Traefik should prompt for MTLs client certificates in the browser about traefik HOT 9 CLOSED

Hi @Daniel-dev22, thanks for your contribution :). This is an interesting proposal, let's see what the community thinks about it, and depending on the feedback, we might implement an enhancement in the future.

from traefik.

Everything works fine for me with v2.11. You probably have the certificate set incorrectly and need to set it to the intermediate CA that issued the client certificate.

from traefik.

Everything works fine for me with v2.11. You probably have the certificate set incorrectly and need to set it to the intermediate CA that issued the client certificate.

Can you share your MTLs configuration? Are you requiring and verifying the certificate?

MTLs works for me but doesn't prompt in the browser. I have traefik communicFing to another host running traefik and passing MTLs and it works. But if I try to go to that endpoint in the browser it doesn't prompt so I get the certificate verify failed error in the browser.

from traefik.

Everything works fine for me with v2.11. You probably have the certificate set incorrectly and need to set it to the intermediate CA that issued the client certificate.

Can you share your MTLs configuration? Are you requiring and verifying the certificate?

MTLs works for me but doesn't prompt in the browser. I have traefik communicFing to another host running traefik and passing MTLs and it works. But if I try to go to that endpoint in the browser it doesn't prompt so I get the certificate verify failed error in the browser.

This part of the configuration looks like this:

tls:
    options:
        default:
            minVersion: VersionTLS12
            sniStrict: true
          
        cert:
            minVersion: VersionTLS12
            sniStrict: true
            clientAuth:
                clientAuthType: RequireAndVerifyClientCert
                caFiles:
                   - /etc/traefik/cert/device.ca.crt
             
entryPoints:
    http:
        address: ":80"
    https:
        address: ":443"
        http:
            tls:
                options: cert
                certresolver: letsencrypt
                domains:
                  - main: "example.com"
                    sans:
                      - "*.example.com"
            middlewares:
               - gzip

http:
    routers: 
        foo:
            rule: Host(`example.com`) 
            entryPoints: https
            service: foo

    services: 
        foo:
          loadBalancer:
            servers:
              - url: "http://server-foo:80"

It works fine on Chrome and other mobile browsers:

from traefik.

Everything works fine for me with v2.11. You probably have the certificate set incorrectly and need to set it to the intermediate CA that issued the client certificate.

Can you share your MTLs configuration? Are you requiring and verifying the certificate?

MTLs works for me but doesn't prompt in the browser. I have traefik communicFing to another host running traefik and passing MTLs and it works. But if I try to go to that endpoint in the browser it doesn't prompt so I get the certificate verify failed error in the browser.

This part of the configuration looks like this:

tls:
    options:
        default:
            minVersion: VersionTLS12
            sniStrict: true
          
        cert:
            minVersion: VersionTLS12
            sniStrict: true
            clientAuth:
                clientAuthType: RequireAndVerifyClientCert
                caFiles:
                   - /etc/traefik/cert/device.ca.crt
             
entryPoints:
    http:
        address: ":80"
    https:
        address: ":443"
        http:
            tls:
                options: cert
                certresolver: letsencrypt
                domains:
                  - main: "example.com"
                    sans:
                      - "*.example.com"
            middlewares:
               - gzip

http:
    routers: 
        foo:
            rule: Host(`example.com`) 
            entryPoints: https
            service: foo

    services: 
        foo:
          loadBalancer:
            servers:
              - url: "http://server-foo:80"

It works fine on Chrome and other mobile browsers:

Not sure how I could have it setup incorrectly my server side has. This works where 1 traefik instance successfully communicates to the server side over MTLs. So I would assume if that works but the browser doesn't prompt it's setup partially correct? What does your ca.crt look like? Is there a difference between that and a ca.pem? I have the ca certificate inside the ca.pem and that's it.

tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: le
        domain:
          main: domain.net
  options:
    mtls-tunnel:
      clientAuth:
        # in PEM format. each file can contain multiple CAs.
        caFiles:
          - /etc/traefik/mtls/ca.pem
        clientAuthType: RequireAndVerifyClientCert

Client side has

http:
    mtls:
     certificates:
       - certFile: /etc/traefik/mtls/client.pem
         keyFile: /etc/traefik/mtls/client-key.pem

from traefik.

What does your ca.crt look like? Is there a difference between that and a ca.pem? I have the ca certificate inside the ca.pem and that's it.

Certificate chain:
root.ca --- signed --> device.ca --- signed --> client.crt

device.ca.crt looks like this:
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----

from traefik.

What does your ca.crt look like? Is there a difference between that and a ca.pem? I have the ca certificate inside the ca.pem and that's it.

Certificate chain:
root.ca --- signed --> device.ca --- signed --> client.crt

device.ca.crt looks like this:
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----

I think that's probably the difference. I don't have a device.ca I just have client.crt is the device.ca something you added to traefik config or the actual client certificate store?

Curious why this works for me with Cloudflare and I never added anything to the device certificate store other than the client certificate.

Edit...
I think the reason I'm not getting prompted is because I didn't do exactly that I didn't add the traefik client cert to my device certificate store.. going to convert it to a p12 for Android and try that.

from traefik.

What does your ca.crt look like? Is there a difference between that and a ca.pem? I have the ca certificate inside the ca.pem and that's it.

Certificate chain:
root.ca --- signed --> device.ca --- signed --> client.crt

device.ca.crt looks like this:
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----

I think that's probably the difference. I don't have a device.ca I just have client.crt is the device.ca something you added to traefik config or the actual client certificate store?

Curious why this works for me with Cloudflare and I never added anything to the device certificate store other than the client certificate.

Edit...
I think the reason I'm not getting prompted is because I didn't do exactly that I didn't add the traefik client cert to my device certificate store.. going to convert it to a p12 for Android and try that.

Yep that was it. Just added the client key and client cert into a p12 and installed on the client and it works now. I'm getting a prompt. Thank you for the sanity check @Scribing this can be closed now.

from traefik.

Just added the client key and client cert into a p12 and installed on the client and it works now.

👏

from traefik.