• Hello

    I secured access to the login page of one of my sites with a client certificate using this apache2 configuration:

      <Location /wp-login.php>
        SSLOptions +StdEnvVars
        SSLVerifyClient require
      </Location>

    I can access the login page and login using the client certificate. Great!

    But, when I check the website status page (site-health.php), I get this critical warning:

    Deine Website konnte eine Loopback-Anfrage nicht abschließen

    Fehler: cURL error 56: NSS: client certificate not found (nickname not specified) (http_request_failed)

    I tried to figure out what is going on using the Firefox developer tools, but I do not see where the failed request comes from. I suspect it is internal only. In the webserver logs I see three requests which come in through the internal (IPv6) IP address of the server. Maybe this causes the cURL error:
    
    [01/Jan/2021:15:59:35 +0100] "GET /wp-json/wp/v2/types/post?context=edit HTTP/1.1" 200 871 "https://www.sternwarten.ch/wp-json/wp/v2/types/post?context=edit" "WordPress/5.6; https://www.sternwarten.ch"
    [01/Jan/2021:15:59:38 +0100] "GET /wp-admin/ HTTP/1.1" 302 - "https://www.sternwarten.ch/wp-admin/" "WordPress/5.6; https://www.sternwarten.ch"
    [01/Jan/2021:15:59:38 +0100] "GET /wp-login.php?redirect_to=https%3A%2F%2Fwww.sternwarten.ch%2Fwp-admin%2F&reauth=1 HTTP/1.1" 403 214 "https://www.sternwarten.ch/wp-login.php?redirect_to=https%3A%2F%2Fwww.sternwarten.ch%2Fwp-admin%2F&reauth=1" "WordPress/5.6; https://www.sternwarten.ch"

    The last one apparently gets 403 because it does not provide the client certificate. This makes sense, but how can I configure apache2 to not request a client certificate when the originator is the webserver itself? Or is this a bug in WordPress?

    Best,
    Peter

    • This topic was modified 3 years, 3 months ago by Jan Dembowski. Reason: Formatting

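    An added example (not from this thread or from WordPress) that applies the same diagnosis to log lines programmatically: it parses entries in the IP-less layout quoted above, singles out requests WordPress makes to itself (the `WordPress/<version>; <site URL>` user agent) and reports those rejected with 403 on the certificate-protected path. The sample lines and the domain www.example.com are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, same layout as the excerpt above (no client IP field).
# The last line is an ordinary browser hitting wp-login.php without a certificate.
SAMPLE_LOG = """\
[01/Jan/2021:15:59:35 +0100] "GET /wp-json/wp/v2/types/post?context=edit HTTP/1.1" 200 871 "https://www.example.com/wp-json/wp/v2/types/post?context=edit" "WordPress/5.6; https://www.example.com"
[01/Jan/2021:15:59:38 +0100] "GET /wp-admin/ HTTP/1.1" 302 - "https://www.example.com/wp-admin/" "WordPress/5.6; https://www.example.com"
[01/Jan/2021:15:59:38 +0100] "GET /wp-login.php?redirect_to=https%3A%2F%2Fwww.example.com%2Fwp-admin%2F&reauth=1 HTTP/1.1" 403 214 "https://www.example.com/wp-login.php?redirect_to=https%3A%2F%2Fwww.example.com%2Fwp-admin%2F&reauth=1" "WordPress/5.6; https://www.example.com"
[01/Jan/2021:16:02:10 +0100] "GET /wp-login.php HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/84.0"
"""

# [timestamp] "METHOD path PROTO" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User agent WordPress sends on loopback / self requests.
WP_UA_RE = re.compile(r'^WordPress/(?P<ver>\S+); (?P<site>https?://\S+)$')


@dataclass
class LoopbackFailure:
    timestamp: str
    path: str
    status: int
    site: str  # site URL the WordPress instance reported about itself


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def self_requests(log_text: str):
    """Yield (record, site) for every request WordPress made to itself."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ua = WP_UA_RE.match(rec["ua"])
        if ua:  # browsers and other clients are skipped
            yield rec, ua.group("site")


def loopback_status_counts(log_text: str) -> Dict[int, int]:
    """HTTP status histogram of WordPress self requests (a 403 here is the symptom)."""
    counts: Dict[int, int] = {}
    for rec, _ in self_requests(log_text):
        counts[int(rec["status"])] = counts.get(int(rec["status"]), 0) + 1
    return counts


def failed_loopbacks(log_text: str, protected_prefix: str = "/wp-login.php") -> List[LoopbackFailure]:
    """Self requests rejected with 403 on the client-cert-protected path."""
    return [
        LoopbackFailure(rec["ts"], rec["path"], int(rec["status"]), site)
        for rec, site in self_requests(log_text)
        if int(rec["status"]) == 403 and rec["path"].startswith(protected_prefix)
    ]
```

    Run `failed_loopbacks(SAMPLE_LOG)` on the constructed sample: the Firefox 403 is ignored, and only the WordPress self request to wp-login.php is reported.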

  • Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    Well, you have the correct reason for the failure: the client certificate is not presented by the health check, so the request fails. There’s likely no easy fix, and you can just ignore the health check error here.

    However, by setting up a secondary requirement to access the wp-login, you will break its functionality for any client lacking that certificate. The wp-login.php is used for more than just logging in and accessing wp-admin. It can be used by normal viewers too. The per-post-password functionality works through wp-login. So, make sure you never try and use that.

    Also, the plugin and theme editors won’t work anymore, because they do loopback checks after making changes, to ensure that the changes didn’t break the site. So, those loopback checks will fail, causing the editors to revert any changes you make. You can disable these code editors though, without any real consequence other than them just not being available.

    I don’t think such a block on wp-login will break calls to /wp-admin/admin-ajax.php as those can be unauthenticated for some cases where they’re used. If the call needs authentication, then you’d still need to go through wp-login for it, but in such a case you’d be using the client to do that and so wouldn’t have much trouble there.

  • The topic ‘Client Certificate 2-factor auth problem with loopback in site-health.php’ is closed to new replies.