Hello,
Thank you for your response.
I really don't think this is a setup problem, since my configuration, which
is pushed with Puppet, never changed for months before the upgrade to
cosmic.
To give you more information about the setup, I use a Letsencrypt SSL
certificate for the vhost and I had SSL client authentication to
access this vhost using my own PKI.
Here is the full vhost configuration:
<VirtualHost xxx.xxx.xxx.xxx:443>
ServerAdmin [email protected]
ServerName xxx.fr
ServerAlias www.xxx.fr
Header always set Strict-Transport-Security "max-age=15724800"
Header always set Public-Key-Pins "max-age=7776000; pin-sha256=\"V/l9+ViA7bqzrax3MyXRBjSIye7sXH1ERDVqjfTh7AQ=\"; pin-sha256=\"XYoSDYUn1tbyRUOpOE/6rMCibPqp0NpgBIkNQOFColU=\"; pin-sha256=\"0f3u6+R1mc6c5c4bsaeEkA+qHUIPfiGlo8e/j/kHwNg=\"; pin-sha256=\"InkxmlvZJBDx10AL+4Yfuwr060osJDXvs4Ti8yh2b7s=\""
SSLEngine on
SSLCertificateFile /etc/letsencrypt/xxx.fr/ecc/live/xxx.fr.fullchain
SSLCertificateKeyFile /etc/letsencrypt/xxx.fr/ecc/key/xxx.fr.key
SSLCertificateFile /etc/letsencrypt/xxx.fr/rsa/live/xxx.fr.fullchain
SSLCertificateKeyFile /etc/letsencrypt/xxx.fr/rsa/key/xxx.fr.key
SSLCACertificateFile /etc/pki/certs/ca.crt
SSLCARevocationFile /etc/pki/crl/crl.pem
SSLCARevocationCheck chain
SSLOCSPEnable on
<Location "/">
SSLVerifyClient require
SSLVerifyDepth 1
SSLRequireSSL
Require expr ( \
(%{SSL_CLIENT_S_DN_O} == "XXX") && \
(%{SSL_CLIENT_S_DN_OU} == "XXX") \
)
</Location>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:80/
ProxyPassReverse / http://127.0.0.1:80/
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Proto "https"
ProxyAddHeaders Off
RequestHeader set X-Forwarded-Host "www.xxx.fr"
RequestHeader set X-Forwarded-Server "www.xxx.fr"
RequestHeader set X-Forwarded-For %{REMOTE_ADDR}s
LogLevel trace8
CustomLog /var/log/apache2/www.xxx.fr/access.log vhost_combined_time
ErrorLog /var/log/apache2/www.xxx.fr/error.log
</VirtualHost>
and this is the common config I had in conf-enabled:
SSLInsecureRenegotiation off
SSLUseStapling on
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
SSLSessionTickets off
SSLStrictSNIVHostCheck On
SSLHonorCipherOrder on
SSLCompression off
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
If you have any hints to help debug this... Actually I just set
LogLevel to 8, but I don't see anything interesting...
** Changed in: apache2 (Ubuntu)
Status: Incomplete => New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1802630
Title:
apache ssl auth failed in renegotiation
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
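A defensive check worth running on a vhost like the one in this report, as an added example that is neither from the report nor Apache's own code: `SSLVerifyClient` inside a `<Location>` can only be enforced by mod_ssl through a renegotiation after the request is read, whereas at VirtualHost scope the client certificate is requested in the initial handshake. The sample config, `find_renegotiating_verify` and `hoist_to_vhost` are constructed for this example; because the Location here is "/", hoisting does not change which requests need a certificate, and the `Require expr` DN check stays where it is.

```python
import re

# Constructed sample modelled on the report's vhost (hostnames redacted as in the report).
SAMPLE_VHOST = """\
<VirtualHost 203.0.113.10:443>
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
<Location "/">
SSLVerifyClient require
SSLVerifyDepth 1
</Location>
</VirtualHost>
"""
OPEN = re.compile(r"^<(\w+)\b[^>]*>$")
CLOSE = re.compile(r"^</(\w+)>$")
# Per-directory containers: mod_ssl can only honour SSLVerifyClient there by
# renegotiating after the request (and therefore the URL) is known.
PER_DIR = {"location", "locationmatch", "directory", "directorymatch", "files", "filesmatch"}
VERIFY = {"sslverifyclient", "sslverifydepth"}

def find_renegotiating_verify(config: str) -> list:
    """Return (line_no, directive, container path) for verify directives in per-directory scope."""
    stack = []
    findings = []
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN.match(line):
            stack.append(m.group(1).lower())
        elif m := CLOSE.match(line):
            if stack and stack[-1] == m.group(1).lower():
                stack.pop()
        elif line.split()[0].lower() in VERIFY and any(c in PER_DIR for c in stack):
            findings.append((no, line.split()[0].lower(), "/".join(stack)))
    return findings

def hoist_to_vhost(config: str) -> str:
    """Move flagged directives to VirtualHost scope, so the client cert is requested in the first handshake."""
    flagged = {no for no, _, _ in find_renegotiating_verify(config)}
    lines = config.splitlines()
    moved = [lines[no - 1].strip() for no in sorted(flagged)]
    out = []
    for no, line in enumerate(lines, 1):
        if no in flagged:
            continue
        out.append(line)
        m = OPEN.match(line.strip())
        if m and m.group(1).lower() == "virtualhost":
            out.extend(moved)  # insert right under the <VirtualHost> opening line
    return "\n".join(out) + "\n"
```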