Require client certificates for https access?

Hi -

I like that there is a config option to require public-key authentication for SSH access, thus enforcing strong authentication. Thank you for that. I want to accomplish similar for the management https server by requiring client certificates (signed by my CA) in order to successfully connect to the management interface. I’ve succeeded in doing this by adding 3 lines to /etc/httpd/conf/ssl-global.conf, but I fear my changes won’t survive a core update. Is there a better way to do this? or at least a way that will likely survive a core update?


1 Like

I suspect the files in the /etc/httpd/conf/ directory are not ones likely to be modified by a Core Update but it can’t be guaranteed.

What you can do as a safety step is to add
to the
This will ensure that your changes are included in the backup done by IPFire before it runs the Core Update. Note that the leading / is removed from the definitions put into include.user

After a Core Update is run you can then either first check that everything still works as you want or you could just as standard download the backup file made by IPFire and then restore from it.


@dzenc This is a very cool approach you have thought. May I ask if you can post these three lines?

@bonnietwin Adolf, do you think a restore operation can be scripted, so that it happens automatically after a new version of IPFire is installed?

@dzenc , @bonnietwin :
I don’t think this solution is working in all cases.
What about corrections/enhancements included in a CU? They are deleted by the restore.

Therefore I think we should discuss a general modification for this. Either in the development list or as a feature request in Bugzilla, or both.

    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /var/ipfire/ca/cacert.pem

I did this globally in /etc/httpd/conf/ssl-global.conf. Client certificates need to be signed by the cert file listed above. (You should be able to increase SSLVerifyDepth if you use intermediate certificates.)

1 Like

Thanks. I can do that.

@bonnietwin Never mind, documented here.

1 Like

To follow up for anyone trying to replicate this, I tested by upgrading from 168 to 170 (without adding anything to the backup config) and noticed that it re-installed a clean ssl-global.conf after the upgrade. Instead of backing it up and restoring it, I added a patch to rc.local, and force a reboot if it applies, like so: (not the most efficient, but it seems to work)

{ patch --forward -u /etc/httpd/conf/ssl-global.conf && reboot=1; } << ‘END’

if [ $reboot -eq 1 ]; then
echo reboot=$reboot

1 Like

Thanks. I filed it in bugzilla - 12942 – Feature Request: Implement option to require client certificates for management HTTPS access


There must be a WUI implementation for managing the certs.