nextcloud/desktop

Client certificate authentication fails

Closed this issue · 4 comments

Evire commented

Expected behaviour

A client certificate is generated and works correctly when visiting Nextcloud in Firefox and Chrome.
I expect to be able to use a client certificate for the Nextcloud desktop client too.

Actual behaviour

Client certificate authentication works in the browser.

The desktop client fails after selecting the p12 certificate upon being prompted:
This site can’t provide a secure connection nextcloud.domain didn’t accept your login certificate, or one may not have been provided. Try contacting the system admin. ERR_BAD_SSL_CLIENT_AUTH_CERT

Steps to reproduce

  1. Set up Nextcloud in Apache
  2. Enable client certificate authentication in Apache
  3. Try to log in using a desktop client.

Client configuration Linux

Client version: Version 2.5.1final (build 20181204)

Operating system: Ubuntu 18.04.2

OS language: English

Qt version used by client package (Linux only, see also Settings dialog): Qt 5.11.0

Client package (From Nextcloud or distro) (Linux only): AppImage

Client configuration Windows

Client version: Version 2.5.1

Operating system: Windows 10 1809

OS language: English

Server configuration

Operating system: Raspbian GNU/Linux 9.8 (stretch)

Web server: Apache/2.4.25 (Raspbian)

Database: mysql Ver 15.1 Distrib 10.1.37-MariaDB, for debian-linux-gnueabihf (armv8l) using readline 5.2

PHP version: PHP 7.0.33-0+deb9u3

Nextcloud version: 15.0.6

Logs

  1. Client logfile: https://gist.github.com/Evire/f4eb5cd5f112e79b3e0cd9c6d4c28813

Could you try the latest version 2.5.2 or 2.5.3rc1? Thanks.

Evire commented

Hi, sorry for the late response.
I've tried with Nextcloud-2.5.3.20190609-daily-x86_64.AppImage and got the same result.

Same result here -- looking at the server logs it seems that NC tries to access /index.php/login/flow without actually using the certificate.

The requests we have logged from the desktop client are:
GET /status.php HTTP/2.0 (with certificate)
GET /remote.php/webdav/ HTTP/2.0 (with certificate)
PROPFIND /remote.php/webdav/ HTTP/2.0 (with certificate)
GET /index.php/login/flow HTTP/2.0 (no certificate is sent)
GET /favicon.ico HTTP/2.0 (no certificate is sent -- is this the web view?)

In our case the service is restricted to X509 client certificates (required at the web server).
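
The pattern reported in the comment above (certificate sent for /status.php and the WebDAV requests, none for /index.php/login/flow) can be pulled out of an Apache access log automatically. This is an added example, not part of the thread or of Nextcloud's code. It assumes a custom LogFormat built on mod_ssl's `%{SSL_CLIENT_VERIFY}x` and `%{SSL_CLIENT_S_DN}x`, and `SSLVerifyClient optional` with access denied by authorization so that certificate-less requests still reach the log; the log lines, IP address, DN and status codes are constructed.

```python
import re
from collections import defaultdict

# Assumed Apache LogFormat (not from the thread), using mod_ssl's %{VAR}x:
#   LogFormat "%h \"%r\" %>s verify=%{SSL_CLIENT_VERIFY}x dn=\"%{SSL_CLIENT_S_DN}x\"" certlog
LINE_RE = re.compile(
    r'^(?P<host>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) verify=(?P<verify>.*?) dn="(?P<dn>[^"]*)"$'
)

# Constructed sample lines mirroring the request sequence reported above.
SAMPLE_LOG = """\
192.0.2.10 "GET /status.php HTTP/2.0" 200 verify=SUCCESS dn="CN=desktop-user"
192.0.2.10 "GET /remote.php/webdav/ HTTP/2.0" 401 verify=SUCCESS dn="CN=desktop-user"
192.0.2.10 "PROPFIND /remote.php/webdav/ HTTP/2.0" 401 verify=SUCCESS dn="CN=desktop-user"
192.0.2.10 "GET /index.php/login/flow HTTP/2.0" 403 verify=NONE dn="-"
192.0.2.10 "GET /favicon.ico HTTP/2.0" 403 verify=NONE dn="-"
"""


def requests_without_cert(log_text):
    """Return {client_ip: [(method, path, status), ...]} for requests that
    arrived without a verified client certificate, restricted to clients that
    did present one on some other request. That combination points at a
    second TLS stack in the same application (for example an embedded web
    view) rather than at a user who simply has no certificate."""
    with_cert = set()
    without_cert = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line is in some other log format; ignore it
        if m["verify"] == "SUCCESS":
            with_cert.add(m["host"])
        else:
            # NONE, GENEROUS and FAILED:reason all count as "not verified"
            without_cert[m["host"]].append(
                (m["method"], m["path"], int(m["status"]))
            )
    return {ip: reqs for ip, reqs in without_cert.items() if ip in with_cert}


if __name__ == "__main__":
    for ip, reqs in requests_without_cert(SAMPLE_LOG).items():
        for method, path, status in reqs:
            print(f"{ip} sent no client certificate: {method} {path} -> {status}")
```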

Client certificates have been fixed in our recent 2.6 release, you may get it here:
https://nextcloud.com/install/#install-clients