Unable to get client_authentication working with Caddy v2.0.0

1. Caddy version (caddy version):

v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=

2. How I run Caddy:

a. System environment:

Linux rpi 5.4.35-1-ARCH #1 SMP PREEMPT Sun May 3 21:53:49 UTC 2020 armv7l GNU/Linux

Running standalone, no internet access. Trying and configuring caddy as regular user with executable, config and certs at $HOME/caddyserver/.

b. Command:

./caddy run --config test.json

d. My complete Caddyfile or JSON config:

{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "automatic_https": { "disable_redirects": true },
          "listen": [ "127.0.0.1:8080" ],
          "routes": [
            {
              "handle": [
                {
                  "encodings": { "gzip": {} },
                  "handler": "encode"
                },
                {
                  "handler": "file_server",
                  "hide": [ "Caddyfile" ]
                }
              ]
            }
          ],
          "tls_connection_policies": [
            {
              "certificate_selection": {
                "any_tag": [ "cert0" ]
              },
              "client_authentication": {
                "trusted_ca_certs": [ "/home/user/caddyserver/ca.crt" ]
              }
            }
          ],
          "logs": { "default_logger_name": "log0" }
        }
      }
    },
    "tls": {
      "certificates": {
        "load_files": [
          {
            "certificate": "/home/user/caddyserver/selfsigned.crt",
            "key": "/home/user/caddyserver/selfsigned.key",
            "tags": [ "cert0" ]
          }
        ]
      },
      "automation": {
        "policies": [
          {
            "issuer": {
              "challenges": { "bind_host": "127.0.0.1" },
              "module": "acme"
            }
          }
        ]
      }
    }
  },
  "admin": { "disabled": true },
  "logging": {
    "logs": {
      "default": {
        "exclude": [ "http.log.access.log0" ]
      },
      "log0": {
        "level": "DEBUG",
        "writer": { "output": "stdout" },
        "encoder": { "format": "console" },
        "include": [ "http.log.access.log0" ]
      }
    }
  }
}

3. The problem I’m having:

Unable to get client_authentication working for Caddy v2.
I’ve generated CA root cert (openssl req -new -x509 -days 3650 -key ca.key -out ca.crt) from RSA 4096 key and included path to ca.crt in JSON Config (tls_connection_policies/client_authentication/trusted_ca_certs). However caddy fails to run and throws an error.

4. Error messages and/or full log output:

[INFO][cache:0x3b8e000] Stopped certificate maintenance routine
run: loading initial config: loading new config: loading http app module: provision http: server srv0: setting up TLS connection policies: connection policy 0: building standard TLS config: configuring TLS client authentication: parsing certificate: illegal base64 data at input byte 24

5. What I already tried:

Spent significant time searching for mistakes, looked at this forum and other places online, tested many different certificate formats and initial root key types. Strangely, even if I provide an incorrect path (to a non-existent file, i.e. “trusted_ca_certs”: ["/var/tmp/foobar.crt"]) I get a similar error, except with a different input byte number.

Same ca.crt works as expected with Caddy v1 (in Caddyfile tls { clients ... }) therefore either v2 requires something different or could there be some bug…?

Any ideas appreciated. Thank you!

Welcome Rai –

As the docs for trusted_ca_certs say:

A list of base64 DER-encoded CA certificates against which to validate client certificates. Client certs which are not signed by any of these CAs will be rejected.

You have provided a filename, not a base64 DER-encoded CA certificate.

(There’s a PR to allow specifying filenames in the works.)
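To make the distinction concrete: in Caddy v2.0.0 the `trusted_ca_certs` entry is the base64 DER body of the certificate, which is exactly the text between the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines of a PEM file with the line breaks removed. The script below is an added example, not code from the Caddy project or from anyone in this thread. It extracts that body from a PEM file, validates it the way Caddy will (strict base64, then the outer DER SEQUENCE header), and emits the JSON fragment to paste into `tls_connection_policies`. The PEM input embedded in it is a constructed placeholder (a five-byte DER SEQUENCE, not a real certificate), and the path string it rejects is the one from the config above.

```python
"""
Build a Caddy v2.0.0 `client_authentication` fragment from a PEM CA cert.

Caddy v2.0.0 expects `trusted_ca_certs` to hold base64 DER, i.e. the text
between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- with the
line breaks removed. A file path in that slot is fed to the base64 decoder
and fails with "illegal base64 data at input byte N".
"""
import base64
import binascii
import json
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample (not a real certificate): DER SEQUENCE { INTEGER 1 },
# bytes 30 03 02 01 01, wrapped in PEM armor.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQE=\n"
    "-----END CERTIFICATE-----\n"
)


def pem_to_base64_der(pem_text: str) -> list[str]:
    """Return one unbroken base64 string per CERTIFICATE block in pem_text."""
    blocks = PEM_RE.findall(pem_text)
    if not blocks:
        raise ValueError("no CERTIFICATE block found (is this a PEM file?)")
    # PEM body is already base64 DER; only the 64-column line breaks go.
    return ["".join(block.split()) for block in blocks]


def check_base64_der(value: str) -> int:
    """Validate a trusted_ca_certs entry: strict base64, then the outer DER
    SEQUENCE tag and length. Returns the decoded DER length in bytes."""
    try:
        der = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not base64 (a file path, perhaps?): {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE (tag 0x30)")
    # DER length: short form (< 0x80) or long form (0x80 | n, then n bytes).
    first = der[1]
    if first < 0x80:
        body_len, header = first, 2
    else:
        n = first & 0x7F
        body_len = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    if header + body_len != len(der):
        raise ValueError("DER length does not match data (truncated paste?)")
    return len(der)


def client_authentication_fragment(pem_text: str) -> dict:
    """Build the object to place inside tls_connection_policies[n]."""
    certs = pem_to_base64_der(pem_text)
    for cert in certs:
        check_base64_der(cert)
    return {"client_authentication": {"trusted_ca_certs": certs}}


if __name__ == "__main__":
    print(json.dumps(client_authentication_fragment(SAMPLE_PEM), indent=2))
    # The value from the original config: a path, which base64 rejects.
    try:
        check_base64_der("/home/user/caddyserver/ca.crt")
    except ValueError as err:
        print("rejected:", err)
```

Run it against a real `ca.crt` by reading the file into `client_authentication_fragment`; the printed object replaces the `client_authentication` block in the config. The length check catches the other common failure, a base64 string that was cut off while pasting, which decodes cleanly but does not parse as a certificate.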

Thank you Matt for quick response and sorry for not grasping doc details to the fullest extent (have to admit as a non native English speaker - all this TLS/crypto stuff is rather confusing…).

I might wait for the update allowing filenames, however maybe, if it isn’t too much burden, could you point me a bit more to what I’m missing:

If I understand correctly, I should insert the CA directly into the JSON config. So I took the .crt lines between -----BEGIN/END CERTIFICATE-----, joined them continuously into a single line (as another way, I tried and got the same result by converting .crt to binary .der using openssl --outform der, then used python b64encode() to convert the bytes to a string) and put those 1800+ ASCII characters inside:

"client_authentication": {
  "trusted_ca_certs": ["MIIFTzCC........OIw=="]
}

Still getting a similar error: illegal base64 data at input byte 15.

Once again my apologies for such elementary blunder :slight_smile:

Hmm. Try this instead of python (just to reduce the possibility of an error there):

$ cat your_der_file.der | base64

But the string you gave looks correct…

If you paste the base64 into ASN.1 JavaScript decoder does it parse ok? (Don’t worry, that site is 100% client-side JS, you won’t be sending your cert to it)

Got everything working! (shamefully had several JSON config backups and been updating one file while feeding another to caddy - ugghh better to take rest on weekends)…

Thank you for great project and amazing support!

