Closed mbettsteller closed 6 months ago
/assign @rikatz /triage accepted /priority backlog
Ok, so taking a look here, the issue is that ssl_verify_client is a server directive, and we cannot disable it per location: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client
An alternative you have is to set it as optional and deal with it on your backend.
When cert auth is enabled, the var https://nginx.org/en/docs/http/ngx_http_ssl_module.html#var_ssl_client_verify is passed to the backend (see https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/etc/nginx/template/nginx.tmpl#L1180) so you can turn it optional, but on your backends deny the authentication.
We can set on the template a validation enforcement or a new type of validation called on-without-restrictions that tells us it is "optional", but should enforce denial if the ssl_client_verify is an error except on auth locations, but this would take a bit of time for me to implement right now.
So, my suggestion right now is to turn it optional and validate on backend, if this is possible
Hi, thank you very much for looking into this.
We can set on the template a validation enforcement or a new type of validation called on-without-restrictions that tells us it is "optional", but should enforce denial if the ssl_client_verify is an error except on auth locations, but this would take a bit of time for me to implement right now. So, my suggestion right now is to turn it optional and validate on backend, if this is possible
I will check back with our backend DEVs and see if that can be easily done. But it is vacation time, so might take a while :-). Will post later how we decided to go on.
Thanks!
This is stale, but we won't close it automatically, just bear in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach #ingress-nginx-dev on Kubernetes Slack.
We got the same problem, is there any information if this will be fixed? Maybe by reordering in the nginx template?
When having an nginx.ingress.kubernetes.io/auth-tls-match-cn annotation configured, ingress-nginx responds with 403 client certificate unauthorized. When the annotation is commented out it works, as @mbettsteller already pointed out.
@strongjz Would a change like this be accepted? It would be really great if this issue could be fixed.
(tested and verified locally, as the problem is not the ssl_verify_client directive itself but the rejection if the client CN does not match, which happens when the certificate issuer requests /.well-known/acme-challenge without a certificate, obviously)
{{ if not ( empty $server.CertificateAuth.MatchCN ) }}
{{ if gt (len $server.CertificateAuth.MatchCN) 0 }}
# negative lookahead: apply the CN check to every path except the ACME challenge path
location ~ ^/(?!(\.well-known/acme-challenge)) {
    if ( $ssl_client_s_dn !~ {{ $server.CertificateAuth.MatchCN }} ) {
        return 403 "client certificate unauthorized";
    }
}
{{ end }}
{{ end }}
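Added example (not code from this thread or from ingress-nginx): a small Go backend middleware that does what @rikatz suggested above, running nginx with ssl_verify_client optional and making the deny decision on the upstream, while exempting the ACME challenge path the same way the proposed template change does. It reads the ssl-client-verify and ssl-client-subject-dn request headers that the controller's nginx.tmpl sets for the upstream (check those names against the template version you run); the ClientCertPolicy type, its MatchCN regex, acmePrefix and the sample header values in RunDemo are assumptions made up for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Request headers ingress-nginx adds for the upstream when a client-cert CA
// (auth-tls-secret) is configured. Names are taken from the controller's
// nginx.tmpl; verify them against the template version you run.
const (
	hdrClientVerify  = "ssl-client-verify"     // $ssl_client_verify: NONE, SUCCESS or FAILED:<reason>
	hdrClientSubject = "ssl-client-subject-dn" // $ssl_client_s_dn
)

// acmePrefix is the path cert-manager's HTTP-01 solver must be able to reach
// without presenting a client certificate (assumed prefix for the example).
const acmePrefix = "/.well-known/acme-challenge/"

// ClientCertPolicy is a hypothetical backend-side equivalent of the
// auth-tls-verify-client / auth-tls-match-cn annotations.
type ClientCertPolicy struct {
	MatchCN *regexp.Regexp // regex matched against the subject DN; nil accepts any verified cert
}

// Check returns whether the request may proceed and a short reason.
// Order matters: the ACME exemption comes first, then the certificate
// verification state, then the CN match.
func (p ClientCertPolicy) Check(path, verify, subjectDN string) (bool, string) {
	if strings.HasPrefix(path, acmePrefix) {
		return true, "acme challenge path exempt from client-cert checks"
	}
	if verify != "SUCCESS" {
		// NONE (no cert offered, which nginx allows in "optional" mode)
		// or FAILED:... (cert offered but it did not validate against the CA)
		return false, "client certificate not verified: " + verify
	}
	if p.MatchCN != nil && !p.MatchCN.MatchString(subjectDN) {
		return false, "client certificate unauthorized"
	}
	return true, "ok"
}

// Middleware applies the policy in front of the real handler and answers 403
// with the same wording nginx uses for the CN mismatch case.
func (p ClientCertPolicy) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok, reason := p.Check(r.URL.Path, r.Header.Get(hdrClientVerify), r.Header.Get(hdrClientSubject))
		if !ok {
			http.Error(w, reason, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// RunDemo pushes constructed requests (sample header values, not captured from
// a real cluster) through the middleware and returns the status codes in the
// order of the cases below.
func RunDemo() []int {
	policy := ClientCertPolicy{MatchCN: regexp.MustCompile(`CN=my-client`)}
	h := policy.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	cases := []struct{ path, verify, dn string }{
		{"/.well-known/acme-challenge/token123", "NONE", ""},                                   // solver, no cert -> 200
		{"/api/orders", "NONE", ""},                                                            // no cert on a protected path -> 403
		{"/api/orders", "FAILED:unable to get local issuer certificate", "CN=my-client,O=Example"}, // bad chain -> 403
		{"/api/orders", "SUCCESS", "CN=someone-else,O=Example"},                                // wrong CN -> 403
		{"/api/orders", "SUCCESS", "CN=my-client,O=Example"},                                   // verified, CN matches -> 200
	}
	codes := make([]int, 0, len(cases))
	for _, c := range cases {
		req := httptest.NewRequest(http.MethodGet, c.path, nil)
		req.Header.Set(hdrClientVerify, c.verify)
		req.Header.Set(hdrClientSubject, c.dn)
		rr := httptest.NewRecorder()
		h.ServeHTTP(rr, req)
		codes = append(codes, rr.Code)
	}
	return codes
}

func main() {
	for i, code := range RunDemo() {
		fmt.Printf("case %d -> %d\n", i, code)
	}
}
```

With this in place the ingress can stay on auth-tls-verify-client: optional without auth-tls-match-cn, the solver's unauthenticated request to /.well-known/acme-challenge/ gets through, and every other path still requires a certificate that both chains to the CA and carries the expected CN. The backend must only trust these headers when it is reachable solely through the controller, since any client that can bypass nginx could set them itself.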
What happened:
When using cert-manager to get an SSL cert in an ingress that also verifies the client with a client ssl cert and also uses auth-tls-match-cn the acme-challenge is blocked with a 403.
This does NOT happen when you do not use auth-tls-match-cn!
cert-manager (acme challenge ingress) + mTLS client auth = OK
cert-manager (acme challenge ingress) + mTLS client auth + auth-tls-match-cn = NOK
What you expected to happen:
The location /.well-known/acme-challenge/redacted/ should not be blocked with a 403, so the challenge could be answered even when auth-tls-match-cn is set in the ingress.
What do you think went wrong?
When looking at the configuration that is being produced I see:
pretty early in the server section.
More detail:
NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):
NGINX Ingress controller Release: v1.5.1 Build: d003aae913cc25f375deb74f898c7f3c65c06f05 Repository: https://github.com/kubernetes/ingress-nginx nginx version: nginx/1.21.6
Kubernetes version (use kubectl version):
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.10", GitCommit:"e770bdbb87cccdc2daa790ecd69f40cf4df3cc9d", GitTreeState:"clean", BuildDate:"2023-05-17T14:12:20Z", GoVersion:"go1.19.9", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"25+", GitVersion:"v1.25.10-eks-c12679a", GitCommit:"bbfa7e393476eb418f98a8c785721a006ba830cd", GitTreeState:"clean", BuildDate:"2023-05-22T20:31:17Z", GoVersion:"go1.19.9", Compiler:"gc", Platform:"linux/amd64"}
Environment:
Cloud provider or hardware configuration: AWS (EKS)
OS (e.g. from /etc/os-release): AMI 1.25.9-20230607
Kernel (e.g. uname -a): 5.10.179-168.710.amzn2.x86_64
Install tools: helm (version.BuildInfo{Version:"v3.12.0", GitCommit:"c9f554d75773799f72ceef38c51210f1842a1dea", GitTreeState:"clean", GoVersion:"go1.20.3"})
How was the ingress-nginx-controller installed: