1

I've setup client certificate validation in apache and it's working just fine. However I'd like to disable the client certificate validation on specific page.

Here's the config I use so far :

# Verify client certificates
SSLCACertificateFile /etc/my-webserver/ssl/CA.pem
SSLVerifyClient require
SSLVerifyDepth  1

<Location "/public">
    SSLVerifyClient none
</Location>

The problem is that when trying to access /public I still get prompted for a certificate.

The official documentation gives an example on how to do the opposite (i.e. Only enable certificate validation on a specific page).

I was unable to find anything to anwer my problem.

NaviR
  • 50
  • 10

1 Answers1

1

As this is the top hit when searching for this exact problem and it's rather frustrating to see that there's no answer, I'm gonna comment on a 3 year old thread to spare others that same frustration.

Here's my solution for this problem. You just exclude the location the moment you set SSLVerifyClient to require and surround it with if statements to exclude your endpoint.

    <If "%{REQUEST_URI} == '/public'">
            SSLVerifyClient none
    </If>
    <Else>
            SSLVerifyClient require
    </Else>
    SSLVerifyDepth  5

Here's a little more information about this: https://httpd.apache.org/docs/2.4/expr.html Maybe you need --strmatch to work with wildcards

Xzenor
  • 121
  • 4
  • Thanks for taking the time to reply even after 3 years – NaviR Aug 31 '22 at 10:20
  • @NaviR yeah, it's probably not much help to you anymore but for all those other people that end up here from Google (like I did) it might still be useful. – Xzenor Sep 02 '22 at 08:04