Pydio and Client Certificates


#1

Hello,

I have been using pydio for years now and find it a great tool, I have now started to step up security on my web servers. I am running Pydio 8.02 on linux/apache/mysql.

I have added the requirements for client certificates to access my web sites. This works for all my other web applications hosted on this server however Pydio login page will not show up when I enable the client cert requirement in apache for the pydio site. I get the popup in Firefox asking if I want to use the client certificate for this site, to which I click yes, then I just get a white web page. Any ideas where I should look?

Also the Pydio Windows Sync client does not seem to have a facility to accommodate Client Certificates.

Thanks for any help you can give.


#2

Hi,
so basically you enabled SSL and are using it with apache, it should be working if you enabled everything on apache and set it to use the secure port on your vh file.


#3

Hi Zayn,
SSL (TLS 1.2) has always been configured. I have now introduced Client Certificates. So only Clients with the required certificates are able to communicate with Apache over TLS.

See:
https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#allclients


#4

HI,
the issue then should be on apache side as long as you have the rights to Pydio you should be able to access, if you have your rewrite mod enabled or if you’re using a .htaccess file however when you disable the client certificates does it work back again ?


#5

Hi Zayn,

Initially I had the web server setup at the top level with the Client Cert requirement. Out of the 8 php apps only Pydio stopped working correctly.

I have now configured per directory ‘location’ options for each site individually. Still Pydio stops working or its still working but the UI in the web does not work. If I remove the client cert ‘required’ then Pydio UI works again.

Im wondering if Pydio some how talks back through Apache lwa and since it has no client cert loaded its self it fails?


#6

After messing around and trying various things its started working correctly. mmmmm. Im none the wiser. Ill put back yesterdays HTTP configuration and see what changed.


#7

Of coarse Pydio Sync client still does not work because there is nowhere of telling it to use a client certificate that I can see?


#8

Ha, ok I added the local server which fixed the issue for the Web UI.

<Location "/pydio/">
  SSLVerifyClient require
  allow from 127.0.0.1
</Location>