How do I require client certificates with a specific username / password in Apache?
The error 500 is due to wrong SSLUserName syntax — it should be written without %{...}:
SSLUserName SSL_CLIENT_S_DN_CN
But actually if you want to require basic auth and certificate name to match, you should remove SSLUserName (so that mod_ssl would not touch REMOTE_USER) and use:
SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_USER}
Another option which might work better when used in the config file directly (not in .htaccess):
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} !=%{LA-U:REMOTE_USER}
RewriteRule ^ - [F]
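The pieces from this answer and the comments below, assembled into one complete virtual host as an added example (not the answer's or the questioner's own config). It assumes placeholder certificate paths and the /path/.htpasswd file from the question; the mod_rewrite look-ahead is used instead of SSLRequire because SSLRequire is evaluated before authentication, so REMOTE_USER is still empty there.

```apacheconf
# Added example: client certificate required, and its CN must match the
# basic-auth username. Paths below are placeholders, not real files.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /path/server.crt
    SSLCertificateKeyFile /path/server.key
    # CA that issued the client certificates (see the last comment:
    # SSLVerifyClient must be set, otherwise no client cert is requested)
    SSLCACertificateFile  /path/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Location />
        AuthName "Please enter your username and password"
        AuthType Basic
        AuthUserFile /path/.htpasswd
        Require valid-user

        # Bind certificate to account. %{LA-U:REMOTE_USER} runs a
        # look-ahead sub-request through the auth phase, so the
        # username is already known here; a mismatch is rejected
        # with 403 only after the password was accepted.
        RewriteEngine on
        RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} !=%{LA-U:REMOTE_USER}
        RewriteRule ^ - [F]
    </Location>
</VirtualHost>
```

On Apache 2.4 (not discussed in this thread) the same binding can be written without mod_rewrite as `Require expr "%{SSL_CLIENT_S_DN_CN} == %{REMOTE_USER}"` inside a `<RequireAll>` together with `Require valid-user`.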
Andrzej B.
Updated on September 18, 2022

Comments
- Andrzej B. over 1 year
I have several client certificates that my Apache httpd server requires clients to have (made using the instructions at http://www.garex.net/apache/). I would like to have an authentication that also authenticates and allows only a client certificate to match a username/password combination.
For example, if I have two client certificates with CN user1 and user2 and a .htpasswd file
user1:passwordA
user2:passwordB
I would like something like
SSLUserName %{SSL_CLIENT_S_DN_CN}
AuthName "Please enter your username and password"
AuthType Basic
AuthUserFile /path/.htpasswd
require valid-user
However, trying this results in 500 errors. What can I do?
- Admin about 9 years
Hi @cm007, did you manage to find a solution to this?
- Andrzej B. over 12 years
I have
<VirtualHost _default_:443>
<Location />
AuthName "Please enter your username and password"
AuthType Basic
AuthUserFile /path/.htpasswd
require valid-user
SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_USER}
</Location>
</VirtualHost>
but this gives a 403 error, and the authentication dialog never appears to the client. If I move the four lines about auth outside of the Location tag, then Apache says AuthName is not allowed here.
- Sergey Vlasov over 12 years
Is SSLVerifyClient require also specified? You may also try the mod_rewrite variant added to the answer.