Task to solve
Put some files on a WebDAV directory that can be accessed over HTTPS, with a certificate and username + password.
The job needs to be automated, files will have to be copied regularly.
Path to resolution
First, I looked up the Cadaver Linux WebDAV client. While it seems to be a capable piece of software, it doesn’t appear to have the feature needed to use the certificate. So, moving on to other alternatives, I found davfs2, which has everything I need.
The server that will mount the WebDAV directory is running a rather oldish SUSE Linux Enterprise Server 9 SP4. Therefore it does not have davfs2 as a package. The only way is to compile it from source. Fortunately it’s not that difficult because davfs2 only depends on a library called neon. This guide applies to SLES10 SP4 too. The plan is now:
- Get neon and compile it
- Get davfs and compile it
- Configure davfs, mount the WebDAV directory and so on
Important note for SLES10: davfs2 needs either FUSE or CODA filesystems. SLES9 has CODA out-of-the-box. SLES10 has neither, because when SLES10 was launched, CODA was getting dusty and FUSE wasn’t written yet 🙂 Fortunately, there are packages for FUSE in this repository: http://download.opensuse.org/repositories/filesystems/SLE_10 Add it and install the package fuse and the two dependencies libfuse2 and licenses. Reboot. Verify that it’s working:
cat /proc/filesystems | grep fuse
1. Compiling neon
- get the current stable release here (neon-0.29.6.tar.gz at the time of writing this)
- become root
- extract the tar archive
tar --extract --verbose --gzip --file neon-0.29.6.tar.gz
cd neon-0.29.6
- To be able to compile you need to have the development environment, that is: gcc, make, glibc-devel, pkgconfig and dependencies that yast2 will resolve. Also install these packages: openssl-devel and zlib-devel. Use YaST2 Install and Remove Software. Then run:
- disable NTLM. That is a Windows authentication protocol. You don’t need it and if you don’t disable it, compilation will not succeed because a required library is not installed. To disable, edit config.h, search for HAVE_NTLM and change that section to this:
/* Define if NTLM is supported */
#define HAVE_NTLM 0
- run make, make install. This will compile the neon library and will install it in /usr/local/lib
make
make install
2. Compiling davfs2
- get the current stable release here (davfs2-1.4.6.tar.gz at the time of writing this)
- become root, extract the archive in the same way as with neon above
- add a system user and group davfs2
groupadd --system davfs2
useradd davfs2 --gid davfs2 --shell /bin/false --system --comment "davfs2 system user"
- run configure, make, make install. This will put files in /usr/local/sbin and /usr/local/etc
./configure
make
make install
3. Configuring davfs2
There will be a system-wide configuration file /usr/local/etc/davfs2/davfs2.conf and a user-specific one in ~/.davfs2/davfs2.conf. The mounted WebDAV directory will usually be accessed by a regular user on the system (example: silviumc). This user has to be added to the davfs2 group that was created when davfs2 was compiled. Use YaST2 Users. To configure davfs2 you only need to edit the user-specific configuration file ~/.davfs2/davfs2.conf.
Adding the certificates
Before doing this, it’s better to test that you can connect to the remote WebDAV directory using Firefox. You would have to import the private certificate and then open the https:// link in the browser. You should be able to download any files that might be there…
Put the client certificate in ~/.davfs2/certs/private/. Mine could be called, for example, silviumc.p12 (it is a binary file). If the client certificate is issued by a fictive authority, you will also need to put the root CA certificate in ~/.davfs2/certs/. If you don’t have this root CA, you can export it from Firefox, if you did the test recommended above. Click on the colored site name at the left of the location bar (it has a tooltip “Verified by SomeCA”). Then click “More information”, “View Certificate”, “Details” and export the fictive root CA. Note that it’s very important for davfs2 to have the root CA certificate and not the server certificate.
Edit the “~/.davfs2/secrets” file
Two lines are needed: one for the username/password pair, the other for the private certificate password. The secrets file has good explanations of the syntax in the comments. Example lines:
# Credential line
/home/silviumc/webdav silviumc "somepassword"
# Password for Client Certificate
silviumc.p12 "somepassword"
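The secrets file holds plaintext passwords and the .p12 holds a private key, and davfs2 expects the secrets file to be accessible by its owner only. The audit below is an added example, not part of the original post; it assumes the ~/.davfs2 layout described above and applies the same owner-only rule to certs/private and the .p12 files inside it.

```shell
#!/bin/sh
# Added example: audit permissions of a davfs2 user directory.
# Assumed layout (from this page): DIR/secrets and DIR/certs/private/*.p12

# group_other_bits PATH -> prints the six group/other permission characters,
# e.g. "------" for mode 600 or 700, "r--r--" for mode 644.
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# audit_davfs2_dir DIR -> prints one line per finding.
# Returns 0 if nothing is missing or too open, 1 otherwise.
audit_davfs2_dir() {
    dir=$1
    rc=0
    for f in "$dir/secrets" "$dir/certs/private"; do
        if [ ! -e "$f" ]; then
            echo "MISSING  $f"
            rc=1
        elif [ "$(group_other_bits "$f")" != "------" ]; then
            echo "TOO-OPEN $f (group/other: $(group_other_bits "$f"))"
            rc=1
        fi
    done
    # Client certificates in PKCS#12 format contain the private key.
    for p12 in "$dir"/certs/private/*.p12; do
        [ -e "$p12" ] || continue   # the glob matched nothing
        if [ "$(group_other_bits "$p12")" != "------" ]; then
            echo "TOO-OPEN $p12 (group/other: $(group_other_bits "$p12"))"
            rc=1
        fi
    done
    return $rc
}

# Usage: audit_davfs2_dir "$HOME/.davfs2"
# Fix findings with chmod 600 (files) and chmod 700 (certs/private).
```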
Edit the “~/.davfs2/davfs2.conf” file
Add lines for the names of the server certificate and the client certificate. The “servercert” option is a bit misleading: you have to put there the name of the root CA certificate file. This is the first important “gotcha” 🙂
servercert Fictive_rootCA.pem
clientcert silviumc.p12
Also, two more essential gotchas:
use_locks 0
if_match_bug 1
You need the first line if, while trying to write a file to the mounted WebDAV directory, you get an error “File already exists”.
You need the second line if files that you copy to the mounted WebDAV directory seem to “disappear” in a few seconds. Creating directories works, but regular files disappear. They are actually never written on the remote server.
You can also enable debugging if you need it. It was certainly useful for me, that is how I figured out those three critical things described above. I could search the web for errors appearing in debugging mode.
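Because the copy job is meant to run unattended, the "disappearing files" symptom should fail the job instead of passing silently. The helper below is an added example, not part of the original post: it refuses to copy unless the mount point is really mounted, then re-checks the file after a delay. The function names, the return codes and the 30-second default wait are assumptions, and the mount point is assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: copy a file into a davfs2 mount and confirm it is still there.
# MOUNTS_FILE can be overridden so the check can be exercised without a real mount.
MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}

# is_mounted MOUNTPOINT -> 0 if MOUNTPOINT is the second field of a mounts line.
# Without this check a failed mount makes the job write to the local disk.
is_mounted() {
    awk -v mp="${1%/}" '$2 == mp { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# put_and_verify SRC MOUNTPOINT [WAIT_SECONDS]
# Returns 0 ok, 2 not mounted, 3 copy failed, 4 file vanished or differs.
put_and_verify() {
    src=$1
    mp=${2%/}
    wait_s=${3:-30}
    dest="$mp/$(basename "$src")"

    is_mounted "$mp" || { echo "not mounted: $mp" >&2; return 2; }
    cp "$src" "$dest" || { echo "copy failed: $dest" >&2; return 3; }

    # Give davfs2 time to attempt the upload, then look again: with the
    # symptom described above the file is gone from the mount by now.
    sleep "$wait_s"
    if [ ! -f "$dest" ] || ! cmp -s "$src" "$dest"; then
        echo "vanished or changed after ${wait_s}s: $dest" >&2
        return 4
    fi
    return 0
}

# Usage: put_and_verify /path/to/file /home/silviumc/webdav || exit $?
```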
Edit the “/etc/fstab” file
You have to be root to be able to edit “/etc/fstab”. Add a line that should look something like this (replace “silviumc” with your local username):
https://webdav_server.domain.tld/webdav_directory/ /home/silviumc/webdav davfs user,noauto,uid=silviumc,gid=davfs2 0 0
You should now be able to mount the WebDAV directory, as a regular user, this way: