Hello everyone,

I'm trying to run SignServer CE behind Traefik using client certificate authentication via the SSL_CLIENT_CERT HTTP header, but SignServer does not seem to recognize the header.
Environment

- Image: keyfactor/signserver-ce:latest (7.1.1 at the moment of writing)
- TLS disabled in SignServer (TLS_SETUP_ENABLED=false)
- Client cert authentication expected via HTTP header on port 8082

I am intentionally bypassing Traefik for now and accessing port 8082 directly to rule out proxy issues.
According to the Docker image [documentation]:
Port 8082 will accept the SSL_CLIENT_CERT HTTP header.
Test request
I send a request directly to port 8082 (example via Insomnia):
> GET /signserver/adminweb/ HTTP/1.1
> Host: docker.tt.local:8082
> User-Agent: insomnia/2023.5.8
> SSL_CLIENT_CERT: MIIFHDCCAwSgAw...(this is the content of the PEM file with the first -----BEGIN CERTIFICATE----- line, the last -----END CERTIFICATE----- line, and the newlines removed),..V1whdi0F4Q==
> Accept: */*
Result
HTTP response: HTTP/1.1 500 Internal Server Error
Server log error: Client certificate authentication required
The following is the log excerpt right after the request, just in case:
2025-12-16 09:37:02,427+0000 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /signserver/adminweb/: jakarta.servlet.ServletException: Client certificate authentication required
at [email protected]//jakarta.faces.webapp.FacesServlet.executeLifecyle(FacesServlet.java:709)
at [email protected]//jakarta.faces.webapp.FacesServlet.service(FacesServlet.java:449)
at [email protected]//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at deployment.signserver.ear//org.signserver.web.common.filters.NoCacheFilter.doFilter(NoCacheFilter.java:41)
at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67)
at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at deployment.signserver.ear//org.signserver.web.common.owasp.filters.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:184)
at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67)
at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at deployment.signserver.ear//org.signserver.web.common.owasp.filters.ClickjackFilter.doFilter(ClickjackFilter.java:38)
at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67)
at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at [email protected]//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at [email protected]//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at [email protected]//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
at [email protected]//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at [email protected]//org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.lambda$handleRequest$1(ElytronRunAsHandler.java:68)
at [email protected]//org.wildfly.security.auth.server.FlexibleIdentityAssociation.runAsFunctionEx(FlexibleIdentityAssociation.java:103)
at [email protected]//org.wildfly.security.auth.server.Scoped.runAsFunctionEx(Scoped.java:161)
at [email protected]//org.wildfly.security.auth.server.Scoped.runAs(Scoped.java:73)
at [email protected]//org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.handleRequest(ElytronRunAsHandler.java:67)
at [email protected]//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
at [email protected]//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117)
at [email protected]//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at [email protected]//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at [email protected]//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at [email protected]//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:60)
at [email protected]//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at org.wildfly.security.elytron-web.undertow-server-servlet@4.1.0.Final//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:44)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:51)
at [email protected]//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:276)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:132)
at [email protected]//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at [email protected]//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1421)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1421)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1421)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1421)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1421)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:256)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:101)
at [email protected]//io.undertow.server.Connectors.executeRootHandler(Connectors.java:393)
at [email protected]//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:859)
at [email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at [email protected]//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.signserver.admin.web.ejb.NotLoggedInException: Client certificate authentication required
at deployment.signserver.ear.SignServer-Admin-web-7.1.1.war//org.signserver.admin.web.AuthenticationBean.getAdminCertificate(AuthenticationBean.java:55)
at deployment.signserver.ear.SignServer-Admin-web-7.1.1.war//org.signserver.admin.web.AuthenticationBean.getUserDisplayName(AuthenticationBean.java:63)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.base/java.lang.reflect.Method.invoke(Unknown Source)
at [email protected]//jakarta.el.BeanELResolver.getValue(BeanELResolver.java:198)
at [email protected]//com.sun.faces.el.DemuxCompositeELResolver._getValue(DemuxCompositeELResolver.java:139)
at [email protected]//com.sun.faces.el.DemuxCompositeELResolver.getValue(DemuxCompositeELResolver.java:164)
at [email protected]//org.glassfish.expressly.parser.AstValue.getValue(AstValue.java:302)
at [email protected]//org.glassfish.expressly.parser.AstValue.getValue(AstValue.java:144)
at [email protected]//org.glassfish.expressly.ValueExpressionImpl.getValue(ValueExpressionImpl.java:138)
at [email protected]//org.jboss.weld.module.web.el.WeldValueExpression.getValue(WeldValueExpression.java:50)
at [email protected]//com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:73)
at [email protected]//jakarta.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:206)
at [email protected]//jakarta.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:175)
at [email protected]//jakarta.faces.component.UIOutput.getValue(UIOutput.java:134)
at [email protected]//com.sun.faces.renderkit.html_basic.HtmlBasicInputRenderer.getValue(HtmlBasicInputRenderer.java:163)
at [email protected]//com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.getCurrentValue(HtmlBasicRenderer.java:303)
at [email protected]//com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.encodeEnd(HtmlBasicRenderer.java:135)
at [email protected]//jakarta.faces.component.UIComponentBase.encodeEnd(UIComponentBase.java:585)
at [email protected]//jakarta.faces.component.UIComponent.encodeAll(UIComponent.java:1442)
at [email protected]//jakarta.faces.component.UIComponent.encodeAll(UIComponent.java:1438)
at [email protected]//jakarta.faces.component.UIComponent.encodeAll(UIComponent.java:1438)
at [email protected]//com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:449)
at [email protected]//com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:160)
at [email protected]//jakarta.faces.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:125)
at [email protected]//com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:93)
at [email protected]//com.sun.faces.lifecycle.Phase.doPhase(Phase.java:72)
at [email protected]//com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:150)
at [email protected]//jakarta.faces.webapp.FacesServlet.executeLifecyle(FacesServlet.java:692)
... 57 more
I see no indication in the logs whether:

- the SSL_CLIENT_CERT header was read but rejected, or
- the header was not processed at all.
Questions

- What exact format is expected for SSL_CLIENT_CERT?
  - PEM vs base64-encoded DER?
  - URL-encoded or raw?
- Is additional SignServer or WildFly configuration required to enable header-based client cert authentication?

Any guidance or confirmation of the correct setup would be very helpful.

Thanks in advance.
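The post asks which of three encodings (PEM body with the armor stripped, URL-encoded PEM, base64 DER) the header should carry. The following is an added example, not code from the post or from SignServer, and it does not claim to know which encoding SignServer 7.1.1 expects; it shows how to produce each candidate from one certificate, how to decode a header back to DER regardless of which one was used, and one fact worth knowing before testing further: a PEM body with the BEGIN/END lines and newlines removed is byte-for-byte the base64 encoding of the DER certificate, so "PEM body" and "base64 DER" are the same header value. The DER sample is a constructed placeholder (a minimal SEQUENCE, not a real certificate) so the script runs offline; the docker.tt.local URL is the host from the post and is only used to build a curl line. Whatever encoding turns out to be right, keep in mind that a port which authenticates from this header trusts whoever can reach it: if 8082 is reachable from anything other than the proxy, any client can set SSL_CLIENT_CERT to an admin certificate and be treated as that admin, so lock the port down to the proxy before putting it on a network.

```python
import base64
import binascii
import re
import shlex
import urllib.parse

# Constructed stand-in for a certificate: the smallest valid DER SEQUENCE
# (SEQUENCE { INTEGER 5 }). For a real test, swap in the DER of your admin
# certificate, e.g. ssl.PEM_cert_to_DER_cert(open("admin.pem").read()).
SAMPLE_DER = bytes.fromhex("3003020105")

# Matches the PEM armor lines and any whitespace (newlines included).
ARMOR_OR_WS = re.compile(r"-----(?:BEGIN|END) CERTIFICATE-----|\s+")


def der_to_pem(der: bytes) -> str:
    """Armor DER bytes as a PEM CERTIFICATE block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"]) + "\n"


def header_variants(pem: str) -> dict:
    """The three encodings a proxy might put in a client-cert header."""
    stripped = ARMOR_OR_WS.sub("", pem)
    return {
        # BEGIN/END lines and newlines removed: this IS base64(DER), so
        # "PEM body without armor" and "base64-encoded DER" are identical.
        "stripped": stripped,
        # Whole PEM block URL-encoded so the newlines survive an HTTP header.
        "urlencoded_pem": urllib.parse.quote(pem, safe=""),
        # Stripped body URL-encoded: '+', '/' and '=' become %2B, %2F, %3D.
        "urlencoded_stripped": urllib.parse.quote(stripped, safe=""),
    }


def _der_total_length(der: bytes) -> int:
    """Length of the outer TLV, handling short and long DER length forms."""
    if len(der) < 2:
        raise ValueError("truncated DER")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def decode_client_cert_header(value: str) -> bytes:
    """
    Recover the DER certificate from a header value in any of the three
    encodings. Raises ValueError for anything that is not base64 of exactly
    one DER SEQUENCE, so garbage in the header never becomes an identity.
    """
    if "%" in value:
        value = urllib.parse.unquote(value)
    body = ARMOR_OR_WS.sub("", value)
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"header is not base64: {exc}") from exc
    if not der or der[0] != 0x30 or _der_total_length(der) != len(der):
        raise ValueError("decoded bytes are not one DER SEQUENCE")
    return der


def is_valid_client_cert_header(value: str) -> bool:
    """True if the header value decodes to a single DER SEQUENCE."""
    try:
        decode_client_cert_header(value)
        return True
    except ValueError:
        return False


def curl_command(url: str, header_value: str,
                 header_name: str = "SSL_CLIENT_CERT") -> str:
    """Shell-safe curl line to try one encoding against the target port."""
    header = shlex.quote(f"{header_name}: {header_value}")
    return f"curl -si -H {header} {shlex.quote(url)}"


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    for name, value in header_variants(pem).items():
        ok = decode_client_cert_header(value) == SAMPLE_DER
        print(f"{name:20s} round-trips={ok}")
        # Host taken from the post; adjust to your own deployment.
        print("  " + curl_command(
            "http://docker.tt.local:8082/signserver/adminweb/", value))
```

Run it once with the placeholder to see the three shapes side by side, then point `SAMPLE_DER` at the real admin certificate and fire the three printed curl lines at port 8082; the one that stops returning "Client certificate authentication required" tells you which encoding the server parses, without changing anything in SignServer or WildFly.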