GrahamDumpleton / mod_wsgi-docker

Docker images for Apache/mod_wsgi.
Apache License 2.0
72 stars, 36 forks

Support for Client Certificates #22

Closed. eomeara closed this issue 7 years ago.

eomeara commented 7 years ago

Can mod_wsgi-docker support client certificates? My wsgi app supports https successfully but indicates the SSL_CLIENT_CERT var isn't set when it tries to use it for client cert. I'm using curl outside the docker container to invoke https and also pass client.crt, client.key, similar to your gist Running HTTPS and client authentication with mod_wsgi-express. Is the gist newer than mod_wsgi-docker? How can I fix this? A newer mod_wsgi in requirements.txt?

GrahamDumpleton commented 7 years ago

Can you drop the link for the gist you are talking about here? I can't quickly find it right now.

GrahamDumpleton commented 7 years ago

One issue may be that although mod_wsgi-express has a section for generating:

SSLOptions +StdEnvVars

I can't see how the generation gets enabled. It may be a bug or something I didn't complete.

You can try creating a file httpd-ssl.conf and in it add:

SSLOptions +StdEnvVars

and then use the:

--include-file httpd-ssl.conf

option.

I am not sure whether this will work though, as it will be outside of the VirtualHost and not inside it where SSL is set up.

eomeara commented 7 years ago

The gist is https://gist.github.com/GrahamDumpleton/b79d336569054882679e

GrahamDumpleton commented 7 years ago

Were you able to try the --include-file workaround?

eomeara commented 7 years ago

I gave it a quick try and it didn't work, but that may have been due to another problem. For the moment I'm going to use a client token instead of client certs. When I have everything else working I may retry client certs.

GrahamDumpleton commented 7 years ago

Can you confirm my interpretation of the issue, that is that the SSL_CLIENT_CERT variable isn't being passed in the WSGI environ dictionary? Or is the issue something else?

I will try and fix the issue I did see this weekend. I have been travelling doing training during the week and doing the same next week, so a little busy.

GrahamDumpleton commented 7 years ago

BTW, you could also add the option --setup-only when you run start-server. This will not actually start the server, but just generate the config.

Then go into the httpd.conf file that was generated and change:

<IfDefine MOD_WSGI_SSL_ENVIRONMENT>
SSLOptions +StdEnvVars
</IfDefine>

to:

#<IfDefine MOD_WSGI_SSL_ENVIRONMENT>
SSLOptions +StdEnvVars
#</IfDefine>

Then run:

./apachectl start

in the directory of generated files.

This will start it up in background.

Test it, then run:

./apachectl stop

As I said, I wasn't sure whether what I gave you would work if it was outside of the VirtualHost.

GrahamDumpleton commented 7 years ago

Actually, I am an idiot and can't read my own code properly.

Just add the option:

--ssl-environment

That will result in variables being passed through for SSL to WSGI environ.
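What the application does with those variables once they reach the WSGI environ is the other half of the problem, so here is an added example of the app side (my own code, not part of this thread, mod_wsgi-docker or mod_wsgi-express). Two Apache facts it relies on: `SSLOptions +StdEnvVars` exports the verification result and the subject/issuer DN fields (`SSL_CLIENT_VERIFY`, `SSL_CLIENT_S_DN_CN`, ...), while the certificate itself in `SSL_CLIENT_CERT` is only exported with `SSLOptions +ExportCertData`; an app that only sees one of those sets should fail closed rather than guess. The example checks `SSL_CLIENT_VERIFY`, decodes the PEM (tolerating line breaks flattened to spaces, as happens when a reverse proxy forwards the cert in a header) and pins the leaf by SHA-256 fingerprint. The allowlist, the placeholder PEM (a PEM wrapper around bytes that are not a real certificate, constructed so the code runs offline) and the `run_request` harness are assumptions of the example, not anything mod_wsgi provides.

```python
"""Client-certificate check for a WSGI app behind Apache/mod_ssl.

Added example, not mod_wsgi's own code. It consumes the variables mod_ssl
places in the WSGI environ when `SSLOptions +StdEnvVars +ExportCertData`
applies to the request, and pins the caller's leaf certificate.
"""
import base64
import hashlib
import re
import sys
import textwrap

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_from_pem(pem):
    """Return the DER bytes of the first certificate in `pem`.

    Also accepts PEM whose newlines were flattened to spaces or tabs (what
    arrives when a proxy forwards the cert in a header). The base64 body is
    decoded strictly; any garbage raises ValueError (binascii.Error is one).
    """
    match = _PEM_RE.search(pem or "")
    if not match:
        raise ValueError("no PEM certificate in SSL_CLIENT_CERT")
    body = re.sub(r"\s+", "", match.group(1))
    return base64.b64decode(body, validate=True)


def fingerprint(der):
    """Hex SHA-256 of the DER certificate, i.e. what
    `openssl x509 -noout -fingerprint -sha256` prints, without colons."""
    return hashlib.sha256(der).hexdigest()


def check_client_cert(environ, trusted_fingerprints):
    """Return (ok, reason). The DN alone is never trusted: the handshake
    must have verified the chain (SSL_CLIENT_VERIFY == SUCCESS) and the
    leaf must be pinned in `trusted_fingerprints` (a set of hex digests)."""
    verify = environ.get("SSL_CLIENT_VERIFY")
    if verify is None:
        # No mod_ssl variables at all: +StdEnvVars (mod_wsgi-express
        # --ssl-environment) is not in effect, so fail closed.
        return False, "SSL_* variables absent; enable SSLOptions +StdEnvVars"
    if verify != "SUCCESS":
        return False, "client certificate not verified (%s)" % verify
    pem = environ.get("SSL_CLIENT_CERT")
    if not pem:
        return False, "SSL_CLIENT_CERT absent; enable SSLOptions +ExportCertData"
    try:
        digest = fingerprint(der_from_pem(pem))
    except ValueError as exc:
        return False, "unparseable SSL_CLIENT_CERT: %s" % exc
    subject_cn = environ.get("SSL_CLIENT_S_DN_CN", "?")
    if digest not in trusted_fingerprints:
        return False, "cert %s (CN=%s) not in allowlist" % (digest[:16], subject_cn)
    return True, "CN=%s" % subject_cn


def make_app(trusted_fingerprints):
    """Build the WSGI callable; mod_wsgi wants a module-level `application`."""
    def application(environ, start_response):
        ok, reason = check_client_cert(environ, trusted_fingerprints)
        if not ok:
            # Log the precise reason server-side, send the client nothing useful.
            environ.get("wsgi.errors", sys.stderr).write("client cert rejected: %s\n" % reason)
            body = b"forbidden\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        body = ("hello %s\n" % reason).encode("utf-8")
        start_response("200 OK", [("Content-Type", "text/plain"),
                                  ("Content-Length", str(len(body)))])
        return [body]
    return application


def run_request(app, environ):
    """Invoke a WSGI app without a server; returns (status, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
    body = b"".join(app(environ, start_response))
    return captured["status"], body


# Constructed placeholder: a PEM wrapper around bytes that are NOT a real
# certificate, enough to exercise the parsing and pinning path offline.
# In deployment the allowlist is the static hex digests of the real certs.
_FAKE_DER = b"constructed placeholder, not a real DER certificate"
SAMPLE_CLIENT_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
    "\n".join(textwrap.wrap(base64.b64encode(_FAKE_DER).decode("ascii"), 64)))
TRUSTED_FINGERPRINTS = frozenset({fingerprint(_FAKE_DER)})
application = make_app(TRUSTED_FINGERPRINTS)
```

With `SSLVerifyClient require` in the vhost, Apache already refuses handshakes that do not chain to `SSLCACertificateFile`, so the in-app check is defence in depth; with `SSLVerifyClient optional` it is the only thing standing between an unauthenticated caller and the handler, which is why the absent-variable case returns 403 rather than passing through.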

GrahamDumpleton commented 7 years ago

@eomeara Did you resolve your issue?

eomeara commented 7 years ago

Graham,

I abandoned the use of client certificates and used a shared secret instead.

Otherwise your code functioned as desired.

If I have time in the medium term I will explore using client certificates again.

I will let you know of my success, or not, at that time.

GrahamDumpleton commented 7 years ago

Okay. I will close this issue then.