
Client Side SSL: Login with an SSL certificate.

Posted: 25 May 2016, 02:21
by joshp
This will show you how to log on to TT-RSS with a client-side SSL certificate. This is a nice option that provides a secure, no-click method for signing in.

NOTE: If you don't know what client-side SSL is, check this out...

This guide assumes a secure connection to tt-rss under Apache, and so the configuration examples make these assumptions. It should be easy to set this up without server-side SSL, and in other environments. However...

To achieve server-side SSL, do one of the following:
  • Generate your own CA and sign your own certs
    • perhaps try TinyCA, a nice frontend for OpenSSL
  • Use a trusted CA such as Let's Encrypt.
    • If you do this you will still have to generate a CA of your own later (for signing client certs).

If you have any trouble setting up server-side SSL, seek answers elsewhere. The links provided should be useful enough. This is included here only to highlight the difference between server and client-side certs, and to briefly demonstrate how client-side certs fit into the equation.

With or without server-side SSL, you will have to enable mod_ssl in Apache with

sudo a2enmod ssl

If you are already running server-side SSL, or are choosing to ignore it altogether, you will still have to either create a CA cert or use a pre-existing one, and use it to sign a client key/cert for use in your client. Your CA cert will have to be uploaded to your server (it is the file Apache checks client certs against).

Once you have your client key/cert, install it into your browser.
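The CA-and-client-cert step above, written out as an added example (this is not from the original post; the CA name, client name, output paths, key sizes and validity periods are all assumed for the demo). It builds a private CA with openssl, signs a client certificate with it, bundles key and cert as a PKCS#12 file the browser can import, and checks that the client cert actually chains to the CA, which is the same check mod_ssl performs at handshake time:

```shell
#!/bin/sh
# Added example, not part of the original post. Builds a private CA, issues a
# client certificate signed by it, and packages the client key/cert as PKCS#12.
# All subjects, file names and lifetimes below are assumptions for the demo.
set -eu

# make_client_cert OUTDIR CA_CN CLIENT_CN
# Produces: OUTDIR/CA.pem     -> upload to the server (SSLCACertificateFile)
#           OUTDIR/client.p12 -> import into the browser
make_client_cert() {
    outdir=$1; ca_cn=$2; client_cn=$3
    mkdir -p "$outdir"

    # 1. Self-signed CA, valid 10 years. Keep CA.key off the web server;
    #    only CA.pem (the public cert) is needed there.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$ca_cn" \
        -keyout "$outdir/CA.key" -out "$outdir/CA.pem" 2>/dev/null

    # 2. Client key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$client_cn" \
        -keyout "$outdir/client.key" -out "$outdir/client.csr" 2>/dev/null

    # 3. Sign the CSR with the CA, marking the result as a client-auth cert
    #    (1 year; SSLVerifyDepth 10 on the server is plenty for this one-level chain).
    printf 'extendedKeyUsage = clientAuth\n' > "$outdir/client.ext"
    openssl x509 -req -days 365 -CAcreateserial \
        -CA "$outdir/CA.pem" -CAkey "$outdir/CA.key" \
        -extfile "$outdir/client.ext" \
        -in "$outdir/client.csr" -out "$outdir/client.pem" 2>/dev/null

    # 4. Bundle key + cert for browser import. Empty export password here
    #    for the demo; use a real one for a file you actually move around.
    openssl pkcs12 -export -passout pass: \
        -inkey "$outdir/client.key" -in "$outdir/client.pem" \
        -out "$outdir/client.p12"
}

# verify_client_cert OUTDIR
# Returns 0 if client.pem chains to CA.pem, i.e. Apache would accept it.
verify_client_cert() {
    openssl verify -CAfile "$1/CA.pem" "$1/client.pem" >/dev/null 2>&1
}

# client_cert_subject OUTDIR
# Prints the subject DN, which is what Apache exports as SSL_CLIENT_S_DN
# when SSLOptions +StdEnvVars is set.
client_cert_subject() {
    openssl x509 -in "$1/client.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}
```

Once the server is configured, `openssl s_client -connect your.host:443 -cert client.pem -key client.key -CAfile CA.pem` is a quick way to confirm the handshake end to end: the server should list your CA under "Acceptable client certificate CA names" and the session should complete without a verify error.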


Now that you:

  • know what a CA is
  • have a CA cert on your server
  • know the difference between client and server-side certificates
  • have a client certificate installed in your browser
  • have SSL enabled on your server
  • optionally have server certificates installed on your server

Put something like this in your virtual host config file:

<VirtualHost my.ip.address:443>

   SSLEngine on

   # needs mod_headers (sudo a2enmod headers)
   Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
   SSLProtocol all -SSLv2 -SSLv3
   SSLHonorCipherOrder on
   SSLCompression off
   ServerSignature Off
   AcceptPathInfo Off
   AddOutputFilterByType DEFLATE text/html text/plain text/xml application/pdf
   AddDefaultCharset UTF-8
   SSLOptions +StrictRequire
   SSLCertificateKeyFile /path/to/your/privkey.pem
   SSLCertificateFile /path/to/your/cert.pem
   SSLCertificateChainFile /path/to/your/chain.pem

   # the following line can be set to "require" to reject clients without a cert
   SSLVerifyClient optional
   SSLVerifyDepth 10
   # export the SSL_CLIENT_* variables and the client cert itself to the app
   SSLOptions +StdEnvVars +ExportCertData

   # the CA that signed your client certs
   SSLCACertificateFile /path/to/your/CA.pem
   DocumentRoot /var/www/ttrss/
   <Directory /var/www/ttrss/>
           Options +FollowSymLinks
           AllowOverride All
           # Apache 2.2 syntax; on 2.4 this needs mod_access_compat,
           # or replace both lines with "Require all granted"
           order allow,deny
           allow from all
   </Directory>

   ErrorLog /var/log/apache2/error-ttrss.log

   # Possible values include: debug, info, notice, warn, error, crit,
   # alert, emerg.
   LogLevel debug
</VirtualHost>

Obviously, change the file to suit your needs, restart Apache, and enable the auth_remote plugin in tt-rss. It's a system plugin and must be enabled in config.php.

Go to your tt-rss preferences and register your cert with tt-rss. Log out and reload the page. You may have to completely close and reopen your browser for everything to take effect.

At this point, when you load your tt-rss page you should be presented with an option to associate a cert with the site, and then you are taken right to the app without having to log in.


Let's eliminate that annoying popup. This works (has been tested) for Chromium users on Linux. We will be adding the AutoSelectCertificateForUrls policy to Chrome.

Just create the file /etc/chromium-browser/policies/managed/cert-autoload.json with the following contents (the whole file must be a JSON object, so the outer braces are required):

{
  "AutoSelectCertificateForUrls": [
    "{\"pattern\":\"https://EXAMPLE.DOMAIN.COM\",\"filter\":{\"ISSUER\":{\"CN\":\"YOUR_CA\"}}}",
    "{\"pattern\":\"https://DOMAIN.COM\",\"filter\":{\"ISSUER\":{\"CN\":\"YOUR_CA\"}}}"
  ]
}

replacing the obvious EXAMPLE.DOMAIN.COM and YOUR_CA with your own values (YOUR_CA is the CN of the CA that signed your client cert). The example above shows how to incorporate more than one rule into the policy. The link provided should make it fairly easy to figure out how to change this up for Chrome rather than Chromium, and for Mac/Windows, etc.


Using this, there is never a need to log in or authenticate against tt-rss in any way from the machine that has this cert loaded and the policy set, for as long as your cert is valid.