No prompt for client certificates?

I have mTLS enabled for my domain, together with a WAF rule that blocks non-mTLS-authenticated requests, and installed a Cloudflare-issued client certificate on my machine. However, when I try to visit my site using Chrome or Firefox, the window to select a certificate to present never opens, and I just get blocked. Is there a configuration step for mTLS that I've missed?
29 Replies
IdleOP•3mo ago
Never mind...
crossbeau•7d ago
@Idle what did you end up doing?
IdleOP•7d ago
You having the same issue?
crossbeau•7d ago
Yeah. I created a client cert, added it to the cert stores, and the WAF just doesn't seem to notice my client cert. Really frustrating. Like, I would think that after adding it to the cert store and browser, it would present it on request and move through.
IdleOP•7d ago
It's a perspective/understanding problem. The underlying assumption that the WAF takes care of requesting the client certificate isn't entirely correct, because if your browser has previously visited the site without needing to present a certificate, it will just assume it will never have to present one. Long story short: clear your browser cache or use an incognito tab.
crossbeau•7d ago
Interesting.
fry69•7d ago
A while ago you could permanently lock clients out of your site with HPKP and long pinning periods, if you were then forced to change your certs. Thank goodness this madness has passed.
crossbeau•6d ago
I must be doing something wrong. I added the PFX to my cert store, cleared cache, went incognito, and am still hitting the block page.
IdleOP•6d ago
If you are not getting a prompt even in incognito, then it either means you have mTLS configured incorrectly or your browser is being weird.
crossbeau•6d ago
I just have the WAF rule in play.
crossbeau•6d ago
[image attachment, no description]
IdleOP•6d ago
Did you actually enable mTLS for that host? Having only a WAF rule is not enough.
IdleOP•6d ago
[image attachment, no description]
crossbeau•6d ago
Where in the heck is that buried? >.<
IdleOP•6d ago
SSL/TLS > Client Certificates
crossbeau•6d ago
[image attachment, no description]
crossbeau•6d ago
OMG, it coulda slapped me in the face...
IdleOP•6d ago
However, if you are simply trying to restrict access to your site, I would suggest going with Zero Trust/Access. It makes it a lot more convenient to manage and have an overview of who has access and what actions are taken on your site.
crossbeau•6d ago
Sooo, the funny thing is... this IS for ZT.
IdleOP•6d ago
Then I'd dare say you would be better off using CF ZT.
crossbeau•6d ago
We have OFAC-type rules in our WAF, and it ends up blocking our contractors trying to access our ZT Tunnel-hosted sites. My logic was: I want to do a cert check, then bypass the whole WAF, vs. babysitting a Zero Trust rule with IPs.
IdleOP•6d ago
That's not what ZT is about.
crossbeau•6d ago
I'm aware.
IdleOP•6d ago
That's... interesting.
crossbeau•6d ago
But I am saying my regional WAF rules are blocking access to ZT. Trying to find a nice, scalable way to bypass the WAF for specific users without babysitting non-static IPs, so my brain thought of a cert check on the WAF.
IdleOP•6d ago
TBH, I couldn't come up with a different way off the top of my head either. This sounds like an interesting problem.
crossbeau•6d ago
May I DM you?
IdleOP•6d ago
Sure.
crossbeau•6d ago
Friend request me 🙂