Traefik should prompt for MTLs client certificates in the browser

[Daniel-dev22]

Welcome!

• Yes, I've searched similar issues on GitHub and didn't find any.
• Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you expect to see?

When using RequireAndVerifyClientCert traefik doesn't request the certificate from clients such as in the browser.

I'm not sure if RequestClientCert would work to trigger a browser prompt but it's not something I would even consider using because RequestClientCert doesn't require and # verify certificates. It simply lets you provide anything or nothing which defeats the purpose of MTLs authentication in my opinion.

Cloudflare for example properly does MTLs prompts and if the client certificate is not provided/not verified you can block the client from accessing the resource. Cloudflare isn't the only service that implements this correctly.

A quick Google search for "browser MTLs prompt" will show what I'm referring to.

Traefik never prompts for a certificate resulting in it failing with ERR_BAD_SSL_CLIENT_AUTH_CERT

Similar issues have been posted in the past however for some reason this still hasn't been implemented. Essentially limiting MTLs to server to server communication vs also being compatible with clients such as end user devices.

It's surprisingly hard to find how Cloudflare even does this.

Not sure this is the same thing as the server requesting this since this seems more frontend related and what Cloudflare and others do is not frontend related it happens before frontend connection even occurs.
https://www.electronjs.org/docs/latest/api/app#event-select-client-certificate

Here's how the prompt looks.

[emilevauge]

Hi @Daniel-dev22, thanks for your contribution :). This is an interesting proposal, let's see what the community thinks about it, and depending on the feedback, we might implement an enhancement in the future.

[Scribing]

Everything works fine for me with v2.11. You probably have the certificate set incorrectly and need to set it to the intermediate CA that issued the client certificate.

[Daniel-dev22]

Everything works fine for me with v2.11. You probably have the certificate set incorrectly and need to set it to the intermediate CA that issued the client certificate.

Can you share your MTLs configuration? Are you requiring and verifying the certificate?

MTLs works for me but doesn't prompt in the browser. I have traefik communicFing to another host running traefik and passing MTLs and it works. But if I try to go to that endpoint in the browser it doesn't prompt so I get the certificate verify failed error in the browser.

[Scribing]

Everything works fine for me with v2.11. You probably have the certificate set incorrectly and need to set it to the intermediate CA that issued the client certificate.

Can you share your MTLs configuration? Are you requiring and verifying the certificate?

MTLs works for me but doesn't prompt in the browser. I have traefik communicFing to another host running traefik and passing MTLs and it works. But if I try to go to that endpoint in the browser it doesn't prompt so I get the certificate verify failed error in the browser.

This part of the configuration looks like this:

tls:
    options:
        default:
            minVersion: VersionTLS12
            sniStrict: true
          
        cert:
            minVersion: VersionTLS12
            sniStrict: true
            clientAuth:
                clientAuthType: RequireAndVerifyClientCert
                caFiles:
                   - /etc/traefik/cert/device.ca.crt
             
entryPoints:
    http:
        address: ":80"
    https:
        address: ":443"
        http:
            tls:
                options: cert
                certresolver: letsencrypt
                domains:
                  - main: "example.com"
                    sans:
                      - "*.example.com"
            middlewares:
               - gzip

http:
    routers: 
        foo:
            rule: Host(`example.com`) 
            entryPoints: https
            service: foo

    services: 
        foo:
          loadBalancer:
            servers:
              - url: "http://server-foo:80"

It works fine on Chrome and other mobile browsers:

[Daniel-dev22]

Everything works fine for me with v2.11. You probably have the certificate set incorrectly and need to set it to the intermediate CA that issued the client certificate.

Can you share your MTLs configuration? Are you requiring and verifying the certificate?

MTLs works for me but doesn't prompt in the browser. I have traefik communicFing to another host running traefik and passing MTLs and it works. But if I try to go to that endpoint in the browser it doesn't prompt so I get the certificate verify failed error in the browser.

This part of the configuration looks like this:

tls:
    options:
        default:
            minVersion: VersionTLS12
            sniStrict: true
          
        cert:
            minVersion: VersionTLS12
            sniStrict: true
            clientAuth:
                clientAuthType: RequireAndVerifyClientCert
                caFiles:
                   - /etc/traefik/cert/device.ca.crt
             
entryPoints:
    http:
        address: ":80"
    https:
        address: ":443"
        http:
            tls:
                options: cert
                certresolver: letsencrypt
                domains:
                  - main: "example.com"
                    sans:
                      - "*.example.com"
            middlewares:
               - gzip

http:
    routers: 
        foo:
            rule: Host(`example.com`) 
            entryPoints: https
            service: foo

    services: 
        foo:
          loadBalancer:
            servers:
              - url: "http://server-foo:80"

It works fine on Chrome and other mobile browsers:

Not sure how I could have it setup incorrectly my server side has. This works where 1 traefik instance successfully communicates to the server side over MTLs. So I would assume if that works but the browser doesn't prompt it's setup partially correct? What does your ca.crt look like? Is there a difference between that and a ca.pem? I have the ca certificate inside the ca.pem and that's it.

tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: le
        domain:
          main: domain.net
  options:
    mtls-tunnel:
      clientAuth:
        # in PEM format. each file can contain multiple CAs.
        caFiles:
          - /etc/traefik/mtls/ca.pem
        clientAuthType: RequireAndVerifyClientCert

Client side has

http:
    mtls:
     certificates:
       - certFile: /etc/traefik/mtls/client.pem
         keyFile: /etc/traefik/mtls/client-key.pem

[Scribing]

What does your ca.crt look like? Is there a difference between that and a ca.pem? I have the ca certificate inside the ca.pem and that's it.

Certificate chain:
root.ca --- signed --> device.ca --- signed --> client.crt

device.ca.crt looks like this:
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----

[Daniel-dev22]

What does your ca.crt look like? Is there a difference between that and a ca.pem? I have the ca certificate inside the ca.pem and that's it.

Certificate chain:
root.ca --- signed --> device.ca --- signed --> client.crt

device.ca.crt looks like this:
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----

I think that's probably the difference. I don't have a device.ca I just have client.crt is the device.ca something you added to traefik config or the actual client certificate store?

Curious why this works for me with Cloudflare and I never added anything to the device certificate store other than the client certificate.

Edit...
I think the reason I'm not getting prompted is because I didn't do exactly that I didn't add the traefik client cert to my device certificate store.. going to convert it to a p12 for Android and try that.

[Daniel-dev22]

What does your ca.crt look like? Is there a difference between that and a ca.pem? I have the ca certificate inside the ca.pem and that's it.

Certificate chain:
root.ca --- signed --> device.ca --- signed --> client.crt

device.ca.crt looks like this:
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----

I think that's probably the difference. I don't have a device.ca I just have client.crt is the device.ca something you added to traefik config or the actual client certificate store?

Curious why this works for me with Cloudflare and I never added anything to the device certificate store other than the client certificate.

Edit...
I think the reason I'm not getting prompted is because I didn't do exactly that I didn't add the traefik client cert to my device certificate store.. going to convert it to a p12 for Android and try that.

Yep that was it. Just added the client key and client cert into a p12 and installed on the client and it works now. I'm getting a prompt. Thank you for the sanity check @Scribing this can be closed now.

[Scribing]

Just added the client key and client cert into a p12 and installed on the client and it works now.

👏