Hawkbit auth not working with client certificate
Hi everyone, I installed Hawkbit on an Amazon EC2 instance from source. The database is configured with MariaDB and it works fine. The Hawkbit instance runs on localhost on port 8080 without SSL encryption, behind an nginx reverse proxy that uses HTTPS. The main goal is to update the devices using swupdate (rel. 2019.11), and it works fine with targettoken and gatewaytoken, but not with client certificate authentication. Here are the config files:
NGINX REVERSE PROXY CONFIG FILE stored in /etc/nginx/conf.d/hawkbit.conf
```nginx
server {
    listen 80;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    client_max_body_size 300M;
    listen 443 ssl;
    ssl_certificate /opt/hawkbit/cacerts/sslcert.crt;
    ssl_certificate_key /opt/hawkbit/cacerts/sslcert.key;
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }
    server_name hawkbit.example.it;
    # client certificate
    ssl_client_certificate /etc/nginx/client_certs/caroot.cer;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
        proxy_ssl_certificate /etc/nginx/client_certs/chain.cer;
        proxy_ssl_certificate_key /etc/nginx/client_certs/client.key;
        proxy_set_header Host $http_host;
        proxy_pass http://localhost:8081/;
    }
}
```
HAWKBIT SERVICE in /etc/systemd/system/hawkbit.service
```ini
[Unit]
Description=Hawkbit
After=syslog.target
After=network.target

[Service]
Type=simple
User=admin
ExecStart=/usr/bin/java -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses -jar /opt/hawkbit/hawkbit-runtime/hawkbit-update-server/target/hawkbit-update-server-0.3.0-SNAPSHOT.jar -v
Restart=always
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=hawkbit

[Install]
WantedBy=multi-user.target
```
And the process started as expected:
```text
admin 1251 0.1 6.8 4577092 552492 ? Ssl Apr30 9:00 /usr/bin/java -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses -jar /opt/hawkbit-8080/hawkbit/hawkbit-runtime/hawkbit-update-server/target/hawkbit-update-server-0.3.0-SNAPSHOT.jar -v
```
I am sure the certificates are correct, and I tried them using the openssl options below:
```shell
$ openssl x509 -noout -modulus -in client.cer | openssl md5
(stdin)= d41d8cd98f00b204e9800998ecf8427e
$ openssl rsa -noout -modulus -in client.key | openssl md5
(stdin)= d41d8cd98f00b204e9800998ecf8427e
$ openssl req -noout -modulus -in client.csr | openssl md5
(stdin)= d41d8cd98f00b204e9800998ecf8427e
```
WAY FOR CREATION OF CHAIN CERTIFICATE:
```shell
cat client.cer caroot.cer > chain.cer
```
SWUPDATE SURICATTA SECTION
```text
suricatta :
{
    tenant = "default";
    id = "GN77500_SN100";
    confirm = 0;
    url = "https://hawkbit.example.it";
    polldelay = 20;
    nocheckcert = true;
    retry = 4;
    retrywait = 200;
    enable = true;
    cafile = "/etc/swupdate/CertificateIssuer.crt";
    sslkey = "/etc/swupdate/client.key";
    sslcert = "/etc/swupdate/chain.cer";
    loglevel = 10;
};
```
The common name in the client certificate is the same as the id set in the suricatta section and in the following curl command, as stated below:

put fingerprint into hawkbit configuration

CURL COMMAND OUTPUT
```text
curl -i -k --cert ./chain.cer --key ./client.key https://hawkbit.example.it/default/controller/v1/GN77500_SN100
HTTP/1.1 401 Unauthorized
Server: nginx/1.14.2
Date: Mon, 04 May 2020 09:35:15 GMT
Transfer-Encoding: chunked
Connection: keep-alive
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
```
Many thanks in advance to anyone who helps me to solve the above issue!
Max
Hi,
I dealt with the same issue, but there are workarounds: you could disable authentication completely in Hawkbit and let Nginx handle the security completely (probably better):
https://github.com/eclipse/hawkbit/issues/723
hawkbit.server.ddi.security.authentication.anonymous.enabled=true
Of course you should set up the firewall so that the Hawkbit port (8081 in your case) is accessible only from localhost!
Moreover, I would not recommend using any security features in Hawkbit! It's based on old Java 8 which has tons of vulnerabilities...
@papipano it's hard to tell what's going wrong here without having any logs. Maybe you have a more detailed look at the validation here.
@papipano any news here? I am also struggling with the same issue atm.
Hi, I am just reaching out because I figured it out and @papipano problem looks like mine and I want to prevent this https://xkcd.com/979/ 😊
I found the following essential information https://gitter.im/eclipse/hawkbit?at=5a72f4cc4a6b0dd32b75fbcd and I adjusted my Nginx configuration to proxy_set_header the two headers like this:
```nginx
proxy_set_header X-Ssl-Client-Cn $ssl_client_s_dn_cn;
proxy_set_header X-Ssl-Issuer-Hash-1 Hawkbit;
```
Important is that the X-Ssl-Client-Cn must also be the ID of the target within our Hawkbit instance; that means, create a new Target called Target05. Then the request which is forwarded to Hawkbit needs to have this value of Target05 in it.
I solved it with the map module in Nginx to extract the CN out of the cert.
You also need to put the SSL-Issuer-Hash in your Hawkbit Settings and need to send this value to make it work.
Cheers!
Hi all, sorry for my late response but I was busy with other tasks and I didn't work on hawkbit for a long time.
Above all, thanks to @midnightrun for posting his solution.
> I am just reaching out because I figured it out and @papipano problem looks like mine and I want to prevent this https://xkcd.com/979/ 😊
> I found the following essential information https://gitter.im/eclipse/hawkbit?at=5a72f4cc4a6b0dd32b75fbcd and I adjusted my
> Nginx configuration to proxy_set_header the two headers like this:

I read that information too, and I tried to implement the solution @midnightrun posted.
> proxy_set_header X-Ssl-Client-Cn $ssl_client_s_dn_cn;
> proxy_set_header X-Ssl-Issuer-Hash-1 Hawkbit;
I put the 2 variables and the map in the hawkbit.conf (as in the file below)
```nginx
# named capture restored: the original post lost the "<CN>" group name that $CN refers to
map $ssl_client_s_dn $ssl_client_s_dn_cn {
    default "";
    ~,CN=(?<CN>[^,]+) $CN;
}

server {
    listen 80;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    client_max_body_size 300M;
    listen 443 ssl;
    ssl_certificate /opt/hawkbit/cacerts/sslcert.crt;
    ssl_certificate_key /opt/hawkbit/cacerts/sslcert.key;
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }
    server_name hawkbit.example.it;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
        proxy_set_header X-Ssl-Client-Cn $ssl_client_s_dn_cn;
        proxy_set_header X-Ssl-Issuer-Hash-1 Hawkbit;
        proxy_ssl_verify on;
        proxy_pass http://localhost:8081/;
    }
}
```
>
> Important is that the `X-Ssl-Client-Cn` must also be the ID of the target within our Hawkbit instance; that means, create a new Target called `Target05`. Then the request which is forwarded to Hawkbit needs to have this value of `Target05` in it.
>
The client certificate CN is GN77500_SN100, and the curl command:
curl -i --cert ./chain.cer --key ./client.key https://hawkbit.example.it/default/controller/v1/GN77500_SN100
>
> I solved it with the map module in Nginx to extract the CN out of the cert.
>
But even if I change the hawkbit.conf file as described above, I still have the same error: 401 Unauthorized, and I'm still stuck here!
>
> You also need to put the `SSL-Issuer-Hash` in your Hawkbit Settings and need to send this value to make it work.
>
So all the rest is quite clear, but I don't understand what it means... Where do I have to change the Hawkbit settings? In application.properties? Or where else?
Please help me to find a solution.
Many thanks in advance.
Max
> but I don't understand what it means... Where do I have to change the Hawkbit settings?

I think the chat is referring to the expected hash you have to provide within the system config UI, so hawkBit is able to prove that the given issuer hash is the one you expect.
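As an added illustration (not code from the thread, from nginx or from hawkBit), the Python below models what the `map` block above extracts from `$ssl_client_s_dn` and the CN / issuer-hash check that @midnightrun's two headers feed; it also shows a tolerant variant of the map regex for the case where CN is the first RDN. The sample DNs, the `Hawkbit` issuer-hash value taken from the thread's configuration and the simplified decision logic are assumptions for this example.

```python
import re

# Constructed sample subjects. nginx 1.11.6 and later (so also the nginx/1.14.2
# in the thread) fills $ssl_client_s_dn in RFC 2253 form, most specific RDN
# first; $ssl_client_s_dn_legacy keeps the older "/C=IT/O=.../CN=..." form.
# nginx fills these variables only after it requested and verified a client
# certificate (ssl_verify_client on|optional); ssl_client_certificate alone
# does not request one, so the forwarded CN header would be empty.
DN_CN_FIRST = "CN=GN77500_SN100,O=Example,C=IT"
DN_CN_LATER = "OU=devices,CN=GN77500_SN100,O=Example,C=IT"

# Regex from the map block in the thread: needs a comma right before "CN=".
MAP_REGEX_THREAD = r",CN=(?<CN>[^,]+)"
# Tolerant variant that also matches when CN is the first RDN.
MAP_REGEX_TOLERANT = r"(^|,)CN=(?<CN>[^,]+)"

def nginx_map_cn(dn: str, pcre_regex: str) -> str:
    """Emulate `map $ssl_client_s_dn $ssl_client_s_dn_cn { default ""; ~<re> $CN; }`;
    PCRE named groups (?<CN>...) are rewritten to Python's (?P<CN>...)."""
    m = re.search(pcre_regex.replace("(?<", "(?P<"), dn)
    return m.group("CN") if m else ""

def ddi_preauth(path: str, headers: dict, expected_issuer_hash: str) -> tuple:
    """Simplified model (not hawkBit's own code) of the header-based DDI
    pre-authentication the thread describes: the controller id in the URL must
    equal the forwarded CN, and the forwarded issuer hash must equal the value
    configured in hawkBit's system settings. Returns (status, reason)."""
    m = re.fullmatch(r"/(?P<tenant>[^/]+)/controller/v1/(?P<cid>[^/]+)(/.*)?", path)
    if not m:
        return 401, "not a DDI controller path"
    cn = headers.get("X-Ssl-Client-Cn", "")
    if not cn:
        return 401, "empty X-Ssl-Client-Cn: map regex missed or no client cert"
    if cn != m.group("cid"):
        return 401, f"CN {cn!r} does not match controller id {m.group('cid')!r}"
    if headers.get("X-Ssl-Issuer-Hash-1", "") != expected_issuer_hash:
        return 401, "X-Ssl-Issuer-Hash-1 differs from the configured value"
    return 200, f"tenant {m.group('tenant')}: target {cn} authenticated"

def simulate(dn: str, map_regex: str, path: str, issuer_header: str = "Hawkbit"):
    """Headers nginx would forward for `dn`, then the upstream decision."""
    headers = {"X-Ssl-Client-Cn": nginx_map_cn(dn, map_regex),
               "X-Ssl-Issuer-Hash-1": issuer_header}
    return ddi_preauth(path, headers, expected_issuer_hash="Hawkbit")

if __name__ == "__main__":
    path = "/default/controller/v1/GN77500_SN100"
    for dn in (DN_CN_FIRST, DN_CN_LATER):
        for regex in (MAP_REGEX_THREAD, MAP_REGEX_TOLERANT):
            print(dn, "|", regex, "->", simulate(dn, regex, path))
```

Running it shows the thread's regex yielding an empty CN (and therefore a 401) for a subject whose CN is the first RDN, while the tolerant regex authenticates the same certificate.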
> Hi,
> I dealt with the same issue, but there are workarounds: you could disable authentication completely in Hawkbit and let Nginx handle the security completely (probably better):
> #723
> `hawkbit.server.ddi.security.authentication.anonymous.enabled=true`
> Of course you should set up the firewall so that the Hawkbit port (8081 in your case) is accessible only from localhost!
> Moreover, I would not recommend using any security features in Hawkbit! It's based on old Java 8 which has tons of vulnerabilities...
I can't read the link because it says "Could not find any vulnerabilities matching the requested criteria". Would you please tell me what vulnerability it is so that I can investigate if it is currently resolved?