Nginx client certificate multiple CAs

[arichtman]

Important notices
Before you add a new report, we ask you kindly to acknowledge the following:

• I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
• I have searched the existing issues, open and closed, and I'm convinced that mine is new.
• When the request is meant for an existing plugin, I've added its name to the title.

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

I would like to allow multiple different administrators/organizations to be able to provision access to web applications.
Client certificates are in use, and nginx supports multiple client certificate CAs.

Describe the solution you'd like
A clear and concise description of what you want to happen.
(e.g. I would like an input field in the /ui/firewall/alias which would add .... to ....)

The GUI certificate selection box is now a multi-picker with checkboxes.
Selected certificates are concatenated into the nginx client CA file.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Adding per-administrative domains and pointing them all at the same backend.

Additional context
Add any other context or screenshots about the feature request here.

nginx configuration reference

[arichtman]

It looks like the GUI can be adjusted in mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml, and the config template is at service/templates/OPNsense/Nginx/{streams,http}.conf. I'm not sure where the logic to create a concatenated CA file would live or how to it would receive the selected certificate authorities from the GUI.

[kulikov-a]

Hi
can yout test with
opnsense-patch -c plugins -a kulikov-a d9e689ec5138411481fb67770418222c6ecfd359
please?
I don't have much time for deep testing, sorry - please check for one CA and for multi-CA choice (so nothing breaks on current setups)

[arichtman]

Thanks so much! The patch command was applied and it looks to be working. I tested creating a self-signed authority in the GUI with a matching client certificate and adding it to a HTTP server in Nginx config. I also checked an existing server without the authority added and it did not allow the new client certificate.

So - all good!

PS: thanks for the patch command, made this much easier

[OPNsense-bot]

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository,
please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue,
just let us know, so we can reopen the issue and assign an owner to it.