Re: [users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic
On Mon, Apr 22, 2024 at 3:51 PM Daiya, Devendra singh wrote:
>
> SSLVerifyClient require
> SSLVerifyDepth 10

These directives apply to the client/browser connection, so you are effectively enabling mTLS on the client side too, hence the error messages ("AH02008: SSL library error 1 in handshake (server hostname:port)" and "SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate") if the client isn't providing a certificate.

You should probably remove them if you only want mTLS with the backend server.

Regards;
Yann.
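To make Yann's distinction mechanical, here is an added example (not code from the thread or from the httpd project): a small Python lint that separates the two mod_ssl directive families, the SSLVerify* directives that govern the browser-to-httpd connection and the SSLProxy* directives that govern the httpd-to-backend connection, and runs it over the vhost quoted in the thread and over a corrected backend-only-mTLS version. The directive names and values are real mod_ssl ones; both sample vhosts are constructed here and the file paths are placeholders. It also flags the SSLProxyCheckPeer* off settings and the TLSv1.1 entry in the quoted config, which a defender reviewing this vhost would want to see.

```python
"""Lint an Apache mod_ssl vhost for the frontend/backend mTLS mix-up discussed in
the thread. Added example, not code from the thread or the httpd project.
SSLVerify* directives govern browser -> httpd; SSLProxy* govern httpd -> backend."""
import re

PEER_CHECK_MEANING = {
    "SSLProxyCheckPeerCN": "Common Name",
    "SSLProxyCheckPeerName": "hostname (SAN/CN)",
    "SSLProxyCheckPeerExpire": "validity period",
}

# Constructed sample: the vhost quoted in the thread (file paths are placeholders).
VHOST_BEFORE = """
SSLEngine on
SSLProxyEngine on
SSLProxyVerify on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLVerifyClient require
SSLVerifyDepth 10
SSLProxyMachineCertificateFile "/path/to/certs/Appcert.pem"
SSLProxyCACertificateFile "/path/to/certs/trustedca.pem"
SSLCertificateFile "/path/to/hostname.crt"
SSLCertificateKeyFile "/path/to/hostname.key"
SSLCACertificateFile "/path/to/trustedca.pem"
SSLProtocol -All +TLSv1.2 +TLSv1.1
BrowserMatch "MSIE [2-5]" \\
    nokeepalive ssl-unclean-shutdown \\
    downgrade-1.0 force-response-1.0
"""

# Constructed sample: the same vhost with mTLS only on the backend hop.
VHOST_AFTER = """
SSLEngine on
SSLProxyEngine on
SSLProxyVerify require
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on
# concatenated client cert + unencrypted key presented to the backend
SSLProxyMachineCertificateFile "/path/to/certs/Appcert.pem"
# CA that issued the backend's server certificate
SSLProxyCACertificateFile "/path/to/certs/trustedca.pem"
SSLCertificateFile "/path/to/hostname.crt"
SSLCertificateKeyFile "/path/to/hostname.key"
SSLProtocol -All +TLSv1.2
"""


def parse_directives(text):
    """Return (lowercased_name, args) pairs; joins backslash continuations and
    skips comments, blank lines and <Container> tags (names are case-insensitive)."""
    joined = re.sub(r"\\\s*\n", " ", text)
    directives = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        directives.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return directives


def lint_mtls(config_text):
    """Return a list of findings for one vhost body; an empty list means clean."""
    by_name = {}
    for name, args in parse_directives(config_text):
        by_name.setdefault(name, []).append(args)

    def last(name, default=""):
        return by_name.get(name, [default])[-1].lower()  # last occurrence wins

    findings = []
    # Heuristic: a machine certificate for the proxy means backend mTLS is intended.
    backend_mtls = last("sslproxyengine") == "on" and "sslproxymachinecertificatefile" in by_name
    client_verify = last("sslverifyclient", "none")
    # mod_ssl accepts "on" as an alias of "require" for the *Verify directives.
    if backend_mtls and client_verify in ("require", "on", "optional", "optional_no_ca"):
        findings.append(
            "SSLVerifyClient %s is a frontend directive: httpd demands a certificate "
            "from every browser (AH02008 / peer did not return a certificate); drop it "
            "and SSLVerifyDepth if only the backend hop should use mTLS." % client_verify)
    for name, meaning in PEER_CHECK_MEANING.items():
        if name.lower() in by_name and last(name.lower()) == "off":
            findings.append("%s off: the backend certificate's %s is not checked, so a "
                            "misdirected or spoofed backend would be accepted." % (name, meaning))
    for token in by_name.get("sslprotocol", [""])[-1].split():
        if token.lower() in ("+sslv3", "+tlsv1", "+tlsv1.1"):
            findings.append("SSLProtocol enables %s (deprecated); allow TLSv1.2+ only." % token[1:])
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", VHOST_BEFORE), ("after", VHOST_AFTER)):
        findings = lint_mtls(cfg)
        print("%s: %d finding(s)" % (label, len(findings)))
        for finding in findings:
            print("  -", finding)
```

Run stand-alone it reports five findings for the quoted vhost and none for the corrected one. The corrected version drops SSLProxyCheckPeerCN because SSLProxyCheckPeerName supersedes it in 2.4.5 and later, and drops SSLCACertificateFile because without SSLVerifyClient httpd no longer verifies browser certificates.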
RE: [users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic
Hi Frank,

My vhost looks as below. Is anything set incorrectly? I do have a proxy.conf file but nothing related to SSL is set in there. I will test apachectl -S and share the result with you.

SSLEngine on
ProxyRequests Off
RewriteEngine on
SSLProxyEngine on
SSLProxyVerify on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLVerifyClient require
SSLVerifyDepth 10
SSLProxyVerifyDepth 10
SSLOptions +ExportCertData
SSLProxyMachineCertificateFile "/path/to/certs/Appcert.pem"
SSLProxyCACertificateFile "/path/to/certs/trustedca.pem"
SSLCertificateFile "/path/to/hostname.crt"
SSLCertificateKeyFile "/path/to/hostname.key"
SSLCertificateChainFile "/path/to/hostname.crt"
SSLCACertificateFile "/path/to/trustedca.pem"
SSLProtocol -All +TLSv1.2 +TLSv1.1
SSLOptions +StdEnvVars
BrowserMatch "MSIE [2-5]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

Regards,
Devendra

From: Frank Gingras
Sent: Thursday, April 18, 2024 7:19 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic

On Thu, Apr 18, 2024 at 3:22 AM Daiya, Devendra singh wrote:

> Hi Team,
>
> Need help in setting up MTLS between Apache HTTP server and Weblogic server (App Server).
>
> I have gone through a few links but those are not working. After following the suggested steps I was able to start Apache HTTP server but the application is not working. I am getting the below error messages while accessing the application.
>
> Could anyone please look at it and share some suggestions on how we should set up MTLS b/w Web and App server. Please let me know if any additional info is needed.
>
> Error message:
>
> "message" : "AH02645: Server name not provided via TLS extension (using default/first virtual host)" , "referer" : },
> "message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" , "referer" : }
> "message" : "SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate -- No CAs known to server for verification?" , "referer" : }
> "message" : "AH01998: Connection closed to child 138 with abortive shutdown (server hostname:port , "referer" : }
> "message" : "AH01964: Connection to child 24 established (server hostname:port)" , "referer" : }
> "message" : "AH02645: Server name not provided via TLS extension (using default/first virtual host)" , "referer" : }
> "message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" , "referer" : }
> "message" : "SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate -- No CAs known to server for verification?" , "referer" : }
>
> SSL.conf file has the below directives set.
>
> SSLEngine on
> ProxyRequests Off
> RewriteEngine on
> SSLProxyEngine on
> SSLProxyVerify on
> SSLProxyCheckPeerCN off
> SSLProxyCheckPeerName off
> SSLProxyCheckPeerExpire off
> SSLVerifyClient require
> SSLVerifyDepth 10
> SSLProxyVerifyDepth 10
> SSLOptions +ExportCertData
> SSLProxyMachineCertificateFile "/apps/certs/Appcert.pem"
> SSLProxyCACertificateFile "/apps/certs/trustedca.pem"
> SSLCertificateFile "/path/to/hostname.crt"
> SSLCertificateKeyFile "/path/to/hostname.key"
> SSLCertificateChainFile "/path/to/hostname.crt"
> SSLCACertificateFile "/path/to/trustedca.pem"
>
> Thanks.
>
> Regards,
> Devendra

Rough guess: http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost

Otherwise, we would need to see the full vhost.

Might be worth running apachectl -S to make sure you don't have misconfigured / overlapping vhosts, as well.
Re: [users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic
On Thu, Apr 18, 2024 at 3:22 AM Daiya, Devendra singh wrote:

> Hi Team,
>
> Need help in setting up MTLS between Apache HTTP server and Weblogic server (App Server).
>
> I have gone through a few links but those are not working. After following the suggested steps I was able to start Apache HTTP server but the application is not working. I am getting the below error messages while accessing the application.
>
> *Could anyone please look at it and share some suggestions on how we should set up MTLS b/w Web and App server. Please let me know if any additional info is needed.*
>
> *Error message:*
>
> "message" : "AH02645: Server name not provided via TLS extension (using default/first virtual host)" , "referer" : },
> "message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" , "referer" : }
> "message" : "SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate -- No CAs known to server for verification?" , "referer" : }
> "message" : "AH01998: Connection closed to child 138 with abortive shutdown (server hostname:port , "referer" : }
> "message" : "AH01964: Connection to child 24 established (server hostname:port)" , "referer" : }
> "message" : "AH02645: Server name not provided via TLS extension (using default/first virtual host)" , "referer" : }
> "message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" , "referer" : }
> "message" : "SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate -- No CAs known to server for verification?" , "referer" : }
>
> *SSL.conf file has the below directives set.*
>
> SSLEngine on
> ProxyRequests Off
> RewriteEngine on
> SSLProxyEngine on
> SSLProxyVerify on
> SSLProxyCheckPeerCN off
> SSLProxyCheckPeerName off
> SSLProxyCheckPeerExpire off
> SSLVerifyClient require
> SSLVerifyDepth 10
> SSLProxyVerifyDepth 10
>
> SSLOptions +ExportCertData
>
> SSLProxyMachineCertificateFile "/apps/certs/Appcert.pem"
> SSLProxyCACertificateFile "/apps/certs/trustedca.pem"
>
> SSLCertificateFile "/path/to/hostname.crt"
> SSLCertificateKeyFile "/path/to/hostname.key"
> SSLCertificateChainFile "/path/to/hostname.crt"
> SSLCACertificateFile "/path/to/trustedca.pem"
>
> Thanks.
>
> *Regards,*
> *Devendra*

Rough guess: http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost

Otherwise, we would need to see the full vhost.

Might be worth running apachectl -S to make sure you don't have misconfigured / overlapping vhosts, as well.
[users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic
Hi Team,

Need help in setting up MTLS between Apache HTTP server and Weblogic server (App Server).

I have gone through a few links but those are not working. After following the suggested steps I was able to start Apache HTTP server but the application is not working. I am getting the below error messages while accessing the application.

Could anyone please look at it and share some suggestions on how we should set up MTLS b/w Web and App server. Please let me know if any additional info is needed.

Error message:

"message" : "AH02645: Server name not provided via TLS extension (using default/first virtual host)" , "referer" : },
"message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" , "referer" : }
"message" : "SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate -- No CAs known to server for verification?" , "referer" : }
"message" : "AH01998: Connection closed to child 138 with abortive shutdown (server hostname:port , "referer" : }
"message" : "AH01964: Connection to child 24 established (server hostname:port)" , "referer" : }
"message" : "AH02645: Server name not provided via TLS extension (using default/first virtual host)" , "referer" : }
"message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" , "referer" : }
"message" : "SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate -- No CAs known to server for verification?" , "referer" : }

SSL.conf file has the below directives set.

SSLEngine on
ProxyRequests Off
RewriteEngine on
SSLProxyEngine on
SSLProxyVerify on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLVerifyClient require
SSLVerifyDepth 10
SSLProxyVerifyDepth 10
SSLOptions +ExportCertData
SSLProxyMachineCertificateFile "/apps/certs/Appcert.pem"
SSLProxyCACertificateFile "/apps/certs/trustedca.pem"
SSLCertificateFile "/path/to/hostname.crt"
SSLCertificateKeyFile "/path/to/hostname.key"
SSLCertificateChainFile "/path/to/hostname.crt"
SSLCACertificateFile "/path/to/trustedca.pem"

Thanks.

Regards,
Devendra