I wish to be able to pass a user certificate as well as the intermediate (and CA certificates?) for this bouncer to be able to log in to the LAPI using the provided user certificate.
This way it allows auto-registering & accepting the bouncer instead of having to generate an API key or approve the bouncer.
New environment variables could be:
CROWDSEC_BOUNCER_CERT_FILE: path to the client cert file inside the container (mounted with a volume or other secrets mechanism)
CROWDSEC_BOUNCER_KEY_FILE: path to the client cert key file inside the container (mounted with a volume or other secrets mechanism)
CROWDSEC_CACERT_FILE: path to the trust authority signing the server certificate.
I'm not entirely sure why/how, but I was expecting the CROWDSEC_CACERT_FILE proposed above to already be mandatory to use HTTPS for the LAPI when using a custom CA, but somehow this bouncer seems to accept my self-signed CA even though I did not do anything to tell it about my CA... I believe this means somewhere there is something trusting any provided certificate, probably not the best...
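As an added example that is not part of the issue above nor of the bouncer's or crowdsec's own code, the following Go program shows what the proposed configuration should amount to on the bouncer side: the client certificate and key from the two bouncer variables are presented for mTLS, the CA from CROWDSEC_CACERT_FILE becomes the only trusted root for the LAPI server certificate, and the CA is treated as mandatory, so the code never falls back to `InsecureSkipVerify`, which is the one setting that would make a client accept a self-signed LAPI it was never told about. The environment variable names are the ones proposed in the issue and are assumptions here; `NewTestPKI` is a constructed fixture (throwaway CA, client and server certificates) so the program runs offline, and `ServerCertAccepted` performs offline the chain and host name check the TLS handshake does with `RootCAs`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// BuildClientTLS builds the TLS config a bouncer would use towards LAPI.
// certPEM/keyPEM are the client certificate and key presented for mTLS login;
// caPEM is the CA that signed the LAPI *server* certificate. The CA is mandatory:
// the only other way a self-signed LAPI gets accepted is InsecureSkipVerify,
// which this function never sets.
func BuildClientTLS(certPEM, keyPEM, caPEM []byte) (*tls.Config, error) {
	if len(caPEM) == 0 {
		return nil, errors.New("CA certificate is required to verify the LAPI server")
	}
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("client certificate: %w", err)
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("CA file contains no parsable PEM certificate")
	}
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      roots, // private CA only; InsecureSkipVerify stays false
		MinVersion:   tls.VersionTLS12,
	}, nil
}

// ServerCertAccepted does offline what the handshake does with cfg.RootCAs:
// it chains serverPEM to a trusted root and checks the host name.
func ServerCertAccepted(cfg *tls.Config, serverPEM []byte, host string) bool {
	block, _ := pem.Decode(serverPEM)
	if block == nil {
		return false
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err == nil
}

// NewTestPKI is a constructed fixture, not crowdsec material: a self-signed CA,
// a client cert for the bouncer and a server cert for LAPI, all PEM-encoded.
// Key generation and marshalling of a fresh P-256 key cannot fail, so only
// certificate creation is checked.
func NewTestPKI() (caPEM, clientCert, clientKey, serverCert []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example private CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caCert, _ := x509.ParseCertificate(caDER)
	// issue signs a leaf for cn with the CA above and returns cert and key PEM.
	issue := func(cn string, eku x509.ExtKeyUsage, serial int64) ([]byte, []byte) {
		key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
			NotBefore: ca.NotBefore, NotAfter: ca.NotAfter,
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
		if err != nil {
			panic(err)
		}
		keyDER, _ := x509.MarshalECPrivateKey(key)
		return toPEM("CERTIFICATE", der), toPEM("EC PRIVATE KEY", keyDER)
	}
	clientCert, clientKey = issue("bouncer", x509.ExtKeyUsageClientAuth, 2)
	serverCert, _ = issue("crowdsec-lapi", x509.ExtKeyUsageServerAuth, 3)
	return toPEM("CERTIFICATE", caDER), clientCert, clientKey, serverCert
}

func toPEM(typ string, der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der})
}

func main() {
	// In the bouncer the three slices would come from os.ReadFile of the paths in
	// CROWDSEC_BOUNCER_CERT_FILE, CROWDSEC_BOUNCER_KEY_FILE and CROWDSEC_CACERT_FILE
	// (the names proposed above); here the constructed fixture stands in for them.
	ca, cc, ck, sc := NewTestPKI()
	cfg, err := BuildClientTLS(cc, ck, ca)
	if err != nil {
		panic(err)
	}
	fmt.Println("LAPI cert accepted with private CA:", ServerCertAccepted(cfg, sc, "crowdsec-lapi"))
	fmt.Println("LAPI cert accepted with no CA configured:", ServerCertAccepted(&tls.Config{}, sc, "crowdsec-lapi"))
	_, err = BuildClientTLS(cc, ck, nil)
	fmt.Println("start without CA file:", err)
}
```

The second `ServerCertAccepted` call is the check worth running against any bouncer build: with no CA configured, a LAPI certificate from a private CA must be rejected. If a client accepts it anyway, either the CA has been picked up from somewhere else (the container's system trust store, for instance) or verification is switched off, and only the first explanation is acceptable.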