Hi Graham; yes, it should work fine... I use this kind of config a TON at $dayjob. It's very strange httpd would say none are configured. Is it possible the directives you've listed are in a different vhost? Maybe there are some bread crumbs with trace8 logs during start up? You could also maybe try moving all of the directives to the server level and see if we may have an unexpected merge problem.
You should at least see information about loading the key pair and what the client-side chain looks like from SSLProxyMachineCertificateChainFile on trace8.

--
Daniel Ruggeri

On January 5, 2019 8:10:20 AM CST, Graham Leggett <minf...@sharp.fm> wrote:
> Hi all,
>
> I am trying to connect an httpd reverse proxy to a backend tomcat, and
> have this particular hop protected by a client certificate.
>
> The error I get is:
>
> [Sat Jan 05 14:02:54.252552 2019] [ssl:warn] [pid 16448:tid 139929388369664] AH02268: Proxy client certificate callback: (jira.example.com:443) downstream server wanted client certificate but none are configured
>
> Ok, so httpd is telling me that the tomcat has requested a client
> certificate (entirely true) but httpd is not configured with a client
> certificate.
>
> Except httpd is configured with a client certificate, as follows:
>
>     SSLProxyEngine on
>     SSLProxyMachineCertificateFile /etc/pki/httpd/client.cert
>     SSLProxyMachineCertificateChainFile /etc/pki/httpd/client.chain
>     SSLProxyCACertificateFile /etc/pki/httpd/client-ca.crt
>     SSLProxyVerify require
>     SSLProxyVerifyDepth 3
>
> Does this functionality work in httpd v2.4.35, or is it configured
> incorrectly?
>
> (As soon as I can get this working, I would like to fix our docs to be
> clear how to do this)
>
> Regards,
> Graham
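Before chasing the vhost/merge question, it is worth confirming that the three files the quoted config points at are what mod_ssl expects. The script below is an added example, not part of either message and not httpd project code: it builds a throwaway root -> intermediate -> client PKI with the openssl CLI (constructed test data, laid out under the same file names Graham used: client.cert, client.chain, client-ca.crt), then checks that the SSLProxyMachineCertificateFile carries both the certificate and its private key in one file (which is what that directive requires), that the key actually matches the certificate, and that the certificate chains to the SSLProxyCACertificateFile through the SSLProxyMachineCertificateChainFile. The function names, the `--demo` flag and the temp-dir layout are my own assumptions. It does not diagnose the AH02268 warning itself; a config-placement problem of the kind Daniel describes would pass this check and still fail in httpd.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the files an httpd reverse
# proxy uses to present a client certificate to a backend. Needs the openssl CLI.
# File names mirror the quoted config; the PKI from make_test_pki is throwaway test data.

# Build root -> intermediate -> client under $1:
#   client-ca.crt  = root CA        (SSLProxyCACertificateFile)
#   client.chain   = intermediate   (SSLProxyMachineCertificateChainFile)
#   client.cert    = client cert + private key in one file (SSLProxyMachineCertificateFile)
make_test_pki() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  # self-signed root
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/root.key" -out "$dir/root.csr" -subj "/CN=Test Root CA" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -set_serial 1 -days 1 \
    -extfile "$dir/ca.ext" -out "$dir/client-ca.crt" 2>/dev/null || return 1
  # intermediate, signed by the root
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/int.key" -out "$dir/int.csr" -subj "/CN=Test Intermediate CA" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/client-ca.crt" -CAkey "$dir/root.key" \
    -set_serial 2 -days 1 -extfile "$dir/ca.ext" -out "$dir/client.chain" 2>/dev/null || return 1
  # proxy's client certificate, signed by the intermediate
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/client.key" -out "$dir/client.csr" -subj "/CN=httpd-proxy" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/client.chain" -CAkey "$dir/int.key" \
    -set_serial 3 -days 1 -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null || return 1
  # SSLProxyMachineCertificateFile is an all-in-one file: certificate followed by its key
  cat "$dir/client.crt" "$dir/client.key" > "$dir/client.cert"
}

# check_machine_cert CERTFILE CHAINFILE CAFILE
# Returns 0 when CERTFILE holds a certificate plus a matching private key and the
# certificate verifies against CAFILE with CHAINFILE as untrusted intermediates;
# otherwise prints the first failing check and returns 1.
check_machine_cert() {
  certfile=$1 chainfile=$2 cafile=$3
  grep -q -- '-----BEGIN CERTIFICATE-----' "$certfile" ||
    { echo "FAIL: no certificate in $certfile"; return 1; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$certfile" ||
    { echo "FAIL: no private key in $certfile (cert and key must be in this one file)"; return 1; }
  # compare the SubjectPublicKeyInfo from the cert with the one derived from the key
  cert_pub=$(openssl x509 -in "$certfile" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$certfile" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: private key in $certfile does not match its certificate"; return 1; }
  # verify only the certificate block: chain file is untrusted, CA file is the anchor
  openssl x509 -in "$certfile" 2>/dev/null |
    openssl verify -CAfile "$cafile" -untrusted "$chainfile" -purpose sslclient >/dev/null 2>&1 ||
    { echo "FAIL: $certfile does not chain to $cafile via $chainfile"; return 1; }
  echo "OK: $certfile carries a matching key and chains to $cafile"
}

# Usage: sh check-proxy-cert.sh CERTFILE CHAINFILE CAFILE   (e.g. the three /etc/pki/httpd files)
#        sh check-proxy-cert.sh --demo                        (build a throwaway PKI and check it)
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d)
  make_test_pki "$demo" && check_machine_cert "$demo/client.cert" "$demo/client.chain" "$demo/client-ca.crt"
  rm -rf "$demo"
elif [ $# -eq 3 ]; then
  check_machine_cert "$1" "$2" "$3"
fi
```

Run it against the real files as root (the key file is normally unreadable otherwise). A file that contains only the certificate, or a key from a different pair, fails at the second and third checks respectively; a missing intermediate in the chain file fails at the verify step. All three are things the startup log at trace8 would also show, but this gives a yes/no answer without restarting httpd.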