Hi Frank,

My vhost looks as below. Anything incorrect set? I do have proxy.conf file but 
nothing related to SSL set in there. I will test apachectl -S and share you the 
result.

<VirtualHost _default_:PORT>

SSLEngine on
ProxyRequests Off
RewriteEngine on
SSLProxyEngine on
SSLProxyVerify on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLVerifyCLient require
SSLVerifyDepth 10
SSLProxyVerifyDepth 10
SSLOptions +ExportCertData
SSLProxyMachineCertificateFile "/path/to/certs/Appcert.pem"
SSLProxyCACertificateFile "/path/to/certs/trustedca.pem"
SSLCertificateFile "/path/to/hostname.crt"
SSLCertificateKeyFile "/path/to/hostname.key"
SSLCertificateChainFile "/path/to/hostname.crt"
SSLCACertificateFile "/path/to/trustedca.pem"


SSLProtocol -All +TLSv1.2 +TLSv1.1

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>

BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

</VirtualHost>

Regards,
Devendra


From: Frank Gingras <thu...@apache.org>
Sent: Thursday, April 18, 2024 7:19 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic

On Thu, Apr 18, 2024 at 3: 22 AM Daiya, Devendra singh <Devendra. S. Daiya@ 
wellsfargo. com. invalid> wrote: Hi Team, Need help in setting up MTLS between 
Apache HTTP server and Weblogic server (App Server). I have gone through few 
links but



On Thu, Apr 18, 2024 at 3:22 AM Daiya, Devendra singh 
<devendra.s.da...@wellsfargo.com.invalid<mailto:devendra.s.da...@wellsfargo.com.invalid>>
 wrote:
Hi Team,

Need help in setting up MTLS between Apache HTTP server and Weblogic server 
(App Server).

I have gone through few links but those are not working. Post following 
suggested steps I was able to start Apache HTTP server but Application is not 
working. Getting below messages in the Error while accessing the application.

Could anyone please look at it and share some suggestion on how we should setup 
MTLS b/w Web and App server. Please let me know if any additional info needed.

Error message: -

"message" : "AH02645: Server name not provided via TLS extension (using 
default/first virtual host)" , "referer" : },
"message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" 
, "referer" : }
"message" : "SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?" , "referer" : }
"message" : "AH01998: Connection closed to child 138 with abortive shutdown 
(server hostname:port , "referer" : }
"message" : "AH01964: Connection to child 24 established (server 
hostname:port)" , "referer" : }
"message" : "AH02645: Server name not provided via TLS extension (using 
default/first virtual host)" , "referer" : }
"message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" 
, "referer" : }
"message" : "SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?" , "referer" : }

SSL.conf file has below directives set.


SSLEngine on

ProxyRequests Off

RewriteEngine on

SSLProxyEngine on

SSLProxyVerify on

SSLProxyCheckPeerCN off

SSLProxyCheckPeerName off

SSLProxyCheckPeerExpire off

SSLVerifyCLient require

SSLVerifyDepth 10

SSLProxyVerifyDepth 10



SSLOptions +ExportCertData



SSLProxyMachineCertificateFile "/apps/certs/Appcert.pem"

SSLProxyCACertificateFile "/apps/certs/trustedca.pem"



SSLCertificateFile "/path/to/hostname.crt"

SSLCertificateKeyFile "/path/to/hostname.key"

SSLCertificateChainFile "/path/to/hostname.crt"

SSLCACertificateFile "/path/to/trustedca.pem"


Thanks.

Regards,
Devendra

Rough guess:

 
http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost<https://urldefense.com/v3/__http:/httpd.apache.org/docs/current/mod/mod_proxy.html*proxypreservehost__;Iw!!F9svGWnIaVPGSwU!sVWv6DLdgjadPqzGD4Ud11pz4_vSBNt67dxHJCeLMZjSt_GUyGv62vgN_DRp6iHDNgIf9-q7_VVeyVaKME94UHFD$>

Otherwise, we would need to see the full vhost.

Might be worth running apachectl -S to make sure you don't have misconfigured / 
overlapping vhosts, as well.


Reply via email to