[Question] Client Authentication Configuration Is Always Failing

[Spomky]

Hi,

I am trying to enable client authentication by editing docker/caddy/Caddyfile.
I have followed the examples provided on the tls documentation, but I have not been successful so far (I am not familiar with Caddy).

At first sight, I put the config as follows:

tls {
    client_auth {
        mode verify_if_given
        trusted_ca_cert_file /etc/caddy/certs/user-mgmt.crt
        trusted_ca_cert_file /etc/caddy/certs/root.crt
    }
}

But when trying to run the server, the following exception is thrown:

{"level":"info","ts":1675060797.858568,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
Error: adapting config using caddyfile: /etc/caddy/Caddyfile:7: unrecognized directive: client_auth
{"level":"info","ts":1675060822.0985522,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
Error: adapting config using caddyfile: server listening on [:80] is HTTP, but attempts to configure TLS connection policies

❓ Question: Do you have any idea on how to enable the client authentication feature?

root.crt

-----BEGIN CERTIFICATE----- MIIBzjCCAYCgAwIBAgIIB6Z9vu7ZtjowBQYDK2VwMFMxCzAJBgNVBAYTAkZSMQ8w DQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBhcmlzMRQwEgYDVQQKEwtTcG9ta3kt TGFiczENMAsGA1UEAxMEcm9vdDAeFw0yMzAxMjkxOTA4MDBaFw0zMzAxMjkxOTA4 MDBaMFMxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBh cmlzMRQwEgYDVQQKEwtTcG9ta3ktTGFiczENMAsGA1UEAxMEcm9vdDAqMAUGAytl cAMhABYT5mCluTKeumeYvsj+0jnmDVythbMoFp50CLW6FAJso3IwcDAPBgNVHRMB Af8EBTADAQH/MB0GA1UdDgQWBBQRb9CbyIhEBeSCFn7GDFtfvkNcKDALBgNVHQ8E BAMCAQYwEQYJYIZIAYb4QgEBBAQDAgAHMB4GCWCGSAGG+EIBDQQRFg94Y2EgY2Vy dGlmaWNhdGUwBQYDK2VwA0EAVrfpY6fB/gN2A9QEHsrCZEA6WYTiWs8fXVFlOXNb kNLu+54hqwsQH7Ll66nq+ZJcIhfgrKvCZQrPyC9Fd2unAw== -----END CERTIFICATE-----

user-mgmt.crt

-----BEGIN CERTIFICATE----- MIIB0zCCAYWgAwIBAgIIAU3Z0YRLc24wBQYDK2VwMFMxCzAJBgNVBAYTAkZSMQ8w DQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBhcmlzMRQwEgYDVQQKEwtTcG9ta3kt TGFiczENMAsGA1UEAxMEcm9vdDAeFw0yMzAxMjkxOTEwMDBaFw0zMzAxMjkxOTA4 MDBaMFgxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBh cmlzMRQwEgYDVQQKEwtTcG9ta3ktTGFiczESMBAGA1UEAxMJdXNlci1tZ210MCow BQYDK2VwAyEA0zBeWJi8dZEfKpTlP74UwFwFsQli6x7pwQ4rAY1Dw5GjcjBwMA8G A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFM1JomYRMfPJAbnDmLUHoOUdDboRMAsG A1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAAcwHgYJYIZIAYb4QgENBBEWD3hj YSBjZXJ0aWZpY2F0ZTAFBgMrZXADQQC4KJgdA18Fxph8Tlo+wAvYONXhMgT2TTvs XPACoh33FvduReFaYB7k1hiuVbCQFrW1PZpv3/5zdHgoApuEH+YA -----END CERTIFICATE-----

[EDIT]: by the way, when I will succeed in configuring the client authentication, I will take the opportunity to add the example for Caddy at https://symfony.com/doc/current/security.html#x-509-client-certificates

[Spomky]

In the end, I managed to get Caddy working fine.
I share the configuration here below for everyone who could be stucked on this.

{
    # Debug
    {$CADDY_DEBUG}
}

{$SERVER_NAME} {
    {$CADDY_EXTRA_CONFIG}

    tls {
        client_auth {
            mode verify_if_given
            trusted_ca_cert_file /etc/caddy/certs/ca.pem
        }
    }

    log

    route {
        root * /srv/app/public
        mercure {
            # Transport to use (default to Bolt)
            transport_url {$MERCURE_TRANSPORT_URL:bolt:///data/mercure.db}
            # Publisher JWT key
            publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
            # Subscriber JWT key
            subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
            # Allow anonymous subscribers (double-check that it's what you want)
            anonymous
            # Enable the subscription API (double-check that it's what you want)
            subscriptions
            # Extra directives
            {$MERCURE_EXTRA_DIRECTIVES}
        }
        vulcain
        php_fastcgi unix//var/run/php/php-fpm.sock {
            env SSL_CLIENT_S_FINGERPRINT {http.request.tls.client.fingerprint}
            env SSL_CLIENT_S_CERTIFICATE {http.request.tls.client.certificate_der_base64}
            env SSL_CLIENT_S_ISSUER {http.request.tls.client.issuer}
            env SSL_CLIENT_S_SERIAL {http.request.tls.client.serial}
            env SSL_CLIENT_S_DN {http.request.tls.client.subject}
        }
        encode zstd gzip
        file_server
    }
}

The main point is to pass the result of the client authentication verification to PHP-FPM via env vars.
The placeholders are the ones listed in the doc at https://caddyserver.com/docs/json/apps/http/#docs

To be noted that it does not work on Symfony < 6.2 because the email address is not part of the subject string.
With Symfony 6.3 and symfony/symfony#48200, it works as expected using common name CN instead of emailAddress