By: Justin Offett user 04 Mar 2020 at 12:42 p.m. CST

6 Responses
Hello, I've installed the example docker app from https://gluu.org/docs/ce/installation-guide/install-docker/. I've also spun up a dockerized apache with the mod_auth_openidc module installed and tested the simple_password_auth authentication. I then enabled the cert custom script with only the use_generic_validator enabled. After this, I've set the default acr to cert. I've added our CA as the /etc/certs/chain_cert.pem file and made that available to both the nginx and oxauth containers.

When I try to access the protected resource, I see the login.htm page. However, when I select the "Login" button I am **not prompted for certs** as I expect. Instead, I see a "/oxauth/auth/cert/cert-not-selected.htm" page. I've tried clearing Firefox's Active Logins, restarting the browser, as well as using a Private Browsing session.

Additionally, we've tried to update the nginx container's /etc/certs/gluu_https.crt and /etc/certs/gluu_https.key files to use certs signed by the CA in chain_cert.pem. I've also tried to enable 2-way SSL on the nginx container with "ssl_verify_client optional; ssl_client_certificate /etc/certs/chain_cert.pem;" within the nginx default.conf. This triggers a cert prompt when the initial login.htm page is hit, but the cert doesn't get used after pressing the "Login" button. There don't appear to be any errors in the logs; the oxauth_script.log simply shows that no cert was presented. I suspect an SSL issue, but at this point I'm not sure what else I should try. Thanks for your help! --Justin

By Michael Schwartz Account Admin 04 Mar 2020 at 1:15 p.m. CST

Mutual TLS is configured in the web server. Make sure you have your web server configured properly for client certificate authn. BTW, if your firm might want to get a support contract, that can help expedite your deployment and make for a safer production operation. If a support plan is potentially of interest, you can schedule a call to chat about it at https://gluu.org/booking

By Justin Offett user 04 Mar 2020 at 2:28 p.m. CST

Thanks Michael! We are still at the evaluation phase, but will consider a support plan. So having mutual TLS enabled on the nginx didn't seem to have an effect on the problem. I've also enabled it on the apache server I have serving up the protected resource. While both these options prompt me for certs, it happens before selecting the Login button and no cert is passed in after that. It looks like the oxauth service is using a jetty server listening on 8080. Would that need to be set up for SSL as well? --Justin

By Mohib Zico staff 09 Mar 2020 at 2:24 a.m. CDT

Hi Justin, we prepared a video for the community on Cert AuthN configuration which is based on CE. I think first you can check how things work: https://www.youtube.com/watch?v=BcZb_nPOiNo&feature=youtu.be

By Justin Offett user 12 Mar 2020 at 11:20 a.m. CDT

Mohib, thank you very much for the link. I tried following the same steps you outline within the docker container and ended up with the same result: no prompt for user certs after selecting the "Login" button. I suspect this is due to the configuration of the oxauth within the docker example I was using. More specifically, I think the jetty server just wasn't configured for SSL client verification. I tried enabling that, but was met with errors from the oxTrust service. This may have been my fault though, as I've not worked with jetty much. I ended up abandoning the docker example and instead installed per the CentOS instructions. After following the steps in your video, I was presented with a certificate prompt and was able to successfully authenticate. Thank you both for your help!

By Michael Schwartz Account Admin 12 Mar 2020 at 11:51 a.m. CDT

You are probably right. BTW, oxAuth should never be Internet facing. There should be a web server like nginx, apache, haproxy, or envoy in front of it. And mutual TLS would be configured there.

By Justin Offett user 12 Mar 2020 at 12:12 p.m. CDT

Thanks Michael, that makes sense! We are fronting all calls with an apache configured to perform the mutual TLS, but despite sending the client cert info forward (or so I thought), the cert prompt never showed. Having said that, there could easily have been some misconfiguration between the fronting apache, the nginx reverse proxy, or the backend jetty server. Plenty of opportunities to drop that cert information. :)
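An nginx configuration for the setup discussed in this thread, added here as an example and not taken from the thread or from Gluu's documentation: the weak form (commented out) verifies the client certificate at the proxy but forwards nothing to oxAuth, which is exactly the "no cert was presented" symptom; the corrected form passes the certificate on. The upstream name oxauth:8080, the hostname, and the X-ClientCert header name are assumptions; the header name and PEM encoding have to match what the cert script actually reads.

```nginx
# Added example, not from the thread or Gluu's docs: nginx terminating TLS in
# front of oxAuth. Assumptions: oxAuth listens on oxauth:8080 inside the
# Docker network, the CA chain is /etc/certs/chain_cert.pem, and the cert
# script reads the forwarded PEM from a header named X-ClientCert.

# Weak: the client cert is requested and verified, but nothing reaches the
# backend, so oxauth_script.log still reports that no cert was presented.
# server {
#     listen 443 ssl;
#     ssl_certificate        /etc/certs/gluu_https.crt;
#     ssl_certificate_key    /etc/certs/gluu_https.key;
#     ssl_verify_client      optional;
#     ssl_client_certificate /etc/certs/chain_cert.pem;
#     location / { proxy_pass http://oxauth:8080; }
# }

server {
    listen 443 ssl;
    server_name gluu.example.org;              # placeholder hostname

    ssl_certificate        /etc/certs/gluu_https.crt;
    ssl_certificate_key    /etc/certs/gluu_https.key;

    # Request a client certificate on the TLS handshake but do not fail the
    # handshake when none is offered; oxAuth decides what to do with the result.
    ssl_verify_client      optional;
    ssl_client_certificate /etc/certs/chain_cert.pem;
    ssl_verify_depth       2;

    location / {
        proxy_pass http://oxauth:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;

        # proxy_set_header replaces any X-ClientCert header the client sent.
        # When no certificate was presented the value is empty and nginx drops
        # the header entirely, so an unauthenticated caller cannot smuggle a
        # forged certificate to the backend. The PEM is URL-escaped; the
        # receiving side must unescape it before parsing.
        proxy_set_header X-ClientCert $ssl_client_escaped_cert;
    }
}
```

Verify the handshake and the forwarded header together: a request with a CA-signed client certificate should produce an X-ClientCert value at the backend, and the same request carrying a hand-written X-ClientCert header but no TLS client certificate should arrive with no such header at all.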