Error 400 Bad Request, no ssl certificate was sent

[st3v1s]

I almost have the stigmanager orchestration working properly. I followed the guidance here: https://github.com/NUWCDIVNPT/stigman-orchestration/blob/main/docker-compose.yml. I am using the IronBank repository images as well.

I am able to access Keycloak at https://fqdn/kc/ and then can get to the Keycloak Admin Console and login and see Master and Stig Manager Realm.

When I try to go to https://fqdn/stigman/, I get Error 400 Bad Request, no ssl certificate was sent.

I tried adding NODE_EXTRA_CA_CERTS to the stig manager container environment variables but that did not change anything.

Is there another environment variable I'm missing?

Also in my logs I keep seeing the attached error....

Perhaps something else is needed for nginx?

[cd-rite]

Hi @st3v1s
I don't think that's an error message ("status: 200"). The API seems to be happy, it seems like you just can't talk to it.
If you are using our orchestration for reference, it would probably be NGINX or keycloak that is looking for that cert.
NGINX needs to pass that cert along when it forwards the request to keycloak...
Check out our sample nginx.conf here:
https://github.com/NUWCDIVNPT/stigman-orchestration/blob/main/nginx/nginx.conf

[st3v1s]

cd-rite,

So I have all the certs that nginx needs and have tried identifying a certificate in the Keycloak settings with KC_HTTPS_CERTIFICATE_FILE, but still see same results. I have a CAC card inserted, and if I go to https://fqdn/kc/ I can get to the Login to Keycloak page by selecting ignore the CAC card. If I try going to https://fqdn/stigman, and choose to use the CAC I get the Stig Manager page with a spinning circle and the following error is shown: Ext.Ajax.request() failed.

Now if I go to Keycloak and select the Stigman Realm I see the CAC details in the User list. If I delete this user and go to https://fqdn/stigman I now see the STIG Manager Realm login window?? I tried creating a user but see the same error after going to the next page.

It seems like the https://fqdn/stigman/ is getting stuck going to the Stig Manager Realm login window.

If I don't use the CAC certificate, I immediately get the Error 400 no ssl certificate was sent...what am I missing?? Feel like I'm close.

[cd-rite]

Hi @st3v1s
Do you have the STIGMAN_CLIENT_OIDC_PROVIDER envar set to https://fqdn/kc/realms/stigman ? That setting needs to be from the perspective of the client browser, which sometimes trips people up. The STIGMan UI when loaded needs to redirect users browsers to Keycloak for login.
Are you using a proxy?
You'll want to be sure that Keycloak knows about it, and that the proxy is enforcing cac, and knows about and is forwarding along the certs. From our orchestration repo:
relevant keycloak settings:
- KC_PROXY=edge
- KC_SPI_X509CERT_LOOKUP_PROVIDER=nginx
- KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT=SSL-CLIENT-CERT

relevant nginx conf:
location /kc/ {
proxy_pass http://keycloak:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header ssl-client-cert $ssl_client_escaped_cert;

[st3v1s]

Hi cd-rite,

So I have those settings the the same as you mention. I just changed the STIGMAN_API_ADDRESS from my IP to the fqdn and we are successful!!

Which makes sense since I don't have SSL certificate established for the IP Address.

Thanks for your time.

[cd-rite]

Ahh, great to hear! Nice work! Hope the tool makes dealing with STIGs a bit easier for you, too!