On 05.01.2019 at 15:10, Graham Leggett wrote:
Hi all,
I am trying to connect an httpd reverse proxy to a backend tomcat, and have
this particular hop protected by a client certificate.
The error I get is:
[Sat Jan 05 14:02:54.252552 2019] [ssl:warn] [pid 16448:tid 139929388369664]
AH02268: Proxy client certificate callback: (jira.example.com:443) downstream
server wanted client certificate but none are configured
Ok, so httpd is telling me that the tomcat has requested a client certificate
(entirely true) but httpd is not configured with a client certificate.
Except httpd is configured with a client certificate, as follows:
SSLProxyEngine on
SSLProxyMachineCertificateFile /etc/pki/httpd/client.cert
SSLProxyMachineCertificateChainFile /etc/pki/httpd/client.chain
SSLProxyCACertificateFile /etc/pki/httpd/client-ca.crt
SSLProxyVerify require
SSLProxyVerifyDepth 3
Does this functionality work in httpd v2.4.35, or is it configured incorrectly?
(As soon as I can get this working, I would like to fix our docs to be clear
how to do this)

Since you mention 2.4.35 explicitly, the following changelog entries
come to my mind:
2.4.37
*) mod_ssl: Correctly merge configurations that have client
certificates set by SSLProxyMachineCertificate{File|Path}. [Ruediger Pluem]
2.4.36
*) mod_ssl: Fix a regression that the configuration settings for
verify mode and verify depth were taken from the frontend connection in
case of connections by the proxy to the backend. PR 62769. [Ruediger Pluem]
The first got broken likely in 2.4.30, the second was reported for
2.4.34 and was only fixed in 36, so it should be broken in 35 as well.
The first has the additional log info (r1844226):
The certificates and keys loaded during configuration time got lost
during runtime if e.g. SSLProxyMachineCertificate{File|Path} was set on
virtual host level and there was an SSL directive at directory level,
e.g. SSLRequire.
This fixes a regression likely introduced in r1740928 (backported in
r1824187).
Backport of r1844002 from trunk.
Regards,
Rainer
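A check, added here and not part of the thread, that separates "configured incorrectly" from "hit by the 2.4.30-2.4.36 regression": it confirms that the file named by SSLProxyMachineCertificateFile actually holds a certificate plus the matching private key (the layout mod_ssl expects) and that the certificate has not expired. The path is taken from Graham's config; an openssl binary on PATH is assumed.

```shell
#!/bin/sh
# Added example: sanity-check the client certificate file used for the
# proxy-to-backend hop. Assumes /etc/pki/httpd/client.cert contains the
# certificate and its private key concatenated, as mod_ssl requires.

# check_machine_cert FILE
# Returns 0 when FILE contains a certificate and a private key whose public
# key matches the certificate; prints the reason and returns 1 otherwise.
check_machine_cert() {
    file=$1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$file" \
        || { echo "no certificate in $file"; return 1; }
    grep -q -- 'PRIVATE KEY-----' "$file" \
        || { echo "no private key in $file (cert and key must be in one file)"; return 1; }
    # openssl skips PEM blocks of the wrong type, so both reads work on the
    # combined file regardless of which block comes first.
    cert_pub=$(openssl x509 -in "$file" -noout -pubkey 2>/dev/null) \
        || { echo "unreadable certificate in $file"; return 1; }
    key_pub=$(openssl pkey -in "$file" -pubout 2>/dev/null) \
        || { echo "unreadable private key in $file"; return 1; }
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key in $file does not match the certificate"
        return 1
    fi
    return 0
}

# check_not_expired FILE
# Returns 0 when the certificate in FILE is still valid right now.
check_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate in $1 has expired"; return 1; }
}

# Usage: ./check-proxy-client-cert.sh /etc/pki/httpd/client.cert
if [ $# -ge 1 ]; then
    check_machine_cert "$1" && check_not_expired "$1" && echo "OK: $1"
fi
```

If both checks pass and AH02268 still appears, the certificate material is fine and the regression Rainer describes is the likely cause.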