Login with an SSL certificate: registered, no login

Support requests, bug reports, etc. go here. Dedicated servers / VDS hosting only
joshp
Bear Rating Disaster
Posts: 50
Joined: 31 Mar 2011, 11:31

Login with an SSL certificate: registered, no login

Post by joshp » 17 May 2016, 02:30

So, already running server-side SSL using Let's Encrypt certificates, I began playing around with client-side SSL in Apache. I created a CA cert with OpenSSL and signed a client key/cert for use in Chromium/Android, etc. I configured a vhost that is set up with server-side SSL from Let's Encrypt to require a valid client-side cert signed by the custom CA in order to access content. Everything went well, so I moved to apply this to my TTRss vhost.

I put this in my virtual host config file:


<VirtualHost my.ip.address:443>

   # SERVER SIDE SSL SETTINGS
   Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
   SSLEngine on
   SSLProtocol all -SSLv2 -SSLv3
   SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
   SSLHonorCipherOrder on
   SSLCompression off
   ServerSignature Off
   AcceptPathInfo Off
   AddOutputFilterByType DEFLATE text/html text/plain text/xml application/pdf
   AddDefaultCharset UTF-8
   SSLOptions +StrictRequire

   SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.com/privkey.pem
   SSLCertificateFile /etc/letsencrypt/live/my.domain.com/cert.pem
   SSLCertificateChainFile /etc/letsencrypt/live/my.domain.com/chain.pem

   # CLIENT SIDE CERTIFICATE SETTINGS
   SSLVerifyClient optional
   SSLVerifyDepth 10
   SSLOptions +StdEnvVars +ExportCertData
   SSLCACertificateFile /home/USER/path/to/Custom_CA-cacert.pem

   # VHOST SETTINGS
   ServerName my.domain.com
   DocumentRoot /var/www/ttrss/
   <Directory /var/www/ttrss/>
      Options +FollowSymLinks
      AllowOverride All
      Order allow,deny
      Allow from all
   </Directory>

   ErrorLog /var/log/apache2/error-ttrss.log

   # Possible values include: debug, info, notice, warn, error, crit,
   # alert, emerg.
   LogLevel debug
</VirtualHost>


This resulted in the ability to register my client certificate with TTRss. When I log out and restart Chrome I am prompted to associate my certificate with the VHOST, but then TTRss still asks me for a password. There is nothing in the error-ttrss.log (that I can identify) that gives me any clue.

How should I move forward from here?

JustAMacUser
Bear Rating Overlord
Posts: 373
Joined: 20 Aug 2013, 23:13

Re: Login with an SSL certificate: registered, no login

Post by JustAMacUser » 17 May 2016, 05:33

You need to enable the auth_remote plugin. It's a system plugin and must be enabled in config.php.
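
What an application behind the vhost above has to check before it trusts the certificate identity that mod_ssl hands it (an added illustration in Python, not tt-rss's or Apache's code): with `SSLVerifyClient optional`, requests that presented no certificate still reach the application, so `SSL_CLIENT_VERIFY` must be `SUCCESS` before any `SSL_CLIENT_*` field counts as a login. The variable names are mod_ssl's; the function names, hashing scheme and sample environments are this example's own.

```python
import hashlib

# Variables mod_ssl exports when the vhost has "SSLOptions +StdEnvVars".
VERIFY = "SSL_CLIENT_VERIFY"
IDENTITY_FIELDS = ("SSL_CLIENT_I_DN", "SSL_CLIENT_M_SERIAL", "SSL_CLIENT_S_DN")


def ssl_var(environ, name):
    """Read a mod_ssl variable, also under the REDIRECT_ prefix Apache adds
    when the request passed through an internal redirect (mod_rewrite etc.)."""
    return environ.get(name) or environ.get("REDIRECT_" + name)


def client_cert_id(environ):
    """Return a stable id for a verified client certificate, or None.

    With "SSLVerifyClient optional" requests that carried no certificate still
    reach the application, with SSL_CLIENT_VERIFY=NONE, so the status must be
    checked before any SSL_CLIENT_* field is trusted. The id binds issuer DN
    and serial, not just the subject CN, so two certs with the same CN differ.
    (The hashing scheme is this example's own choice, not tt-rss's.)
    """
    if ssl_var(environ, VERIFY) != "SUCCESS":
        return None
    parts = [ssl_var(environ, f) for f in IDENTITY_FIELDS]
    if not all(parts):
        return None
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()


# Constructed sample environments, shaped like what mod_ssl exports.
VERIFIED = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN": "CN=Custom_CA,O=Home",
    "SSL_CLIENT_M_SERIAL": "1002",
    "SSL_CLIENT_S_DN": "CN=joshp,O=Home",
}
NO_CERT = {"SSL_CLIENT_VERIFY": "NONE"}  # TLS session without a client cert
# Request headers reach CGI/PHP only as HTTP_* variables, so they can never
# populate SSL_CLIENT_*; an application must not read the HTTP_ variants.
HEADER_ONLY = {"HTTP_SSL_CLIENT_VERIFY": "SUCCESS", "HTTP_SSL_CLIENT_S_DN": "CN=joshp"}
REDIRECTED = {"REDIRECT_" + k: v for k, v in VERIFIED.items()}

if __name__ == "__main__":
    print(client_cert_id(VERIFIED))
    print(client_cert_id(NO_CERT), client_cert_id(HEADER_ONLY))
```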

joshp
Bear Rating Disaster
Posts: 50
Joined: 31 Mar 2011, 11:31

Re: Login with an SSL certificate: registered, no login

Post by joshp » 18 May 2016, 04:13

Thanks. Works like a charm.

joshp
Bear Rating Disaster
Posts: 50
Joined: 31 Mar 2011, 11:31

Re: Login with an SSL certificate: registered, no login

Post by joshp » 18 May 2016, 07:59

A little tidbit I thought I would share for Chrome/Chromium users on Linux.

I got pretty annoyed at the popup that kept coming at me asking me to select a certificate to authenticate to tt-rss with; it seemed to kind of defeat the purpose. So I found this bit on adding the AutoSelectCertificateForUrls policy to Chrome.

Just create the file /etc/chromium-browser/policies/managed/cert-autoload.json with the contents


{
   "AutoSelectCertificateForUrls": [
      "{\"pattern\":\"https://EXAMPLE.DOMAIN.COM\",\"filter\":{\"ISSUER\":{\"CN\":\"YOUR_CA\"}}}",
      "{\"pattern\":\"https://DOMAIN.COM\",\"filter\":{\"ISSUER\":{\"CN\":\"YOUR_CA\"}}}"
   ]
}


replacing the obvious EXAMPLE.DOMAIN.COM and YOUR_CA with your own values. The example above shows how to incorporate more than one rule into the policy. The link provided should make it fairly easy to figure out how to change this up for Chrome rather than Chromium, and for Mac/Windows, etc.

Using this there is never a need to log in or authenticate against tt-rss in any way from the machine that has this cert loaded and policy set, for as long as your cert is valid.
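
The same policy file built programmatically, as an added example that is not from the post or from Chromium: each rule is a JSON document stored as a string inside the outer JSON list, which is why the hand-written file above is full of escaped quotes, and a strict parse catches the trailing comma that is easy to leave behind when editing it by hand. The policy key and the rule fields (pattern, filter, ISSUER, CN) are Chromium's; the function names are this example's own.

```python
import json

# Added helper, not from the post or from Chromium. Chromium stores each
# AutoSelectCertificateForUrls rule as a JSON *string* inside the outer JSON
# list, hence the double encoding below.


def build_rule(pattern, issuer_cn):
    """One rule: URL pattern plus a filter on the issuing CA's CN, as a string."""
    rule = {"pattern": pattern, "filter": {"ISSUER": {"CN": issuer_cn}}}
    return json.dumps(rule, separators=(",", ":"))


def build_policy(rules):
    """File content for /etc/chromium-browser/policies/managed/<name>.json,
    built from a list of (pattern, issuer_cn) pairs."""
    policy = {"AutoSelectCertificateForUrls": [build_rule(p, cn) for p, cn in rules]}
    return json.dumps(policy, indent=2) + "\n"


def parse_policy(text):
    """Decode the file and each embedded rule. Strict JSON parsing raises on
    mistakes such as a trailing comma after the list."""
    outer = json.loads(text)
    return [json.loads(rule) for rule in outer["AutoSelectCertificateForUrls"]]


# Constructed sample: the two hostname forms and the CA placeholder from the post.
SAMPLE_RULES = [
    ("https://EXAMPLE.DOMAIN.COM", "YOUR_CA"),
    ("https://DOMAIN.COM", "YOUR_CA"),
]

if __name__ == "__main__":
    print(build_policy(SAMPLE_RULES))
```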

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Login with an SSL certificate: registered, no login

Post by fox » 18 May 2016, 08:36

this would be good to have as a separate thread in KB I think

joshp
Bear Rating Disaster
Posts: 50
Joined: 31 Mar 2011, 11:31

Re: Login with an SSL certificate: registered, no login

Post by joshp » 25 May 2016, 02:21

fox wrote: this would be good to have as a separate thread in KB I think

Ok,