5:45 a.m.
Hi there,
our IPA servers' https port is exposed to internet. I wanted to restrict access to Web
UI by requesting a user certificate issued by IPA and enabling Apache setting
"NSSVerifyClient require" (or "optional") in
/etc/httpd/conf.d/nss.conf
This, however, broke "ipa" command, which now started to fail like:
[user@im conf.d]$ ipa user-show user
ipa: ERROR: cannot connect to 'https://a.b.c.d/ipa/json':
(SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.
Questions:
Is it possible for "ipa" command to present sertificate to Apache server?
Anything else is going to break by such approach?
Thanks,
Ivars
5:50 a.m.
New subject: ipa command breaks by setting "NSSVerifyClient require"
On la, 27 touko 2017, Ivars Strazdiņš via FreeIPA-users wrote:
Hi there,
our IPA servers' https port is exposed to internet. I wanted to restrict access to Web
UI by requesting a user certificate issued by IPA and enabling Apache setting
"NSSVerifyClient require" (or "optional") in
/etc/httpd/conf.d/nss.conf
This, however, broke "ipa" command, which now started to fail like:
[user@im conf.d]$ ipa user-show user
ipa: ERROR: cannot connect to 'https://a.b.c.d/ipa/json':
(SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.
Questions:
Is it possible for "ipa" command to present sertificate to Apache server?
Not possible yet. Note that it is not only an issue of 'ipa' command,
there are also other commands that are used for join operation and
also require access to the HTTPS end point.
Prior to FreeIPA 4.5 there is no way to enable certificate
authentication to web UI at all. In 4.5 we added ability to authenticate
with certificates to web UI. However, none of the enrollment tools and
'ipa' utility were changed to allow such method.
It would probably be good to open a ticket to make sure cert-based
authentication would be supported by 'ipa' and enrollment tools.
Anything else is going to break by such approach?
See above.
--
/ Alexander Bokovoy
6:37 a.m.
New subject: ipa command breaks by setting "NSSVerifyClient require"
On Mon, May 29, 2017 at 01:50:28PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
On la, 27 touko 2017, Ivars Strazdiņš via FreeIPA-users wrote:
> Hi there,
> our IPA servers' https port is exposed to internet. I wanted to restrict access
to Web UI by requesting a user certificate issued by IPA and enabling Apache setting
"NSSVerifyClient require" (or "optional") in
/etc/httpd/conf.d/nss.conf
> This, however, broke "ipa" command, which now started to fail like:
> [user@im conf.d]$ ipa user-show user
> ipa: ERROR: cannot connect to 'https://a.b.c.d/ipa/json':
(SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.
>
> Questions:
> Is it possible for "ipa" command to present sertificate to Apache server?
>
Hi Ivars,
I am curious about your use case. Is there some reason why you need
certificate authentication instead of Kerberos? Knowing why you
want to do this will help us decide when or whether to implement
this.
Thanks,
Fraser
> Not possible yet. Note that it is not only an issue of 'ipa' command,
> there are also other commands that are used for join operation and
> also require access to the HTTPS end point.
>
> Prior to FreeIPA 4.5 there is no way to enable certificate
> authentication to web UI at all. In 4.5 we added ability to authenticate
> with certificates to web UI. However, none of the enrollment tools and
> 'ipa' utility were changed to allow such method.
>
> It would probably be good to open a ticket to make sure cert-based
> authentication would be supported by 'ipa' and enrollment tools.
>
> > Anything else is going to break by such approach?
> See above.
> --
> / Alexander Bokovoy
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
7:56 a.m.
New subject: ipa command breaks by setting "NSSVerifyClient require"
I am not saying “instead of”. We are using standard authetication provided by FreeIPA, but
I want to protect Web UI interface from unwanted attention as it is, unfortunately,
exposed to entire internet. I’d be much happier if Apache could reject (or redirect) any
client which is not presenting required certificate even before any authentication attempt
is started.
That is not to say that the whole server is exposed, but 443 port is.
Ar laipniem sveicieniem,
Ivars Strazdiņš
On 2017. gada 29. maijs, at 17:07, Fraser Tweedale
<ftweedal(a)redhat.com> wrote:
On Mon, May 29, 2017 at 01:50:28PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On la, 27 touko 2017, Ivars Strazdiņš via FreeIPA-users wrote:
>> Hi there,
>> our IPA servers' https port is exposed to internet. I wanted to restrict
access to Web UI by requesting a user certificate issued by IPA and enabling Apache
setting "NSSVerifyClient require" (or "optional") in
/etc/httpd/conf.d/nss.conf
>> This, however, broke "ipa" command, which now started to fail like:
>> [user@im conf.d]$ ipa user-show user
>> ipa: ERROR: cannot connect to 'https://a.b.c.d/ipa/json':
(SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.
>>
>> Questions:
>> Is it possible for "ipa" command to present sertificate to Apache
server?
>>
Hi Ivars,
I am curious about your use case. Is there some reason why you need
certificate authentication instead of Kerberos? Knowing why you
want to do this will help us decide when or whether to implement
this.
Thanks,
Fraser
> Not possible yet. Note that it is not only an issue of 'ipa' command,
> there are also other commands that are used for join operation and
> also require access to the HTTPS end point.
>
> Prior to FreeIPA 4.5 there is no way to enable certificate
> authentication to web UI at all. In 4.5 we added ability to authenticate
> with certificates to web UI. However, none of the enrollment tools and
> 'ipa' utility were changed to allow such method.
>
> It would probably be good to open a ticket to make sure cert-based
> authentication would be supported by 'ipa' and enrollment tools.
>
>> Anything else is going to break by such approach?
> See above.
> --
> / Alexander Bokovoy
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
7:15 p.m.
New subject: ipa command breaks by setting "NSSVerifyClient require"
On Mon, May 29, 2017 at 06:26:31PM +0530, Ivars Strazdiņš wrote:
I am not saying “instead of”. We are using standard authetication
provided by FreeIPA, but I want to protect Web UI interface from unwanted attention as it
is, unfortunately, exposed to entire internet. I’d be much happier if Apache could reject
(or redirect) any client which is not presenting required certificate even before any
authentication attempt is started.
That is not to say that the whole server is exposed, but 443 port is.
Thanks for explaining.
Cheers,
Fraser
> Ar laipniem sveicieniem,
> Ivars Strazdiņš
>
> > On 2017. gada 29. maijs, at 17:07, Fraser Tweedale <ftweedal(a)redhat.com>
wrote:
> >
> > On Mon, May 29, 2017 at 01:50:28PM +0300, Alexander Bokovoy via FreeIPA-users
wrote:
> >> On la, 27 touko 2017, Ivars Strazdiņš via FreeIPA-users wrote:
> >>> Hi there,
> >>> our IPA servers' https port is exposed to internet. I wanted to
restrict access to Web UI by requesting a user certificate issued by IPA and enabling
Apache setting "NSSVerifyClient require" (or "optional") in
/etc/httpd/conf.d/nss.conf
> >>> This, however, broke "ipa" command, which now started to fail
like:
> >>> [user@im conf.d]$ ipa user-show user
> >>> ipa: ERROR: cannot connect to 'https://a.b.c.d/ipa/json':
(SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.
> >>>
> >>> Questions:
> >>> Is it possible for "ipa" command to present sertificate to
Apache server?
> >>>
> > Hi Ivars,
> >
> > I am curious about your use case. Is there some reason why you need
> > certificate authentication instead of Kerberos? Knowing why you
> > want to do this will help us decide when or whether to implement
> > this.
> >
> > Thanks,
> > Fraser
> >
> >> Not possible yet. Note that it is not only an issue of 'ipa'
command,
> >> there are also other commands that are used for join operation and
> >> also require access to the HTTPS end point.
> >>
> >> Prior to FreeIPA 4.5 there is no way to enable certificate
> >> authentication to web UI at all. In 4.5 we added ability to authenticate
> >> with certificates to web UI. However, none of the enrollment tools and
> >> 'ipa' utility were changed to allow such method.
> >>
> >> It would probably be good to open a ticket to make sure cert-based
> >> authentication would be supported by 'ipa' and enrollment tools.
> >>
> >>> Anything else is going to break by such approach?
> >> See above.
> >> --
> >> / Alexander Bokovoy
> >> _______________________________________________
> >> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> >> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>
10:46 a.m.
New subject: ipa command breaks by setting "NSSVerifyClient require"
On 05/29/2017 07:15 PM, Fraser Tweedale via FreeIPA-users wrote:
On Mon, May 29, 2017 at 06:26:31PM +0530, Ivars Strazdiņš wrote:
> I am not saying “instead of”. We are using standard authetication provided by
FreeIPA, but I want to protect Web UI interface from unwanted attention as it is,
unfortunately, exposed to entire internet. I’d be much happier if Apache could reject (or
redirect) any client which is not presenting required certificate even before any
authentication attempt is started.
> That is not to say that the whole server is exposed, but 443 port is.
>
Thanks for explaining.
Maybe I'm missing something in this thread, but couldn't the OP simply
put a reverse proxy in front of the Internet-exposed port?
--
========================================================================
Ian Pilcher arequipeno(a)gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
6:29 p.m.
New subject: ipa command breaks by setting "NSSVerifyClient require"
On Tue, May 30, 2017 at 10:46:59AM -0500, Ian Pilcher via FreeIPA-users wrote:
On 05/29/2017 07:15 PM, Fraser Tweedale via FreeIPA-users wrote:
> On Mon, May 29, 2017 at 06:26:31PM +0530, Ivars Strazdiņš wrote:
> > I am not saying “instead of”. We are using standard authetication provided by
FreeIPA, but I want to protect Web UI interface from unwanted attention as it is,
unfortunately, exposed to entire internet. I’d be much happier if Apache could reject (or
redirect) any client which is not presenting required certificate even before any
authentication attempt is started.
> > That is not to say that the whole server is exposed, but 443 port is.
> >
> Thanks for explaining.
Maybe I'm missing something in this thread, but couldn't the OP simply
put a reverse proxy in front of the Internet-exposed port?
What you are missing: the client tools do not support certificate
authentication (yet).
10:48 a.m.
New subject: ipa command breaks by setting "NSSVerifyClient require"
On 05/30/2017 06:29 PM, Fraser Tweedale wrote:
What you are missing: the client tools do not support certificate
authentication (yet).
Well yes, but it's not clear that the OP needs/wants to support the
client tools via the Internet. My impression was that they only needed
to support the web UI externally.
--
========================================================================
Ian Pilcher arequipeno(a)gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
12:37 a.m.
New subject: ipa command breaks by setting "NSSVerifyClient require"
On 2017. gada 30. maijs, at 21:16, Ian Pilcher via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
On 05/29/2017 07:15 PM, Fraser Tweedale via FreeIPA-users wrote:
> On Mon, May 29, 2017 at 06:26:31PM +0530, Ivars Strazdiņš wrote:
>> I am not saying “instead of”. We are using standard authetication provided by
FreeIPA, but I want to protect Web UI interface from unwanted attention as it is,
unfortunately, exposed to entire internet. I’d be much happier if Apache could reject (or
redirect) any client which is not presenting required certificate even before any
authentication attempt is started.
>> That is not to say that the whole server is exposed, but 443 port is.
>>
> Thanks for explaining.
Maybe I'm missing something in this thread, but couldn't the OP simply
put a reverse proxy in front of the Internet-exposed port?
That’s a clever hint that I will explore. Thanks!
Ivars
2520
days inactive
2524
days old
freeipa-users@lists.fedorahosted.org
8 comments
4 participants
participants (4)
-
Alexander Bokovoy -
Fraser Tweedale -
Ian Pilcher -
Ivars Strazdiņš