Traefik should prompt for MTLs client certificates in the browser #10643
Comments
Hi @Daniel-dev22, thanks for your contribution :). This is an interesting proposal, let's see what the community thinks about it, and depending on the feedback, we might implement an enhancement in the future.
Everything works fine for me with v2.11. You probably have the certificate set incorrectly and need to set it to the intermediate CA that issued the client certificate.
Can you share your MTLs configuration? Are you requiring and verifying the certificate? MTLs works for me but doesn't prompt in the browser. I have traefik communicating to another host running traefik and passing MTLs, and it works. But if I try to go to that endpoint in the browser it doesn't prompt, so I get the certificate verify failed error in the browser.
This part of the configuration looks like this:

```yaml
tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
    cert:
      minVersion: VersionTLS12
      sniStrict: true
      clientAuth:
        clientAuthType: RequireAndVerifyClientCert
        caFiles:
          - /etc/traefik/cert/device.ca.crt
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
    http:
      tls:
        options: cert
        certresolver: letsencrypt
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
      middlewares:
        - gzip
http:
  routers:
    foo:
      rule: Host(`example.com`)
      entryPoints: https
      service: foo
  services:
    foo:
      loadBalancer:
        servers:
          - url: "http://server-foo:80"
```
Not sure how I could have it set up incorrectly; my server side has: This works where 1 traefik instance successfully communicates to the server side over MTLs. So I would assume if that works but the browser doesn't prompt it's set up partially correctly? What does your ca.crt look like? Is there a difference between that and a ca.pem? I have the ca certificate inside the ca.pem and that's it.
Client side has:
Certificate chain: device.ca.crt looks like this:
I think that's probably the difference. I don't have a device.ca, I just have client.crt. Is the device.ca something you added to the traefik config or the actual client certificate store? Curious why this works for me with Cloudflare and I never added anything to the device certificate store other than the client certificate. Edit...
Yep, that was it. Just added the client key and client cert into a p12 and installed it on the client, and it works now. I'm getting a prompt. Thank you for the sanity check @Scribing, this can be closed now.
👏
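The mechanism behind the fix above, as an added example that is not from the issue or from Traefik: a server configured for RequireAndVerifyClientCert always sends a CertificateRequest naming its trusted CA, a browser prompts only when it holds a certificate issued by that CA, and a client with none answers with an empty Certificate message, which the server rejects (the browser surfaces that as ERR_BAD_SSL_CLIENT_AUTH_CERT). Go's standard library stands in for Traefik, and the CA name, hostname and certificates are constructed in memory as stand-ins for device.ca.crt and the real files.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue mints a P-256 certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{"example.com"},
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { parent, pkey = tmpl, key } // self-signed root: the constructed stand-in for device.ca.crt
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Handshake runs one TLS 1.2 mTLS handshake over loopback. The server trusts a single CA (what Traefik
// loads from caFiles) and demands a client certificate. present=false models a browser holding no
// certificate from that CA: it answers the CertificateRequest with an empty Certificate message.
func Handshake(present bool) (serverErr, clientErr error) {
	ca, caKey := issue("Device CA", true, nil, nil)
	srv, srvKey := issue("example.com", false, ca, caKey)
	cli, cliKey := issue("device-1", false, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, MaxVersion: tls.VersionTLS12,
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}}}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "example.com", MaxVersion: tls.VersionTLS12}
	// With present=true the client holds the cert and key a user would install in the browser from a .p12.
	if present { cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}} }
	ln, _ := net.Listen("tcp", "127.0.0.1:0") // Listen/Dial errors elided for brevity
	conn, _ := net.Dial("tcp", ln.Addr().String())
	defer func() { conn.Close(); ln.Close() }()
	done := make(chan error, 1)
	go func() { c, _ := ln.Accept(); done <- tls.Server(c, srvCfg).Handshake() }()
	clientErr = tls.Client(conn, cliCfg).Handshake()
	return <-done, clientErr
}
```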
Welcome!
What did you expect to see?
When using `RequireAndVerifyClientCert`, traefik doesn't request the certificate from clients such as in the browser. I'm not sure if `RequestClientCert` would work to trigger a browser prompt, but it's not something I would even consider using because `RequestClientCert` doesn't require and verify certificates. It simply lets you provide anything or nothing, which defeats the purpose of MTLs authentication in my opinion. Cloudflare for example properly does MTLs prompts, and if the client certificate is not provided/not verified you can block the client from accessing the resource. Cloudflare isn't the only service that implements this correctly.
A quick Google search for "browser MTLs prompt" will show what I'm referring to.
Traefik never prompts for a certificate, resulting in it failing with `ERR_BAD_SSL_CLIENT_AUTH_CERT`.
Similar issues have been posted in the past; however, for some reason this still hasn't been implemented, essentially limiting MTLs to server-to-server communication vs also being compatible with clients such as end user devices.
It's surprisingly hard to find how Cloudflare even does this.
Not sure this is the same thing as the server requesting this, since this seems more frontend related, and what Cloudflare and others do is not frontend related; it happens before the frontend connection even occurs.
https://www.electronjs.org/docs/latest/api/app#event-select-client-certificate
Here's how the prompt looks.