Client_auth certificates generation

1. Caddy version (caddy version):

2.4.6

2. How I run Caddy:

a. System environment:

Linux vps-9f6b784f 5.11.0-41-generic (Ubuntu 21.04)
Install from package (apt install…)

b. Command:

No command. systemctl does the trick itself.

c. Service/unit/compose file:


d. My complete Caddyfile or JSON config:

:80 {
        basicauth * {
                XX password
        }
        root * /var/www/html
        file_server
        encode zstd gzip
        php_fastcgi unix//run/php/php8.1-fpm.sock
        header {
                X-Xss-Protection "1; mode=block"
                X-Content-Type-Options "nosniff"
                X-Frame-Options "DENY"
                Content-Security-Policy "default-src 'self'; object-src 'self'; base-uri 'self'; frame-ancestors 'self'; img-src 'self'; font-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; form-action 'self'; worker-src 'none'; frame-src https://vps-9f6b784f>
                Referrer-Policy "strict-origin-when-cross-origin"
                Cache-Control "public, max-age=15, must-revalidate"
                Feature-Policy "accelerometer 'none'; autoplay 'self'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture *; sync-xhr 'none'; usb 'none'"
                Server "No."
        }
        log {
                output file /var/log/caddy/access.log {
                        roll_size 10MiB
                        roll_keep 100
                }
                level debug
        }
}

3. The problem I’m having:

Well, that is not a real problem but more a question related to client authentication.
I would like to generate a client certificate that users would install on their browser in order to access the website. The documentation is very clear on how to set this up with existing certificates, but tells nothing on how to create them.

My questions are:

  • For this purpose, what would be the correct certificate? trusted_ca_cert or trusted_ca_cert? The difference between them is not very clear to me.
  • How should I generate it/them?
  • Should I provide the file or the base64 DER-encoded value (what’s more relevant)?

4. Error messages and/or full log output:

5. What I already tried:

6. Links to relevant resources:

TLS Documentation

It looks like you’re only serving on port 80 (HTTP).

To accept client certs, you must be serving over HTTPS, since the client certs are sent during the TLS handshake.

You wrote the same thing twice there. Could you clarify what you meant?

That’s out of scope of Caddy, it depends how you plan on maintaining issuance of client certs. Caddy doesn’t automatically do this, because it requires manual effort to do.

I suggest you do some research on this outside of Caddy. You could use smallstep maybe, to manage client certs.

Either one is fine. Easier to point to a file than copy a big piece of text into the config, but it depends how you’re maintaining the issuance.

Many thanks for your replies @francislavoie

Yes, for now, since I’m at the dev stage and I do not have the domain name for the project, I do not want to mess with HTTPS. But if mandatory, I will.

You wrote the same thing twice there. Could you clarify what you meant?

Sure, my mistake. The question was related to trusted_ca_cert and trusted_leaf_cert.

Thanks also for clarifying. I thought I had to use an inner function of caddy to generate them since they have to be trusted by the caddy ROOT CA.

Yeah, client cert auth is not possible without HTTPS.

You can turn on Caddy’s internal cert issuer though, so you get Caddy to generate and maintain “essentially self-signed” server certs (Caddy will generate its own local CA which it can use to generate certificates to use for HTTPS, but those won’t be trusted by browsers since the root CA cert won’t be in their trust store – you can install Caddy’s root CA cert in their trust stores though)

Right, so that again depends on how the client certs will be generated and managed.

But in this case, those options are what tells Caddy what client certificates to trust.

If you’re using a managed CA to issue the client certs, then you’d use the trusted_ca_cert option, so Caddy can verify that the client cert was signed by that CA.

If you’re issuing one-off leaf certs, you can list them out in Caddy’s config one by one (leaf is the individual certs that are issued to clients, think of the “root” cert as the tree trunk which spawns off branches/leaves).

It’s probably easier in the long run to give Caddy the CA cert, so you don’t need to change Caddy’s config and reload every time you revoke or issue a new cert.
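The following is an added worked example, not code from the thread or from the Caddy project, covering the original poster's "how should I generate them" question together with the trusted_ca_cert / trusted_leaf_cert distinction explained in the reply above. It uses only Go's standard library (Caddy is written in Go, so this is the natural language to show it in) to stand up a small private client CA, issue one user's leaf certificate, and then perform the two checks Caddy's options correspond to: chaining a presented leaf to the CA (what trusted_ca_cert asks for) versus pinning an exact leaf (what trusted_leaf_cert asks for). The CA name "Example Client CA", the user "alice" and the output file names are constructed placeholders; the CA private key is kept only in memory here, whereas a real deployment must store it somewhere safe so further client certificates can be issued later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"log"
	"math/big"
	"os"
	"time"
)

// NewClientCA creates a private CA; its certificate is what goes into
// Caddy's trusted_ca_cert (inline base64 DER) or trusted_ca_cert_file.
func NewClientCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(5, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// parent == template makes the certificate self-signed
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueClientCert issues one user's leaf certificate, signed by the CA.
// ExtKeyUsageClientAuth is what marks it as a client (not server) certificate.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyAgainstCA is the check behind trusted_ca_cert: the presented leaf
// must chain to the configured CA and be valid for client authentication.
func VerifyAgainstCA(leaf, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// MatchesTrustedLeaf is the check behind trusted_leaf_cert: the presented
// certificate must be byte-for-byte one of the individually listed leaves.
func MatchesTrustedLeaf(presented *x509.Certificate, trusted []*x509.Certificate) bool {
	for _, t := range trusted {
		if presented.Equal(t) {
			return true
		}
	}
	return false
}

// Base64DER renders a certificate the way the inline (non-_file) options expect it.
func Base64DER(c *x509.Certificate) string {
	return base64.StdEncoding.EncodeToString(c.Raw)
}

func writePEM(path, typ string, der []byte) {
	if err := os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}), 0o600); err != nil {
		log.Fatal(err)
	}
}

func main() {
	ca, caKey, err := NewClientCA("Example Client CA") // placeholder name
	if err != nil {
		log.Fatal(err)
	}
	leaf, leafKey, err := IssueClientCert(ca, caKey, "alice", 2) // placeholder user
	if err != nil {
		log.Fatal(err)
	}
	keyDER, _ := x509.MarshalECPrivateKey(leafKey)
	// ca.crt is what Caddy gets; client.crt and client.key go to the user.
	writePEM("ca.crt", "CERTIFICATE", ca.Raw)
	writePEM("client.crt", "CERTIFICATE", leaf.Raw)
	writePEM("client.key", "EC PRIVATE KEY", keyDER)
	fmt.Println("client cert chains to CA:", VerifyAgainstCA(leaf, ca) == nil)
	fmt.Println("trusted_ca_cert", Base64DER(ca)) // inline alternative to trusted_ca_cert_file ca.crt
}
```

With ca.crt in hand, the Caddyfile side is a `tls` block with `client_auth { mode require_and_verify; trusted_ca_cert_file ca.crt }` on an HTTPS site (during the dev stage the reply above suggests, `tls internal` gets you the locally trusted server certificate). Browsers generally import client identities as a PKCS#12 bundle, so client.crt and client.key are typically combined with `openssl pkcs12 -export` before being handed to the user. Pointing Caddy at the CA rather than at individual leaves is what lets you issue or stop honouring a user's certificate without touching the Caddy config each time.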
