mTLS in browser (chrome, firefox,...) as client doesn't work!

Traefik Traefik v2
1

I am trying to use Chrome/Firefox as client, but fails in mTLS connection. The browser doesn't show the list of certificates to do the mutual Tls with traefik

Chrome browser shows:

This site can’t provide a secure connection

infraser.nolly.internal didn’t accept your login certificate, or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT

Firefox browser:

SSL_ERROR_BAD_CERT_ALERT

**mtls Configuration is RequireAndVerifyClientCert **

tls:
  certificates:
    - certFile: "infraser.nolly.internal.crt"
      keyFile: "infraser.nolly.internal.key"
  options:
    default:
      clientAuth:
        caFiles:
          - secrets/consumer1.crt
          - secrets/consumer2.crt
        clientAuthType: RequireAndVerifyClientCert

With curl works fine:

**$** curl -i --cert $CERT --key $KEY https:/infraser.nolly.internal/_service/v0/health
HTTP/2 200 
content-type: application/json
date: Fri, 03 Jul 2020 14:51:25 GMT
server: gunicorn/19.10.0
content-length: 16

{"status":"UP"}

someone has running mtls with Traefik and a web browser?

2

Works with curl so that means the config is all good.

Have you loaded the client certificates into the browser(s)/certificateStore?

3

Yes, I've loaded the certificate in to the browser (chrome and firefox) but the web browser doesn't show the certificates to do the mTLS, I suspect is the way in which Traefik require a client certificate, instead request the certificate in two steps as another proxies, Traefik do that in one step

See the imagen, nginx in the left, traefik in the right

2020-04-15
2020-04-151671×142 52.4 KB

6

I opened a feature request for this if anyone reading this can go like and comment on it then it might help it gain traction as one of the traefik devs mentioned on the feature request.