Hello,
I'm using mod_wsgi in a dockerized Django application. Based on the environment I work in, I am requiring a client certificate to authenticate to the web server.
I use the 'python manage.py runmodwsgi --setup-only' command with some variables. HTTP works just fine, but I have to manually tweak the HTTPS directives for the site to work properly. Hopefully someone can point me in the right direction.
The script I use to generate the httpd.conf file is as follows:
python3 manage.py runmodwsgi --setup-only \
--port=8000 \
--reload-on-changes \
--user apache \
--group apache \
--https-port=8443 \
--ssl-certificate-file=/etc/pki/tls/certs/localhost.crt \
--ssl-certificate-key-file=/etc/pki/tls/private/localhost.key \
--ssl-ca-certificate-file=/etc/pki/tls/certs/ca-bundle.crt
As mentioned, this works just fine for HTTP. But I get a 'Forbidden' when I use SSL, with a post-handshake error:
[Thu May 13 21:17:47.362027 2021] [ssl:error] [pid 42909:tid 139855358154496] [client 172.18.0.1:55846] AH10158: cannot perform post-handshake authentication
This is curious, as I don't have client auth configured yet from the script. However, when I look at the generated httpd.conf file, at the end I see this:
<IfDefine MOD_WSGI_VERIFY_CLIENT>
<Location '/'>
SSLVerifyClient require
SSLVerifyDepth 10
</Location>
</IfDefine>
If I comment these lines out, it works without issue to the virtual server on port 8443. I don't understand why those lines are at the end of the file. However, just removing these will not work, as I *do* need to require client cert auth.
Inside the client verify part of the '<VirtualHost *:8443>' configuration is this:
<IfDefine MOD_WSGI_VERIFY_CLIENT>
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLVerifyClient none
</IfDefine>
If I change that to the following:
<IfDefine MOD_WSGI_VERIFY_CLIENT>
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLVerifyClient require
</IfDefine>
Then everything works as I need. Messing around with the --ssl-verify-client parameter in the runmodwsgi command did not help, but it's possible I wasn't specifying it right. I also need that 'SSLVerifyDepth' set properly due to the type of client certificates that are being used.
Thank you for any assistance you can provide. Sorry if the answer is in the docs... I did not see it.
thanks,
Matt
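The behaviour behind the AH10158 error above is Apache mod_ssl's, not mod_wsgi's: an SSLVerifyClient placed in a per-directory context (<Location>, <Directory>, <Files> and their *Match variants) cannot be enforced during the initial TLS handshake, because Apache does not yet know which URL is being requested. mod_ssl then has to renegotiate (TLS 1.2 and earlier) or use post-handshake authentication (TLS 1.3), and most TLS 1.3 clients do not enable PHA, so the request fails with a 403. Moving the directive to the <VirtualHost> level requests the certificate in the first handshake, which is why the edit in the post works. The following audit script is an added example, not code from the post or from the mod_wsgi project: it scans an httpd.conf for SSLVerifyClient directives whose scope forces renegotiation or PHA, and runs against two constructed config fragments modelled on the ones quoted above (the generated one and the hoisted one). The function names and the simplification that one connection-level value applies to the whole file are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Sections whose directives are applied per request, i.e. after the TLS
# handshake. An SSLVerifyClient inside them can only be enforced by
# renegotiation (TLS <= 1.2) or post-handshake authentication (TLS 1.3).
PER_DIR_SECTIONS = {"location", "locationmatch", "directory",
                    "directorymatch", "files", "filesmatch"}
# Conditional containers that wrap directives without changing their scope.
TRANSPARENT_SECTIONS = {"ifdefine", "ifmodule", "ifversion"}

OPEN_RE = re.compile(r"^<(\w+)\b([^>]*)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")
DIRECTIVE_RE = re.compile(r"^(\S+)\s+(.*)$")


@dataclass
class Finding:
    line_no: int
    value: str      # lower-cased SSLVerifyClient argument
    context: str    # e.g. "VirtualHost *:8443" or "Location '/'"


def scan_verify_client(config_text):
    """Return (per_dir, connection_level): SSLVerifyClient findings split by
    whether their enclosing section is applied per request or per connection."""
    stack, per_dir, conn_level = [], [], []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append((m.group(1), m.group(2).strip()))
            continue
        m = CLOSE_RE.match(line)
        if m:
            if stack and stack[-1][0].lower() == m.group(1).lower():
                stack.pop()
            continue
        m = DIRECTIVE_RE.match(line)
        if not m or m.group(1).lower() != "sslverifyclient":
            continue
        scope = [s for s in stack if s[0].lower() not in TRANSPARENT_SECTIONS]
        context = " > ".join(f"{n} {a}".strip() for n, a in scope) or "server config"
        finding = Finding(line_no, m.group(2).strip().lower(), context)
        if any(s[0].lower() in PER_DIR_SECTIONS for s in scope):
            per_dir.append(finding)
        else:
            conn_level.append(finding)
    return per_dir, conn_level


def needs_post_handshake_auth(config_text):
    """Per-directory SSLVerifyClient settings that differ from what the initial
    handshake already enforced; each one forces renegotiation or PHA.
    Assumption of this example: the last connection-level value is the one in
    force for the whole file (a single TLS virtual host)."""
    per_dir, conn_level = scan_verify_client(config_text)
    in_force = conn_level[-1].value if conn_level else "none"
    return [f for f in per_dir if f.value != "none" and f.value != in_force]


# Constructed sample: the shape of the generated httpd.conf, reduced to the
# client-verification parts (vhost says none, trailing <Location> says require).
GENERATED_CONF = """
<VirtualHost *:8443>
<IfDefine MOD_WSGI_VERIFY_CLIENT>
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLVerifyClient none
</IfDefine>
</VirtualHost>

<IfDefine MOD_WSGI_VERIFY_CLIENT>
<Location '/'>
SSLVerifyClient require
SSLVerifyDepth 10
</Location>
</IfDefine>
"""

# Constructed sample: the requirement hoisted into the <VirtualHost>, so the
# certificate is requested during the initial handshake.
HOISTED_CONF = """
<VirtualHost *:8443>
<IfDefine MOD_WSGI_VERIFY_CLIENT>
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLVerifyClient require
SSLVerifyDepth 10
</IfDefine>
</VirtualHost>
"""

if __name__ == "__main__":
    for name, conf in (("generated", GENERATED_CONF), ("hoisted", HOISTED_CONF)):
        hits = needs_post_handshake_auth(conf)
        print(f"{name}: {'OK' if not hits else 'client cert requested after handshake'}")
        for f in hits:
            print(f"  line {f.line_no}: SSLVerifyClient {f.value} in {f.context}"
                  " -> needs renegotiation/PHA; hoist it into the <VirtualHost>")
```

Point the script at a real generated httpd.conf (read the file into `needs_post_handshake_auth`) to confirm whether any <Location> block still changes the verification level after the handshake; an empty result means the certificate is negotiated up front and TLS 1.3 clients without PHA support will no longer hit AH10158.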