt=Mon Jun 05 16:10:59 UTC 2017, userDn='inum=@!F6A8.5900.F24B.2584!0001!8C21.4A85!0000!185C.0D40.79C7.7E6E,ou=people,o=@!F6A8.5900.F24B.2584!0001!8C21.4A85,o=gluu', authenticationTime=Mon Jun 05 16:10:59 UTC 2017, state=authenticated, permissionGranted=null, permissionGrantedMap=org.xdi.oxauth.model.common.SessionIdAccessMap@4e70dd8, sessionAttributes={auth_step=2, acr=cert, remote_ip=192.168.0.102, scope=openid profile email user_name, acr_values=cert, response_type=code id_token, redirect_uri=https://allinone3.gluu.org/identity/authentication/authcode, nonce=nonce, client_id=@!F6A8.5900.F24B.2584!0001!8C21.4A85!0008!1EA6.ABAE, auth_step_passed_1=true, cert_x509=[...], auth_user=mohib}, persisted=true}
2017-06-05 16:10:59,324 INFO [qtp242131142-16] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:527) - Attempting to redirect user: User: org.xdi.oxauth.model.common.User@4df5207b
2017-06-05 16:10:59,347 INFO [qtp242131142-16] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:323) - Authentication success for User: 'mohib'
2017-06-05 16:11:00,617 INFO [qtp242131142-15] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:189) - Authentication success for Client: '@!F6A8.5900.F24B.2584!0001!8C21.4A85!0008!1EA6.ABAE'
```

By Conan Malone user 07 Jun 2017 at 4:44 a.m. CDT

oxauth.log, yes. Could you provide some guidance on how your CA and client certs were created for this? I'm guessing that the only thing that could be wrong would be SSL errors, maybe using the wrong certificates. I followed this tutorial to create the root CA, intermediate CA and client certs: https://jamielinux.com/docs/openssl-certificate-authority/introduction.html Once I had the root CA and intermediate CA I concatenated them to be left with `ca-chain.cert.pem`. I then created client certs for myself, converted them into 'pfx' format and imported them into my browser. Can't seem to see anything that is wrong with this, but I'm no expert in SSL.

Regards,
Conan

By Mohib Zico staff 07 Jun 2017 at 11:53 a.m. CDT

I followed [this](https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/cert/Demo%20Configuration.md) doc to generate certs.

By Conan Malone user 21 Jun 2017 at 5:32 a.m. CDT

I am still having problems with this. I'll try to explain my setup in a bit more detail. I have a server (gluu.myserver.com) running Gluu which is set up to use a different outside name (mygluu.mydomain.com) which is served by a reverse proxy. When setting up Gluu I used mygluu.mydomain.com as the CN during setup.py. I have an nginx reverse proxy pointing mygluu.mydomain.com to gluu.myserver.com and setting the proxy_header 'host' as mygluu.mydomain.com. So when I access mygluu.mydomain.com I hit my reverse proxy which returns my Gluu install; all working fine so far (note I also have SSL certificates installed on my nginx proxy that serve the name mygluu.mydomain.com). The problem is when I try to do this certificate authentication: I go to click the login button and the reverse proxy returns a 502 gateway error. If I set the domain mygluu.mydomain.com to point directly to my gluu install via the hosts file on my computer then the certificate authentication works; it's only when I go through the nginx proxy that the authentication module does not work. I have even tried to use your exact nginx config on my reverse proxy but still no luck. A guess as to what is wrong would be the fact my gluu server serves a different domain than the reverse proxy does?
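Added example, not from the thread or from the Gluu project: the vhost Mohib posted, extended so that the TLS-terminating proxy itself asks the browser for the client certificate and forwards it in the `X-SSL-CERT` header Conan tried. The AH02261 line is Apache on the Gluu host trying to renegotiate a client certificate with its own TLS peer, which behind a proxy is nginx's upstream connection rather than the browser, so the certificate has to be collected where the browser's TLS session actually ends. It assumes the proxy holds the same `ca-chain.cert.pem` the client certs were signed with, and that the Gluu side is configured to take the certificate from that header instead of renegotiating; the thread does not show that backend setting.

```nginx
# Added example (not the thread's config): nginx proxy that terminates TLS for the
# browser, requests the client certificate itself, and forwards it to the Gluu server.
# Assumptions: /etc/nginx/ssl/ca-chain.cert.pem is the root+intermediate chain that
# signed the client certs; the backend reads the cert from X-SSL-CERT (not shown in thread).
upstream gluu_backend {
    server 192.168.0.123:443;   # Gluu server behind the proxy (IP from the thread)
}

server {
    listen 192.168.0.135:443 ssl;
    server_name nginx.gluu.org;

    ssl_certificate     /etc/nginx/ssl/cert.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;

    # Request the client certificate at the endpoint the browser actually talks to.
    # "optional" keeps non-certificate logins working; nginx verifies the presented
    # cert against the chain and exposes the outcome in $ssl_client_verify.
    ssl_client_certificate /etc/nginx/ssl/ca-chain.cert.pem;
    ssl_verify_client      optional;
    ssl_verify_depth       2;   # root CA -> intermediate CA -> client cert

    location / {
        proxy_pass         https://gluu_backend;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;

        # Forward the URL-encoded PEM certificate (nginx 1.13.5 or later) together with
        # its verification result ("SUCCESS", "NONE" or "FAILED:reason"). Because the
        # proxy always sets these headers, any X-SSL-* value a client sends is replaced,
        # and an empty value means the header is not sent at all.
        proxy_set_header   X-SSL-CERT   $ssl_client_escaped_cert;
        proxy_set_header   X-SSL-VERIFY $ssl_client_verify;
    }
}
```

The backend should accept `X-SSL-CERT` and `X-SSL-VERIFY` only from the proxy's address and should check that `X-SSL-VERIFY` is `SUCCESS` before trusting the certificate, since with `optional` a request with no certificate or a failed verification is still proxied through.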