stackoom
  简体   繁体   中英

Error configuring a HTTPS forward proxy (AH02268: downstream server wanted client certificate but none are configured)

 原文  2020-06-11 17:45:27       apache/ ssl/ proxy/ openssl

Question

I think I'm doing several mistakes together, but I'm stuck and I'm going out crazy. And I guess the question has already been posed, but, even searching a lot, I could not find this exact case posted anywhere.

The task I'm working to is calling a remote HTTPS server through a proxy:

wget http://localhost/remote?wsdl

points to

https://someserver.com/service?wsdl

In a diagram:

       (http)            (https)
client ------> localhost -------> someserver.com

Using the wonderful Apache web server (really, not kidding).

The certificate exchange occurs between the proxy and the remote server and I already installed the client certificate with the private key onboard of the proxy. The customer gave me the certificates in a .p12 file.

Trying to test the wanted webservice with SoapUI and the same certificates, I got the expected behavior (everything is working fine). But now I have to call services from a middleware. For this I'm configuring a SSL Proxy with Apache.

I tried to do this in 2 ways, both unsuccessful:

1) Defining a proxy and defining the SSL parameters respectively in two files: 

/etc/apache2/conf.d/mods-available/ssl.conf
/etc/apache2/conf.d/mods-available/proxy.conf

The first file contains:

# /etc/apache2/conf.d/mods-available/ssl.conf
SSLPassPhraseDialog  exec:/usr/local/etc/apache2/pwf.sh # to avoid manuallly entering passphrase
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin

ErrorLog /var/log/ssl_error_log
TransferLog /var/log/ssl_access_log
LogLevel warn

SSLEngine off
SSLProtocol all -SSLv2

SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /usr/local/etc/apache2/ssl.crt/certificate.pem
SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key
SSLCertificateChainFile /usr/local/etc/apache2/ssl.crt/chain.pem

CustomLog /var/log/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

And the second file contains:

# /etc/apache/conf.d/mods-available/proxy.conf
SetEnv proxy-sendcl 1

SSLProxyEngine On

ProxyPass /remote https://someserver.com/service
ProxyPassReverse /remote https://someserver.com/service

I enabled these modules via:

sudo a2enmod proxy & a2enmod ssl

2) Defining a Virtual Host 

/etc/apache2/conf.d/sites-available/remote.conf

this method being mutually exclusive with the previous way:

# 
# remote.local
<VirtualHost SOMEIP:443>

    ProxyRequests on
    DocumentRoot /var/www/html/remote

    ServerName someserver.com

    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile /usr/local/etc/apache2/ssl.crt/certificate.pem
    SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key
    SSLCertificateChainFile /usr/local/etc/apache2/ssl.crt/chain.pem
    ProxyPreserveHost On

    ErrorLog ${APACHE_LOG_DIR}/error_remote.log
    CustomLog ${APACHE_LOG_DIR}/access_remote.log combined

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel info

    <Location /remote>
        ProxyPass https://someserver.com/service
        ProxyPassReverse https://someserver.com/service
        Order allow,deny
        Allow from all
    </Location>

</VirtualHost>

I enabled this with:

sudo a2ensite remote

In any of the two ways I try, I get these (identical) errors when I try to access the local URL:

[Thu Jun 11 18:39:15.724705 2020] [ssl:warn] [pid 30578] AH02268: Proxy client certificate callback: (localhost:80) downstream server wanted client certificate but none are configured
[Thu Jun 11 18:39:15.794381 2020] [proxy_http:error] [pid 30578] (20014)Internal error (specific information not available): [client ::1:49118] AH01102: error reading status line from remote server someserver.com:443
[Thu Jun 11 18:39:15.794585 2020] [proxy:error] [pid 30578] [client ::1:49118] AH00898: Error reading from remote server returned by /remote/

The chain of certificates is OK:

openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout

Shows me all the certificate issuer and subject for CA, intermediate and server certificate:

openssl verify -CAfile ca.pem -untrusted chain.pem certificate.pem 

certificate.pem: OK

Any suggestion will be appreciated, thanks in advance.

1 answers

solution1
 1 ACCPTED  2020-06-12 12:58:02

I missed to configure the certificate for the Reverse Proxy, namely the section

SSLProxyMachineCertificateFile

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How apache reverse proxy can be configured without breaking the https tunnel between client & server? Configuring WHMCS 500 Server Error In Client Area How to call the https get method on a self signed server and client certificate Configuring SSL client certificate in android app for client authentication in web server on tomcat Flask App Getting AH01630: client denied by server configuration error in Apache error accessing web htaccess AH01797: client denied by server configuration How to resolve or eliminate `AH01630: client denied by server configuration` error? AH00526:Wamp server starting error configuring reverse proxy https with multiple certificates with Apache Configuring Apache as reverse proxy to Tomcat using https
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM