I'm trying to add client certificate authentication to achieve "synthetic mTLS", since the current infrastructure is Internet -> IIS -> nginx -> app (Docker). The API is protected by JWT as well. I've uploaded a repro to GitHub.
Kestrel
Running Kestrel on Windows works just fine and the browser prompts for those client certificates that are installed. Selecting any that is signed by a trusted certificate grants access.
Docker
However, on Docker (without nginx), I get the PartialChain issue: unable to get local issuer certificate. I'm adding the certificate as
ADD root.crt /usr/local/share/ca-certificates/root.crt
RUN update-ca-certificates
NOTE: At my company we use an Alpine-based image and there is a warning regarding the cert. I'll deal with this next, after getting the standard image up and running. See issue.
nginx
nginx is configured for client certificates:
server {
    ...
    ssl_verify_client optional_no_ca;
    ssl_client_certificate /etc/nginx/client_certs/root.crt;
    ...
}
In this case the logs don't give me anything:
dbug: Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationHandler[9]
      AuthenticationScheme: Certificate was not authenticated.
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
      Authorization failed.
Shouldn't nginx stop access if I try to send a client certificate not issued by the one specified in nginx?
Could someone help me shed some light on how to get this to work?
Thanks
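As an added example (not from the question's repro), the nginx setting shown in the question placed beside a configuration that actually rejects untrusted client certificates at the proxy and forwards the verified certificate to Kestrel. Hostname, certificate paths and the upstream name are assumptions.

```nginx
# Added example: verify the client certificate at the nginx edge
# instead of only requesting it. Paths and names are placeholders.
server {
    listen 443 ssl;
    server_name api.example.test;                 # assumed hostname

    ssl_certificate     /etc/nginx/server.crt;    # assumed paths
    ssl_certificate_key /etc/nginx/server.key;

    # CA (or bundle) that must have issued the client certificate.
    ssl_client_certificate /etc/nginx/client_certs/root.crt;
    ssl_verify_depth 2;

    # Weak: "optional_no_ca" requests a certificate but accepts one
    # from any issuer. The chain check result is only exposed in
    # $ssl_client_verify; nginx itself does not stop the request.
    # ssl_verify_client optional_no_ca;

    # Stronger: "on" fails the TLS handshake unless the chain validates
    # against ssl_client_certificate. Use "optional" if some routes
    # (e.g. a health check) must stay reachable without a certificate.
    ssl_verify_client on;

    location / {
        # With "optional", enforce per location instead of per handshake.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # Forward the verified certificate as URL-encoded PEM; the app
        # must URL-decode it before constructing an X509Certificate2.
        proxy_set_header X-Client-Cert $ssl_client_escaped_cert;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://app:5000;               # assumed upstream
    }
}
```

Because the upstream hop from nginx to the container is plain HTTP, the application should only trust the X-Client-Cert header from the proxy's address, otherwise a caller who reaches the app directly could supply one.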