asp.net-coressl-certificatecloudflaressl-client-authentication

Certificate validation failed: validation of client side certificate fails when the certificate is validated


I am trying to get mutual client certification to work in Azure. I am running a web app with this configuration:

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        services
            .AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
        .AddCertificate();

        services.AddCertificateForwarding(options =>
            options.CertificateHeader = "X-ARR-ClientCert");

        services.AddHttpClient();
        services.AddControllers();
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseAuthentication();
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseCertificateForwarding();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
}

In extension to this, I have added so the web app sends the client certificate through to my app. When I deploy it, it is fine. I have cloudflare in front and have enabled the Origin Pull, and I can validate that the client certificate is sent through. I can see that when I try to go to the web app directly on the azurewebsites.net domain, my browser is asking for a certificate. If I try to go through Cloudflare, it will show the webpage. I thought this was working, but when I check the logs, I get this:

2020-07-02 13:30:52.711 +00:00 [Information] Microsoft.AspNetCore.Hosting.Diagnostics: Request starting HTTP/1.1 GET https://[REMOVED]/api/ping

2020-07-02 13:30:52.718 +00:00 [Trace] Microsoft.AspNetCore.HostFiltering.HostFilteringMiddleware: All hosts are allowed.

2020-07-02 13:30:53.107 +00:00 [Warning] Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationHandler: Certificate validation failed, the subject was OU=Origin Pull, O="Cloudflare, Inc.", L=San Francisco, S=California, C=US.UntrustedRoot A certificate chain processed but terminated in a root certificate which is not trusted by the trusted provider. RevocationStatusUnknown The revocation function was unable to check revocation for the certificate.OfflineRevocation The revocation function was unable to check revocation because the revocation server was offline.

2020-07-02 13:30:53.107 +00:00 [Information] Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationHandler: Certificate was not authenticated. Failure message: Client certificate failed validation.

2020-07-02 13:30:53.110 +00:00 [Debug] Microsoft.AspNetCore.Routing.Matching.DfaMatcher: 1 candidate(s) found for the request path '/api/ping'

It looks like the client certificate isn't accepted. Should it be? I mean, it is Cloudflare. Am I doing something wrong in my setup? Should I install something extra on my side? I have looked through this guide here: https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls and it doesn't mention anything about extra installation of certificates. Should I maybe install the origin-pull-ca.pem on the web app itself?

When I compare the certificate sent to me, with the origin-pull-ca.pem, the two is not equal:

Shouldn't they be equal?

Please note: I am not an expert into certificates, SSL, etc. I am trying to learn here :)


Solution

  • Exactly same question I asked here https://community.cloudflare.com/t/manual-authenticated-origin-pulls-verification/145614. Dunno why, but A27996CBA564D24731BC76439C48920C1F7D4AA3 it's correct.

    EDIT: Update with chain

    public class CloudflareClientCertificateMiddleware
    {
        private static X509Certificate2 _cloudflareOriginPullCert;
        private readonly RequestDelegate _next;
    
        public CloudflareClientCertificateMiddleware(RequestDelegate next)
        {
            _next = next;
        }
    
        public async Task Invoke(HttpContext context)
        {
            if (_cloudflareOriginPullCert == null)
                _cloudflareOriginPullCert = Helpers.CertificateHelper.GetCertificateInSpecifiedStore("origin-pull.cloudflare.net", StoreName.Root, StoreLocation.LocalMachine);
    
            bool isCloudflareCertificate = true;
            X509Certificate2 clientCertificate = context.Connection.ClientCertificate;
    
            using (X509Chain chain = new X509Chain())
            {
                chain.ChainPolicy.ExtraStore.Add(_cloudflareOriginPullCert);
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                // https://stackoverflow.com/questions/6097671/how-to-verify-x509-cert-without-importing-root-cert (Azure)
                //chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
    
                // https://stackoverflow.com/a/7332193
                if (clientCertificate == null || chain.Build(clientCertificate) == false)
                    isCloudflareCertificate = false;
                // Make sure we have the same number of elements.
                if (isCloudflareCertificate && chain.ChainElements.Count != chain.ChainPolicy.ExtraStore.Count + 1)
                    isCloudflareCertificate = false;
    
                // Make sure all the thumbprints of the CAs match up.
                // The first one should be 'primaryCert', leading up to the root CA.
                if (isCloudflareCertificate)
                {
                    for (int i = 1; i < chain.ChainElements.Count; i++)
                    {
                        if (chain.ChainElements[i].Certificate.Thumbprint != chain.ChainPolicy.ExtraStore[i - 1].Thumbprint)
                            isCloudflareCertificate = false;
                    }
                }
            }
    
            if (isCloudflareCertificate)
                await _next.Invoke(context);
            else
                context.Response.StatusCode = StatusCodes.Status403Forbidden;
        }
    }