Liblor / applied_sec_lab

Applied Security Laboratory - AS19

Configure nginx certificate forwarding #67

Closed RequestForCoffee closed 4 years ago

RequestForCoffee commented 4 years ago

Fixes #64.

Liblor commented 4 years ago

Doesn't work for me:

    aslans01: RUNNING HANDLER [nginxinc.nginx : (Handler: All OSs) Start NGINX] **************
    aslans01: fatal: [aslcert01]: FAILED! => {"changed": false, "msg": "Unable to start service nginx: Job for nginx.service failed because the control process exited with error code.\nSee \"systemctl status nginx.service\" and \"journalctl -xe\" for details.\n"}
    aslans01:

journal:

    Nov 14 22:34:20 aslcert01 nginx[23629]: nginx: [emerg] unexpected ";" in /etc/nginx/conf.d/encrypted.conf:35
    Nov 14 22:34:20 aslcert01 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE

encrypted.conf:

33        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
34        proxy_set_header X-Forwarded-Proto $scheme;
35        proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;;
36        proxy_http_version 1.1;

keyctl commented 4 years ago

@Liblor Hm, I was confused for a bit. I've actually merged this on top of another branch already, so I thought this should be fine. But I remember patching the nginx config manually, so thanks for pointing this out!

RequestForCoffee commented 4 years ago

@keyctl should I still push a change for this or are you taking care of it through manual merging?

keyctl commented 4 years ago

@RequestForCoffee I wanted to check out GitHub's editor anyway, hehe.

Liblor commented 4 years ago

Doesn't work for me... I still land on the login page. Freshly built vagrant setup

keyctl commented 4 years ago

> Doesn't work for me... I still land on the login page. Freshly built vagrant setup

Can you explain in detail what you did?

Liblor commented 4 years ago

Sure:

Inside project (my machine): make up

Client:

keyctl commented 4 years ago

Hm, on this branch, it does not work for me either. @RequestForCoffee, does it work for you? Maybe a merge broke something?

RequestForCoffee commented 4 years ago

@keyctl I will try and re-test this.

RequestForCoffee commented 4 years ago

@keyctl, @Liblor, the reason this does not work out-of-the-box are the additional changes to CertServer (updated CRL distribution point) and WebServer (logic to parse forwarded cert). In addition to provisioning the vagrant setup, locally build CertServer and WebServer have to be pushed; then, this works as intended.

keyctl commented 4 years ago

Oh right, I totally forgot about this like every time. @Liblor just pull the recent changes, and do a make push after setting up Vagrant (which can now be done by make clean build).

RequestForCoffee commented 4 years ago

> Is it correct that there is no logout button when I log in using the certificate?

Correct, there is no standard or robust way to force the browser to "forget" a user's certificate choice from the server, so logging out is just restarting the browser.