Added helpful pki config errors if dedected, updated apache examples

2025-05-18 02:09:39 +02:00 · 2015-05-11 12:30:25 +03:00 · 2015-05-11 12:30:25 +03:00 · 6787832bde
commit 6787832bde
parent 36373d12e3
5 changed files with 18 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,7 @@

 * Registrar: only dev can skip pki login certificate, 
  please be sure all application.yml and apache conf is correctly setup for pki
+* Updated Registrar Apache example: added user name directive example config

 24.04.2015

--- a/README.md
+++ b/README.md
@ -179,6 +179,12 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
  <Location ~ "/(registrar|assets)\/.+">
    Allow from all
  </Location>
+
+  RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
+  <Location /registrar/sessions>
+    SSLVerifyClient require
+    RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
+  </Location>
 </VirtualHost>
 ```

--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@ -16,6 +16,14 @@ class Registrar::SessionsController < ::SessionsController
      )
    )

+    if @depp_user.pki && request.env['HTTP_SSL_CLIENT_S_DN_CN'].blank?
+      @depp_user.errors.add(:base, :webserver_missing_user_name_directive)
+    end
+
+    if @depp_user.pki && request.env['HTTP_SSL_CLIENT_S_DN_CN'] == '(null)'
+      @depp_user.errors.add(:base, :webserver_user_name_directive_should_be_required)
+    end
+
    if @depp_user.pki && request.env['HTTP_SSL_CLIENT_S_DN_CN'] != params[:depp_user][:tag]
      @depp_user.errors.add(:base, :invalid_cert)
    end
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -529,6 +529,8 @@ en:
              authorization_error: 'Authorization error'
              invalid_cert: 'Invalid certificate'
              not_active: 'User is not active'
+              webserver_missing_user_name_directive: 'Webserver configuration error: Apache or nginx is missing user name directive.'
+              webserver_user_name_directive_should_be_required: 'Webserver configuration error: Apache or nginx should require name directive.'
            tag:
              blank: "Username can't be blank"
            password:
--- a/doc/certificates.md
+++ b/doc/certificates.md
@ -151,7 +151,7 @@ Add these lines:

    RequestHeader set SSL_CLIENT_S_DN_CN ""

-    <Location /sessions/pki>
+    <Location /sessions>
      SSLVerifyClient require
      RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
    </Location>