by Sebb767
1567 days ago
> Failure leads to weird redirects for which you can't really fall back to a login prompt because the auth happens on TLS level and a token in HTTP can't replace that.

That's not true. nginx, for example, lets you return a custom response, which can easily be a 302 to the login page. But I agree with all other points.

On a side note, there's also the great option of using a CA for your client certificates while still using a normal CA for your https certificate - you don't have the worry of installing a root certificate on all clients and still have a nice, valid https connection in the browser. Unfortunately, hardly any tutorials pointed this out and used their own CA for everything instead.
|
I think this is one of the reasons so few people consider using TLS auth. There aren't many guides out there, and many of the ones that are easily accessible use a custom CA deployment that's an absolute pain to manage (custom TLS certs on websites with a custom ACME server or manual certificate generation, and so on).
Sometimes I feel like writing my own guide, but I'm not 100% confident that I'd get everything right.
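The setup described in the thread, as an added example that is not part of anyone's comment: a public-CA server certificate, a separate private CA for client certificates, and a redirect to the login page instead of a bare TLS failure. File paths, the hostname and the `/login` location are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name app.example.com;   # assumed hostname

    # Server certificate from a public CA (e.g. ACME-issued), so browsers
    # trust the connection without any root certificate being installed.
    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;    # assumed path

    # Client certificates are verified against a completely separate,
    # private CA; only its CA bundle goes here, never the public CA.
    ssl_client_certificate /etc/nginx/client-ca.pem;   # assumed path
    ssl_verify_client      optional;  # request a cert, but let the handshake finish without one

    # A presented certificate that fails verification makes nginx answer
    # with status 495 at the HTTP layer; turn that into a redirect too.
    error_page 495 =302 /login;

    # Login page and its assets are reachable without a client certificate.
    location /login {
        # serve the login form / instructions for obtaining a client cert
        root /var/www/login;   # assumed path
    }

    # Everything else requires a client certificate that verified SUCCESSfully;
    # "NONE" (no cert sent) becomes a 302 instead of an opaque TLS error.
    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 302 /login;
        }
        # Pass the verified identity on to the application.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;   # assumed backend
    }
}
```

Because `ssl_verify_client` is a server-level directive, the `/login` location is exempted by the `if` check rather than by a per-location setting.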