Description
This is a new deployment. Following the instructions and using the latest keyfactor/ejbca-ce docker image, I get an error accessing the Admin GUI behind a proxy.
I have traefik2 as a reverse proxy which is acting as an HTTP proxy and decrypting HTTPS requests towards my domain. I have configured it to proxy the requests to pki.domainname towards the HTTPS endpoint on the ejbca container (TCP 8443). The reason I am configuring it this way is I already have oauth configured on traefik and I would like to keep using this to authenticate users to ejbca. Traefik does not support sending client certificates to services on decrypted connections, nor do I care to implement authentication with client certificate unless I have to. To that end, I have the environment variable TLS_SETUP_ENABLED set to later as stated in the container documentation.
I managed to get the reverse proxy working and I can hit the Admin GUI page, but I am presented with an error on the page.
Expected Behavior:
Requests to the Admin GUI through traefik proxy should be allowed and no further authentication needed.
Actual Behavior:
The following message is presented in the browser for the requests to Admin GUI:
```
Authorization Denied
No client certificate was presented
If you did not get prompted to select a client certificate, please check that you have the correct certificate.
```
Subsequently, I see this in the ejbca container's logs, each time the browser makes a new connection through the proxy for the request to the Admin GUI:
```
2023-07-05 00:23:44,365+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Enabling HTTPS listener on 0.0.0.0:8443 with optional client certificate authentication.
2023-07-05 00:23:51,744+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Enabling HTTP listener on 0.0.0.0:8080.
2023-07-05 00:23:55,412+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Enabling HSTS
[ ## skipping irrelevant logs ## ]
2023-07-05 00:24:24,897+0000 ERROR [org.ejbca.ui.web.admin.configuration.EjbcaJSFHelperImpl] (default task-2) Failed to initialize EjbcaWebBean: org.cesecore.authentication.AuthenticationNotProvidedException: Client certificate or OAuth bearer token required.
```
Let me know if the full stacktrace is needed, it's pretty lengthy.
Here is the docker compose file I am using:
```yaml
version: "3.7"
services:
  # PrimeKey EJBCA - Enterprise Grade PKI management system
  ejbca:
    container_name: ejbca
    image: keyfactor/ejbca-ce
    restart: unless-stopped
    hostname: $DOMAINNAME
    # domainname: pki.$DOMAINNAME
    networks:
      - proxy_net
      - db_net
    security_opt:
      - no-new-privileges:true
    # ports:
    #   - 8080:8080
    #   - 8443:8443
    #   - 8009:8009
    volumes:
      - $DATADIR/ejbca:/mnt/persistent
    environment:
      - TLS_SETUP_ENABLED=later
      - DATABASE_JDBC_URL=jdbc:mariadb://mariadb:3306/$EJBCA_DB?characterEncoding=UTF-8
      - DATABASE_USER=$EJBCA_DB_USER
      - DATABASE_PASSWORD=$EJBCA_DB_PASS
      - EJBCA_CLI_DEFAULT_USERNAME=$EJBCA_USER
      # - EJBCA_CLI_DEFAULT_PASSWORD=$EJBCA_PASS
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.docker.network=proxy_net"
      ## HTTP Routers
      - "traefik.http.routers.ejbca.entrypoints=https"
      - "traefik.http.routers.ejbca.rule=HostHeader(`pki.$DOMAINNAME`)"
      - "traefik.http.routers.ejbca.tls=true"
      ## Middlewares
      # - "traefik.http.routers.ejbca.middlewares=chain-no-auth@file" # No Authentication
      - "traefik.http.routers.ejbca.middlewares=$AUTH_MIDDLEWARE"
      ## HTTP Services
      - "traefik.http.routers.ejbca.service=ejbca"
      - "traefik.http.services.ejbca.loadbalancer.server.port=8443"
      - "traefik.http.services.ejbca.loadbalancer.server.scheme=https"
      - "traefik.http.services.ejbca.loadbalancer.serverstransport=insecure@file"
networks:
  proxy_net:
    external: true
  db_net:
    external: true
```
I've set this up and torn it down multiple times, even reinitializing the database and persistent directory, with no luck. I've also tried setting `TLS_SETUP_ENABLED` to `simple` and `false`, with the same result and the same error in the logs.
For this to work, I suspect I may need to override the configuration for the web.reqcert property as stated in the documentation here, however this is very unintuitive for users of the docker image (me) and even the documentation for the container image states:
> Changing these directly might affect container startup behavior which is leveraging the same mechanism and might break when you update the container. Make sure you know what you do before you override these.
If this is the case, why mention the TLS_SETUP_ENABLED option but leave out instructions to get it working? Sorry for the rant and I could really use some help here.
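As an added triage aid (not part of the issue above or of the EJBCA project), the following script parses the container's log format shown in the report and counts how many admin GUI requests arrived at EJBCA without a client certificate or bearer token. The sample log is constructed from the lines quoted above plus one extra repeated error line so that counting per request thread is visible.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the startup and error lines quoted in the issue, plus
# one extra error line (constructed) to show counting across request threads.
SAMPLE_LOG = """\
2023-07-05 00:23:44,365+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Enabling HTTPS listener on 0.0.0.0:8443 with optional client certificate authentication.
2023-07-05 00:23:51,744+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Enabling HTTP listener on 0.0.0.0:8080.
2023-07-05 00:23:55,412+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Enabling HSTS
2023-07-05 00:24:24,897+0000 ERROR [org.ejbca.ui.web.admin.configuration.EjbcaJSFHelperImpl] (default task-2) Failed to initialize EjbcaWebBean: org.cesecore.authentication.AuthenticationNotProvidedException: Client certificate or OAuth bearer token required.
2023-07-05 00:24:31,102+0000 ERROR [org.ejbca.ui.web.admin.configuration.EjbcaJSFHelperImpl] (default task-3) Failed to initialize EjbcaWebBean: org.cesecore.authentication.AuthenticationNotProvidedException: Client certificate or OAuth bearer token required.
"""

# "<timestamp> <LEVEL> [<logger>] (<thread>) <message>" as emitted by the container.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{4}) "
    r"(?P<level>[A-Z]+) +\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)

@dataclass
class LogEvent:
    ts: str
    level: str
    logger: str
    thread: str
    msg: str

def parse_log(text: str) -> List[LogEvent]:
    """Parse well-formed log lines; skip anything that does not match (e.g. '[ ## skipping ... ## ]')."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(LogEvent(**m.groupdict()))
    return events

def listener_has_optional_client_cert(events: List[LogEvent]) -> bool:
    """True if the HTTPS listener was started with optional (not required) client cert auth."""
    return any("optional client certificate authentication" in e.msg for e in events)

def credential_missing_events(events: List[LogEvent]) -> List[LogEvent]:
    """Requests EJBCA rejected because neither a client certificate nor a bearer token arrived."""
    return [e for e in events if "AuthenticationNotProvidedException" in e.msg]

def summarize(text: str) -> Dict[str, object]:
    events = parse_log(text)
    missing = credential_missing_events(events)
    return {
        "listener_optional_client_cert": listener_has_optional_client_cert(events),
        "credential_missing_count": len(missing),
        "threads": sorted({e.thread for e in missing}),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-zero `credential_missing_count` while `listener_optional_client_cert` is true confirms that the proxy's re-encrypted connection is reaching 8443 with no client certificate and no bearer token, which is exactly the condition the error message on the page describes.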