3

Is it possible to force Apache to ask for a password only if the user doesn't have a client certificate installed?

I'm almost sure that this is possible, but I'm not able to find any confirmation anywhere.

Is it possible to configure Apache to act like this:

If the user has a client certificate, Apache will allow the connection to the webpage without any problem or question. If a user certificate is not available on the client side, it will ask for basic auth authentication, so it will ask for a password?

How do I configure it? I've been fighting this since morning without any solution even to just stick to.

6
  • You did read the manual and especially the SSLOptions +FakeBasicAuth section? Commented Feb 24, 2014 at 12:43
  • Sure I did ;) But I'm not sure I really understand it. Here is something I've tried: httpd.apache.org/docs/trunk/ssl/ssl_howto.html#certauthenticate But it's not working as I want. 1. It asks for a certificate. If there is no certificate, no access is granted. If I give a certificate, access is granted and Basic Auth is triggered, asking for login and password. But it's not accepting the password I created in the file with htpasswd; instead it tries to validate a user created from the certificate data. I've tried to create such a user manually, but it's not working either. So I'm stuck ;) Commented Feb 24, 2014 at 15:24
  • Once again - what I need is: if a certificate is provided - access granted. If the certificate is absent - ask for a password, and if validated - grant access. Right now, it asks for a password after certificate validation. Tried with SSLRequire optional Commented Feb 24, 2014 at 15:28
  • OK. So it works like this right now. If there is no certificate - it's OK. It asks for a password, and if typed correctly it allows access to the site. If a certificate is provided, auth should not appear - but it appears. In error.log I've got password mismatch for user: /C=Something/ST=Something/L=Something/O=Something/OU=Something/CN=backup-something.com - and CN is my server's name also. I think the Apache config is OK - but I need to prepare the passfile with htpasswd in some special way, or create the certificate in some special way. But how? ;) Commented Feb 24, 2014 at 15:39
  • OK. SOLVED! :P What was needed was to change the password in the passfile to: xxj31ZMTZzkVA which is "password" (read from the Apache manual) - works great! Commented Feb 24, 2014 at 15:49

1 Answer

1

Here is a script to get the entries for the password file from the certificates: (see also https://serverfault.com/posts/747107)

In the .fakehttpsauth you need to put entries like:

/C=US/ST=CA/O=Doe Inc/CN=John Doe/[email protected]:xxj31ZMTZzkVA 

Here is a script to create such entries from your certificates:

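    #!/bin/bash
    # export the certificates in fake auth format
    # see https://serverfault.com/questions/533639/apache-authentication-with-ssl-certificate-and-sslusername
    # WF 2016-01-06

    # crypt() hash of the literal string "password" with salt "xx";
    # fall back to the known value where openssl no longer supports -crypt
    fakepass=$(openssl passwd -crypt -salt xx password 2>/dev/null) || fakepass=xxj31ZMTZzkVA

    for c in *.crt
    do
      # print the Subject line of each certificate and turn it into
      # /field=value/field=value:hash
      openssl x509 -in "$c" -text | grep Subject: | gawk -v fakepass="$fakepass" '
        BEGIN { FS="," }
        {
          gsub("Subject: ","",$0)
          for (i=1;i<=NF;i++) {
            f=trim($i)
            # newer openssl prints "C = US"; the entry needs "C=US"
            sub(/ = /, "=", f)
            printf("/%s",f);
          }
          printf(":%s\n",fakepass);
        }
        # see https://gist.github.com/andrewrcollins/1592991
        function ltrim(s) { sub(/^[ \t\r\n]+/, "", s); return s }
        function rtrim(s) { sub(/[ \t\r\n]+$/, "", s); return s }
        function trim(s)  { return rtrim(ltrim(s)); }
      '
    done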
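A server configuration that matches the behaviour the question ends up with, as an added example that is not part of the original question or answer. The host name, all file paths, the verify depth and the realm name are assumptions; only `SSLOptions +FakeBasicAuth`, the `.fakehttpsauth` file name and the `xxj31ZMTZzkVA` hash come from the page.

```apache
# Constructed example: host name and all file paths are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # CA that issued the client certificates (assumed to sign them directly,
    # hence a verify depth of 1).
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt
    # Ask for a client certificate, but let the handshake continue without one.
    SSLVerifyClient optional
    SSLVerifyDepth  1

    <Location "/">
        # With a verified certificate, mod_ssl fakes a Basic Authorization
        # header: user = subject DN, password = the literal string "password".
        SSLOptions +FakeBasicAuth

        # Without a certificate no header is faked, so the client gets the
        # normal Basic auth prompt.
        AuthType Basic
        AuthName "Restricted"
        AuthBasicProvider file
        # One file holds both kinds of entry:
        #   /C=.../CN=...:xxj31ZMTZzkVA   (one per certificate, hash of "password")
        #   alice:<hash from htpasswd>     (password-only users)
        AuthUserFile /etc/apache2/.fakehttpsauth
        Require valid-user
    </Location>
</VirtualHost>
```

The user name in the `password mismatch for user: ...` line of error.log is the exact DN string that the password file entry has to carry.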
