Apache2 addition of strong authentificaion (with client certificate) with conf and letencrypt certificate

hello everyone,

I have a problem. I would like to add the client authentication with the conf and the certificates generated by the encrypt but it does not work either the certificate is not requested or it is rejected.

I tried to look on the forum for an equivalent subject but without success.

I generated the certificate via openssl and even adding the SSLCA … File / Path this does not work

I thought I read on some forum that adding authentication via client certification with letencrypt was not working.
Otherwise, do you have an example of a conf that seems to work.
Whether it’s in DocumentRoot or a directory I can’t get it to work, previously via a self-signed certificate it worked

My conf apache2 =>

....
            SSLCipherSuite HIGH:!aNULL:!MD5
            SSLHonorCipherOrder on

            SSLEngine on
            SSLVerifyClient none
            Include /etc/letsencrypt/options-ssl-apache.conf
            SSLCertificateFile /etc/letsencrypt/live/xxxxxx.fr/fullchain.pem
            SSLCertificateKeyFile /etc/letsencrypt/live/xxxxxx.fr/privkey.pem
            SSLCertificateChainFile /etc/letsencrypt/live/xxxxxx.fr/chain.pem

            Redirect  "/git-repository/""https://xxxxxx.fr/cgit"

----------------------------------- CGIT ------------------------------------------------#

            ScriptAlias /cgit/ "/usr/lib/cgit/cgit.cgi/"
            RedirectMatch ^/cgit$ /cgit/
            Alias /cgit-css "/usr/share/cgit/"
            <Directory "/usr/lib/cgit/">
                SSLRequireSSL
                SSLOptions +StrictRequire
                Satisfy any
                SSLVerifyClient require
                Options ExecCGI FollowSymlinks
            </Directory>

Thanks in advance

1 Like

This is contradictory to:

Because you can’t generate a Let’s Encrypt certificate with OpenSSL.

Also:

This disables client authentication.

Well, that’s rather mandatory for client authentication to work. You’ve probably used it when you previously used your self-signed certificate?

It could work (i.e., technically possible), but it’s highly unusual to use domain validation certificates for this usage.

In any case, I think there is enough missing and/or contradictory information to give any precise advice.

1 Like

Hello
I misspoke, sorry my english is not correct, to clarify:

  • Because you can’t generate a Let’s Encrypt certificate with OpenSSL.

I generate the certificat with cerbot, then I generate a certicate with client by openssl

openssl genrsa -out xxxxxxx.key 2048
openssl req -new -key xxxxxxx.key -out xxxxxxx.csr -subj ${subjetclient}
openssl x509 -req -in xxxxxxx.csr -CA /etc/letsencrypt/live/xxxxxxx.fr/fullchain.pem -CAkey /etc/letsencrypt/live/xxxxxxx.fr/privkey.pem -CAcreateserial -out ./xxxxxxx.crt -days 3650
openssl pkcs12 -export -in xxxxxxx.crt -inkey xxxxxxx.key -out xxxxxxx.p12 -name “client certificate”
openssl pkcs12 -info -in xxxxxxx.p12
openssl rsa -in xxxxxxx.key -passin pass:xxxxxxx -pubout -out xxxxxxx.public.key

  • SSLVerifyClient none

To apache2 doc you can force clients to authenticate using certificates for a particular URL, but still allow any anonymous client to access the rest of the server.


SSLEngine on
SSLVerifyClient none
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/xxxxxx.fr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xxxxxx.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/xxxxxx.fr/chain.pem
SSLCACertificateFile /etc/apache2/cert_trustclient/xxxxxx.crt

<Directory “/usr/lib/cgit/”>
SSLRequireSSL
SSLOptions +StrictRequire
Satisfy any
SSLVerifyClient require
Options ExecCGI FollowSymlinks

1 Like

It seems you are trying to use the LE provided DA cert (your “client cert”) as a trusted CA to authorize similar “client certs”.
That is not possible, your LE cert would have had to be given Intermediate CA rights [which will never happen].

1 Like

For completeness: Let’s Encrypts end leaf certificates (and all other CA’s) have the following flag:

        X509v3 Basic Constraints: critical
            CA:FALSE

This would break the chain if this cert was used to sign another certificate.

However, while you can’t use the LE certs to sign other certs, you can use the LE certs directly as a client certificate as they have the X509v3 Extended Key Usage also set for TLS Web Client Authentication. One could for example make a special subdomain user and have a separate subdomain under that subdomain for every user. I.e., koalas.user.example.com or rg305.user.example.com or osiris.user.example.com. Of course these certs would also need to be renewed within every 90 days.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.