Keyfactor/ejbca-ce

Authentication with client certificate fails during installation

RavilN opened this issue · 13 comments

Tried to run ejbca as a container. I can generate a client certificate and import it into the browser, but when I try to access ejbca/adminweb, authentication fails with the error:

Authorization Denied
No client certificate was presented
If you did not get prompted to select a client certificate, please check that you have the correct certificate.

Although it does prompt to select the certificate and I do select SuperAdmin certificate.

Tried to run the install multiple times, using different browsers. In Firefox the certificate failed to import. In Chrome and Edge the certificate is imported fine, but authentication fails.

Did you follow the basic tutorial, or have you made any custom configuration?
https://doc.primekey.com/ejbca/get-started-with-ejbca/try-out-ejbca-community-container

Yes, followed the tutorial, and repeated today again, the same result.
It asks to select a client certificate, I do select it, it shows that it was issued by ManagementCA, but then displays the message that authorization is denied, no certificate was presented.

I have port number mapped to host port 9443, can this make difference?

When you say you mapped it to port 9443, what do you mean?

Do you mean this?
docker run -it --rm -p 98080:8080 -p 9443:8443 -h localhost -e TLS_SETUP_ENABLED="true" keyfactor/ejbca-ce

In general that should make no difference.

Hi Team,
Still, this issue cannot be resolved.
No matter what I do with the generated client certificate for the super admin user (import it as a personal certificate, as a trusted root certificate, import the ManagementCA certificate which was used to sign it as a trusted root certificate), it is still not accepted by ejbca.
I also tried to install ejbca with the option TLS_SETUP_ENABLE=simple. In this case I can access ejbca without any authentication over an https connection. I then generated a client authentication certificate for SuperAdmin as described in the tutorial and modified the roles to include this certificate. But then there is no way to turn off the public access key token, because it continues to log in without authentication, and that member cannot be deleted as it is used by the current session. Then I tried to set the option web.requirecert to true in the web.properties file, and after that I cannot log in because the client certificate is still not recognized.

Update:
This time I was accessing ejbca via a cloudflare tunnel. When I tried to access it directly, authentication with the client certificate finally worked!

That is good. If you ever find out the technical reason why it didn't work your other ways I'm sure that would be interesting for the Community.

PS: making it easy to remove the public access token from superadmin role is something that is noticed and will be improved in the next feature release.

Oh, and it should actually be as easy as removing the Public Access Member from the Superadmin Role, as well as removing the Public Access Role.

I'm having this same issue. Following the tutorial, I get through step 6 (importing into browser) but identifying myself with the certificate fails. Wiped everything, started over, same thing. Tried in both Chrome and Firefox.

In Chrome, I see:
[image]

In Firefox, I get an interaction:
[image]

If I uncheck "Remember this decision" it just re-pops the "identify yourself" interaction. If I leave it checked, I get a page failure similar to Chrome.

Oh, too funny. I changed nothing but it's working now. ...in Firefox. But chrome is still hosed... Trying in Chromium...

Same thing as Chrome. And this is the first time I've tried with Chromium so I know it's fresh.

All the browsers are working now. With Firefox, nothing changed but time. For the other two, I used FF to finish step 7 in the tutorial and they were working afterward. Did that make the difference for them or was it just a matter of time there, too?

No idea.

One thing that depends on time is the certificate's validity start time. If ejbca is running on a different machine than the one where the browser runs, and if its clock is ahead, and if the generated certificate's start time was set to the current time, then the browser can consider it as not valid yet.
In my case, the reason was that ejbca was behind a proxy, and the proxy was not propagating the request to present the client certificate in the SSL handshake to the browser.
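The proxy explanation above can be confirmed from the command line: a browser only prompts for a certificate if the TLS endpoint it actually talks to sends a CertificateRequest, which `openssl s_client` reports as "Acceptable client certificate CA names". The script below is an added example for this thread, not code from the project or any participant; it assumes `openssl` is installed, and the host, port and the "O=" part of the ManagementCA subject are constructed placeholders.

```shell
#!/bin/sh
# Diagnose whether the TLS endpoint a browser reaches asks for a client
# certificate at all (added example; not part of the EJBCA project).

# Given captured `openssl s_client` output, return 0 if the server sent a
# CertificateRequest, 1 otherwise. A TLS-terminating proxy or tunnel that
# does not forward client-cert auth produces "No client certificate CA names sent".
server_requests_client_cert() {
  printf '%s\n' "$1" | grep -q '^Acceptable client certificate CA names'
}

# Print the CA names the server will accept client certificates from, one per
# line. The browser's SuperAdmin certificate must be issued by one of these
# (in the tutorial setup: ManagementCA), otherwise it is never offered.
accepted_ca_names() {
  printf '%s\n' "$1" | awk '
    /^Acceptable client certificate CA names/ { in_list = 1; next }
    in_list && (/^Client Certificate Types/ || /^Requested Signature/ || /^---/) { exit }
    in_list { print }
  '
}

# Probe a live endpoint, e.g. probe_endpoint localhost 9443, and explain the result.
# Run it once against the direct container port and once against the proxy
# hostname; a difference between the two is the symptom described in this thread.
probe_endpoint() {
  host="$1"; port="$2"
  out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1)
  if server_requests_client_cert "$out"; then
    echo "$host:$port requests a client certificate; accepted issuers:"
    accepted_ca_names "$out"
  else
    echo "$host:$port never asked for a client certificate (TLS terminated upstream?)"
  fi
}

[ $# -eq 2 ] && probe_endpoint "$1" "$2"
```

If the proxied hostname reports no CertificateRequest while the direct port lists ManagementCA, the fix is a TCP/TLS passthrough (or direct access), not anything in the browser's certificate store.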