Error accessing the Admin GUI using TLS_SETUP_ENABLED=later behind proxy

[ekrekeler]

This is a new deployment. Following the instructions and using the latest keyfactor/ejbca-ce docker image, I get an error accessing the Admin GUI behind a proxy.

I have traefik2 as a reverse proxy which is acting as an HTTP proxy and decrypting HTTPS requests towards my domain. I have configured it to proxy the requests to pki.domainname towards the HTTPS endpoint on the ejbca container (TCP 8443). The reason I am configuring it this way is I already have oauth configured on traefik and I would like to keep using this to authenticate users to ejbca. Traefik does not support sending client certificates to services on decrypted connections, nor do I care to implement authentication with client certificate unless I have to. To that end, I have the environment variable TLS_SETUP_ENABLED set to later as stated in the container documentation.

I managed to get the reverse proxy working and I can hit the Admin GUI page, but I am presented with an error on the page.

Expected Behavior:
Requests to the Admin GUI through traefik proxy should be allowed and no further authentication needed.

Actual Behavior:
The following message is presented in the browser for the requests to Admin GUI:

Authorization Denied
No client certificate was presented
If you did not get prompted to select a client certificate, please check that you have the correct certificate.

Subsequently, I see this in the ejbca container's logs, each time the browser makes a new connection through the proxy for the request to the Admin GUI:

2023-07-05 00:23:44,365+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Enabling HTTPS listener on 0.0.0.0:8443 with optional client certificate authentication.
2023-07-05 00:23:51,744+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Enabling HTTP listener on 0.0.0.0:8080.
2023-07-05 00:23:55,412+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Enabling HSTS
[ ## skipping irrelevant logs ## ]
2023-07-05 00:24:24,897+0000 ERROR [org.ejbca.ui.web.admin.configuration.EjbcaJSFHelperImpl] (default task-2) Failed to initialize EjbcaWebBean: org.cesecore.authentication.AuthenticationNotProvidedException: Client certificate or OAuth bearer token required.

Let me know if the full stacktrace is needed, it's pretty lengthy.

Here is the docker compose file I am using:

version: "3.7"
services:

# PrimeKey EJBCA - Enterprise Grade PKI management system
  ejbca:
    container_name: ejbca
    image: keyfactor/ejbca-ce
    restart: unless-stopped
    hostname: $DOMAINNAME
#    domainname: pki.$DOMAINNAME
    networks:
      - proxy_net
      - db_net
    security_opt:
      - no-new-privileges:true
#    ports:
#      - 8080:8080
#      - 8443:8443
#      - 8009:8009
    volumes:
      - $DATADIR/ejbca:/mnt/persistent
    environment:
      - TLS_SETUP_ENABLED=later
      - DATABASE_JDBC_URL=jdbc:mariadb://mariadb:3306/$EJBCA_DB?characterEncoding=UTF-8
      - DATABASE_USER=$EJBCA_DB_USER
      - DATABASE_PASSWORD=$EJBCA_DB_PASS
      - EJBCA_CLI_DEFAULT_USERNAME=$EJBCA_USER
#      - EJBCA_CLI_DEFAULT_PASSWORD=$EJBCA_PASS
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.docker.network=proxy_net"
      ## HTTP Routers
      - "traefik.http.routers.ejbca.entrypoints=https"
      - "traefik.http.routers.ejbca.rule=HostHeader(`pki.$DOMAINNAME`)"
      - "traefik.http.routers.ejbca.tls=true"
      ## Middlewares
#      - "traefik.http.routers.ejbca.middlewares=chain-no-auth@file" # No Authentication
      - "traefik.http.routers.ejbca.middlewares=$AUTH_MIDDLEWARE"
      ## HTTP Services
      - "traefik.http.routers.ejbca.service=ejbca"
      - "traefik.http.services.ejbca.loadbalancer.server.port=8443"
      - "traefik.http.services.ejbca.loadbalancer.server.scheme=https"
      - "traefik.http.services.ejbca.loadbalancer.serverstransport=insecure@file"


networks:
  proxy_net:
    external: true
  db_net:
    external: true

I've set this up and torn it down multiple times, even reinitializing the database and persistent directory with no luck. I've also tried setting TLS_SETUP_ENABLED to simple and false with the same result and error seen in the logs.

For this to work, I suspect I may need to override the configuration for the web.reqcert property as stated in the documentation here, however this is very unintuitive for users of the docker image (me) and even the documentation for the container image states:

Changing these directly might affect container startup behavior which is leveraging the same mechanism and might break when you update the container. Make sure you know what you do before you override these.

If this is the case, why mention the TLS_SETUP_ENABLED option but leave out instructions to get it working? Sorry for the rant and I could really use some help here.

[primetomas]

This should have been a discussion. TLS_SETUP options have more verbose documentation since a little while back. Writing what simple, true, and later does. Let us know if that helps.

[primetomas]

Sorry for the late reply, it was in the middle of vacation period and fell off in the noise.

[Root41D1]

Authorization Denied
No client certificate was presented
If you did not get prompted to select a client certificate, please check that you have the correct certificate.How about the environment

i've same issue on selecting alogrithm RSA2048 but still didn't work properly.

can u give a direction to the TLS_SETUP config on local machine/linux?

[primetomas]

If you are not using the container, that this issue is about. Please open another discussion.

[ekrekeler]

@primetomas, Thanks for the update.

I made this an issue because I think this is more unexpected behavior by ejbca in the container images than a misunderstanding of the documentation.

Referencing the container documentation again, it clearly states that setting TLS_SETUP_ENABLED to later "allows anyone access over TLS to begin using EJBCA" and setting to false "will grant full access to anyone that is able to connect". I have tried setting to both of these options on a fresh deployment behind a reverse proxy serving a TLS endpoint. However I am getting the behavior described above and cannot access the Admin UI.

Note: After rereading the most recent documentation for the container image, I added the environment variable PROXY_HTTP_BIND=0.0.0.0 and am proxying to port 8081 on the ejbca container, with the same result.

[ekrekeler]

I got around to testing this today. I spun up an httpd frontend instance as described in the example. I had TLS_SETUP_ENABLED set to later. Here are my findings browsing to the admin GUI:

• http://ejbcatest:8080/ejbca/adminweb/ : Connecting through httpd frontend, plain HTTP, result: HTTP 302 redirect to HTTPS
• https://ejbcatest:8443/ejbca/adminweb/ : Connecting through httpd frontend, HTTPS no client certificate, result: able to browse admin GUI and add/edit configuration as expected
• http://ejbcatest:8081/ejbca/adminweb/ : Connecting directly to ejbca container on port 8081, plain HTTP, result: able to browse admin GUI, however seems to be limited to read-only operations; clicking to add or edit anything results in HTTP 200/OK, "Session has timed out". No errors seen in ejbca container log.
• https://pki.domainname/ejbca/adminweb/ : Connecting to traefik2 terminating HTTPS and proxying to ejbca on port 8081, result: HTTP 200/OK "Authorization Denied No client certificate was presented"

I understand httpd redirecting plain HTTP to HTTPS, but for the other scenarios I expect ejbca to let me configure things in the admin GUI. Let me know if I should test anything else.

[primetomas]

"Connecting through httpd frontend, HTTPS no client certificate, result: able to browse admin GUI and add/edit configuration as expected". Isn't this the wanted/expected result?
This is the result that I would expect.

[ekrekeler]

I've since moved on to other PKI software as a solution. For closure on this discussion, I was trying to get the last scenario described with traefik proxying to port 8081 working. If I deploy apache webserver container alongside ejbca, then yes I can point traefik to port 8443 of the apache container and it will work as intended. My reason for opening the issue/discussion was that it feels redundant to run an apache server just to proxy requests to ejbca when I already have a reverse proxy provided by traefik.

[primetomas]

I never really understood the question, hence my question on Oct 16, 2023(?). I think an AJP proxy is what would be expected.
https://community.traefik.io/t/trying-to-understand-how-to-create-ingress-for-ajp-connection-to-tomcat/17905

[primetomas]

PS: Since then there are full fledged helm charts available. https://github.com/Keyfactor/ejbca-community-helm

[jpplink]

There is documentation about setting with nginx proxy manager or caddy for example? Cant find

[primetomas]

Here's some tutorials about using the Helm chart, which includes this.
https://docs.keyfactor.com/ejbca/latest/tutorial-deploy-ejbca-using-a-helm-chart
https://docs.keyfactor.com/ejbca/latest/high-availability-multi-region-deployment-of-ejbca
https://docs.keyfactor.com/ejbca/latest/tutorial-clean-up-microk8s-cluster-and-redeploy
https://docs.keyfactor.com/ejbca/latest/ejbca-helm-chart-building-blocks
https://docs.keyfactor.com/ejbca/latest/tutorial-deploy-istio-and-cert-manager-with-helm

[rafall92]

I also have a lot of problem with set up ejbca behind reverse proxy, but i found solution. This is my settings. Maybe it will be helpfull for someone in future

ejbc docker compose:

networks:
  access-bridge:
    driver: bridge
  application-bridge:
    driver: bridge
  proxy-net:
    external: true

services:
  ejbca-database:
    container_name: ejbca-database
    image: "library/mariadb:latest"
    networks:
      - application-bridge
      - proxy-net
    environment:
      - MYSQL_ROOT_PASSWORD=foo123
      - MYSQL_DATABASE=ejbca
      - MYSQL_USER=ejbca
      - MYSQL_PASSWORD=ejbca
    volumes:
      - ./datadbdir:/var/lib/mysql:rw
  ejbca-node1:
    hostname: 10.50.97.146
    container_name: ejbca
    image: keyfactor/ejbca-ce:latest
    depends_on:
      - ejbca-database
    networks:
      - access-bridge
      - application-bridge
	  - proxy-net
    environment:
      - DATABASE_JDBC_URL=jdbc:mariadb://ejbca-database:3306/ejbca?characterEncoding=UTF-8
      - LOG_LEVEL_APP=INFO
      - LOG_LEVEL_SERVER=INFO
      - TLS_SETUP_ENABLED=later
      - PROXY_HTTP_BIND=0.0.0.0
    ports:
      - "8080:8080"
      - "8443:8443"

reverse-poxy docker-compose

services:

  proxy:
    image: nginx:alpine
    container_name: reverse-proxy
    restart: unless-stopped
    volumes:
      - "./proxy-conf:/etc/nginx/conf.d"
      - "./ssl:/etc/nginx/ssl"
    networks:
      - proxy-net
    ports:
      - 443:443
      - 80:80

networks:
  proxy-net:
    external: true

reverse-proxy - default.conf

server {
    listen 80;
    #server_name mydomain_or_myip;
    ssl_verify_client optional_no_ca;
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    #server_name mydomain_or_myip;
    ssl_certificate     /etc/nginx/ssl/chain.cer;
    ssl_certificate_key /etc/nginx/ssl/ssl-certificate.key;
    #ssl_client_certificate /etc/nginx/ManagementCA.crt;
    ssl_verify_client optional_no_ca;
    location / {
        proxy_pass                              http://ejbca:8082/;
        proxy_set_header Host                   $http_host;
        proxy_set_header X-Real-IP              $remote_addr;
        proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto      $scheme;
        proxy_set_header SSL_CLIENT_CERT        $ssl_client_cert;
    }
}