https://bz.apache.org/bugzilla/show_bug.cgi?id=63925
Bug ID: 63925
Summary: Wrong "cert does not match for name"
Product: Apache httpd-2
Version: 2.4.6
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Created attachment 36884
--> https://bz.apache.org/bugzilla/attachment.cgi?id=36884&action=edit
error log file
Setup:
Client --https(443)-- Apache on server1 --https(8443)-- Backend web-server
The attached log file is from "server1".
Vhost config on server1:
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html/wrong/"
ServerName server1.tld1
SSLCertificateFile /etc/letsencrypt/live/server1.tld1/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server1.tld1/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/server1.tld1/chain.pem
LogLevel debug
SSLProxyEngine On
ProxyPreserveHost On
ProxyPass / https://server2.tld2:8443/
ProxyPassReverse / https://server2.tld2:8443/
</VirtualHost>
</IfModule>
mod_ssl is using the http header field "Host:" to check the certificate on a
remote server. Using "ProxyPreserveHost On" in mod_proxy when also using
mod_ssl to communicate with a backend server is unfortunate because
certificates cannot be validated:
[Thu Nov 14 09:14:08.348553 2019] [ssl:debug] [pid 15010] ssl_util_ssl.c(495):
AH02412: [server1.tld1:443] Cert does not match for name 'server1.tld1'
[subject: CN=server2.tld2 / issuer: CN=Let's Encrypt Authority X3,O=Let's
Encrypt,C=US / serial: 123456789 / notbefore: Nov 2 22:22:22 2019 GMT /
notafter: Feb 2 22:22:22 2020 GMT]
This then throws the following error to the client visiting the web site:
Proxy Error
The proxy server could not handle the request GET /.
Reason: Error during SSL Handshake with remote server
I suggest that this bug be fixed by adding a configuration variable to
mod_ssl so that mod_ssl uses what's in "ProxyPass*" to check whether a cert
provided by the backend server is valid or not.
Workaround is to use another http header, i.e. "Via:", to tell the backend
server what website to show.
I have attached log file and config file from server1.
To understand the attached log file and config file, here are its parameters:
11.11.11.11 = my client
server1.tld1 = apache server (the one that this log is from); this is the
frontend server and is handling requests from the internet (the reverse proxy)
22.22.22.22 and server2.tld2 = the backend server, which has several virtual
hosts and hence needs "Host:" to be set correctly
abcdefghi = let's encrypt cert serial (no actual need to keep this hidden, but
I did it anyway)
123456789 = https certificate on my remote server (server2.tld2)
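The behaviour reported above, as an added illustration that is not part of this bug report and not httpd's code: a reverse proxy validating a backend certificate must compare the certificate's identity against some expected name. The snippet models that check with a minimal RFC 6125-style matcher (exact match or a single leftmost wildcard label, SAN dNSNames preferred over the subject CN) and shows the two candidate names from the report: the client's "Host:" value that ProxyPreserveHost forwards (server1.tld1) and the ProxyPass target (server2.tld2). The PeerCert type, the helper names and the sample certificate are constructed for the example.

```python
"""Constructed model of a proxy-side peer name check (not mod_ssl's code)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class PeerCert:
    """Identity fields of a backend certificate (constructed for the example)."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)


def _name_matches(pattern: str, name: str) -> bool:
    """RFC 6125-style comparison: case-insensitive exact match, or a wildcard
    that covers exactly one non-empty leftmost label (*.tld2 matches
    server2.tld2 but neither a.b.tld2 nor tld2)."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    head, sep, rest = name.partition(".")
    return bool(sep) and bool(head) and pattern[2:] == rest


def cert_matches_name(cert: PeerCert, expected: str) -> bool:
    """If the certificate carries SAN dNSNames, only those are consulted;
    the subject CN is a fallback for legacy certificates without a SAN."""
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(_name_matches(n, expected) for n in names)


def check_backend(cert: PeerCert, host_header: str, proxypass_target: str,
                  preserve_host: bool) -> Tuple[str, bool]:
    """Return (name_checked, ok). With preserve_host the name taken to the
    check is the forwarded client Host header, which is the frontend's own
    name in a ProxyPreserveHost setup; otherwise it is the ProxyPass target
    (the name the backend certificate was actually issued for)."""
    name_checked = host_header if preserve_host else proxypass_target
    return name_checked, cert_matches_name(cert, name_checked)


# Constructed backend certificate, modelled on the CN seen in the log line.
BACKEND_CERT = PeerCert(subject_cn="server2.tld2", san_dns=["server2.tld2"])


if __name__ == "__main__":
    for preserve in (True, False):
        name, ok = check_backend(BACKEND_CERT, "server1.tld1",
                                 "server2.tld2", preserve)
        verdict = "matches" if ok else "does not match"
        print(f"ProxyPreserveHost {'On' if preserve else 'Off'}: "
              f"cert {verdict} for name '{name}'")
```

Running the block prints a failure for the ProxyPreserveHost On case and a match for the ProxyPass target, which is the distinction the report asks mod_ssl to make configurable.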