Client side certificate authentication

How can I implement client-side certificate authentication in the web interface?

I’m trying to implement client-side certificates for authentication. I’m running a Fedora 39 FreeIPA 4.11.1 for identity management, GitLab 16.9 and my /etc/gitlab/gitlab.rb file looks like this:

nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"
nginx['ssl_verify_client'] = "on"
nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"

the /etc/gitlab/ssl/ca.crt is the CA for my FreeIPA.

My user certificates look like this:

root@idm1:~/testuser# openssl x509 -in testuser.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 23 (0x17)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = EXAMPLE.ORG, CN = Certificate Authority
        Validity
            Not Before: Mar  9 07:53:42 2024 GMT
            Not After : Mar 10 06:53:42 2026 GMT
        Subject: O = EXAMPLE.ORG, CN = testuser
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c5:ec:6f:67:7d:bf:24:7f:52:f1:a3:81:e7:e9:
                    ...
                    59:97
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                2B:...:3B
            Authority Information Access:
                OCSP - URI:http://ipa-ca.example.org/ca/ocsp
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ipa-ca.example.org/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName:O = ipaca, CN = Certificate Authority
            X509v3 Subject Key Identifier:
                A5:...:B5
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        8a:e5:e1:11:88:e3:65:d6:49:e1:ed:4a:38:36:d2:eb:df:71:
        ...
        d8:04:fd:fb:ec:ea
-----BEGIN CERTIFICATE-----
MIIEhjCCAu6gAwIBAgIBFzANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtDWkFD
...
3WDl49gE/fvs6g==
-----END CERTIFICATE-----

I have client certificates able to log into cockpit (Fedora systems), so I know it’s not FreeIPA or the certificates that were issued. I know I’m using the right ssl_client_certificate cert; according to the documentation, it should be the CA … right? If I turn off the client-certificate features, I am able to log in using my LDAP credentials without issue.

Any ideas? Anyone able to get client side certs working especially with FreeIPA?

Thanks for the help!

Steps to reproduce


Enable 2-way SSL client authentication


Versions

  • GitLab 16.9
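Added example, not from the original post and not GitLab's or FreeIPA's own tooling: a shell script that builds a throwaway CA and client certificate (constructed stand-ins for the FreeIPA CA and testuser.crt; the temp-dir file names and the second "other" CA are assumptions) and then applies the two checks that the nginx['ssl_verify_client'] = "on" / nginx['ssl_client_certificate'] pair above implies. The presented certificate must chain to the file named in ssl_client_certificate, and it should carry the TLS Web Client Authentication extended key usage that the posted certificate has. The unrelated CA shows what the failure looks like when ca.crt is not the CA that actually issued the user certificate.

```shell
#!/bin/sh
# Added example (not part of the original post). Checks whether a client
# certificate would pass an nginx ssl_verify_client on / ssl_client_certificate
# setup. All key material below is constructed on the fly for demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal, self-contained openssl config so the run does not depend on the
# distribution's default openssl.cnf (assumed layout, constructed here).
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# --- constructed test material ------------------------------------------
# Toy CA standing in for the FreeIPA CA (subject mirrors the post's issuer DN).
openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -days 2 -sha256 \
    -subj "/O=EXAMPLE.ORG/CN=Certificate Authority" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Client certificate signed by that CA, with the same EKU set as the post's cert.
openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=EXAMPLE.ORG/CN=testuser" \
    -keyout "$WORK/testuser.key" -out "$WORK/testuser.csr" 2>/dev/null
openssl x509 -req -in "$WORK/testuser.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial 23 -days 1 -sha256 -extfile "$WORK/req.cnf" -extensions client_ext \
    -out "$WORK/testuser.crt" 2>/dev/null

# An unrelated CA: what a wrong ssl_client_certificate file behaves like.
openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -days 2 -sha256 \
    -subj "/O=OTHER.ORG/CN=Some Other CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

# --- the checks ----------------------------------------------------------

# chains_to_ca CA_FILE CERT_FILE: succeeds if CERT_FILE validates against
# CA_FILE, which is the condition nginx enforces with ssl_verify_client on.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_client_auth_eku CERT_FILE: succeeds if the certificate carries the
# TLS Web Client Authentication extended key usage.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text | grep -q "TLS Web Client Authentication"
}

# issuer_of CERT_FILE: prints the issuer DN, for comparison with the subject
# of the CA file configured in ssl_client_certificate.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# client_cert_ok CA_FILE CERT_FILE: runs both checks and prints the verdict.
client_cert_ok() {
    if ! chains_to_ca "$1" "$2"; then
        echo "REJECT: $2 does not chain to $1 ($(issuer_of "$2"))"
        return 1
    fi
    if ! has_client_auth_eku "$2"; then
        echo "REJECT: $2 has no TLS Web Client Authentication EKU"
        return 1
    fi
    echo "ok: $(openssl x509 -in "$2" -noout -subject)"
}

# Right CA file: accepted. Wrong CA file: rejected with the reason.
client_cert_ok "$WORK/ca.crt" "$WORK/testuser.crt"
client_cert_ok "$WORK/other.crt" "$WORK/testuser.crt" || true
```

To run the same checks against the real files, substitute /etc/gitlab/ssl/ca.crt and the user's certificate for the constructed ones. The verify step passes only if the file in ssl_client_certificate contains the certificate(s) that actually issued the user certificate; a bundle holding a different CA, or only a root while the user certificates come from a subordinate CA, fails in exactly the way the second call shows. Two further points worth keeping in mind: ssl_verify_client on makes nginx reject any handshake whose certificate does not chain to ssl_client_certificate, but nginx does not by itself turn a validated certificate into a logged-in application user, so the application side still has to consume the certificate identity; and `openssl s_client -connect host:443 -cert testuser.crt -key testuser.key` against the instance shows directly whether the TLS handshake itself is being refused.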
