hi sergio,

Test with self-signed: if I create a self-signed cert there is no problem, because there is no
chain and no ocsp_uri inside the cert.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~$ openssl s_client -showcerts -connect localhorst.org:443

:~$ vim localhorst.org.crt
-----BEGIN CERTIFICATE-----
MIIGXTCCBUWgAwIBAgISBCNdJoHGg0NSqEXm0XRZadzOMA0GCSqGSIb3DQEBCwUA
[...]
aW0N0xphYg5wtFU6uggKYxYBVRoqhn0D264eEYOeQt9MmHy2cD2y3MfB7OE4xT12
xA==
-----END CERTIFICATE-----


:~$ openssl x509 -in localhorst.org.crt -noout -ocsp_uri
http://r3.o.lencr.org

The ocsp_uri is coming from the Let's Encrypt CA.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

When I am using self-signed, I create it in this way:

SERVER=own.localhorst.org
# private key without passphrase
openssl genrsa -out $SERVER.nopasskey 4096
# certificate signing request
openssl req -new -key $SERVER.nopasskey -out $SERVER.csr
# self-signed certificate (signed with its own key, so no CA and no chain)
openssl x509 -req -days 365 -in $SERVER.csr -signkey $SERVER.nopasskey -out $SERVER.crt

:~$ openssl x509 -in own.localhorst.org.crt -noout -ocsp_uri
-> no output

:~$ openssl x509 -text -in own.localhorst.org.crt
    Issuer: C = DE, ST = NRW, L = Cologne, O = localhorst, OU = localhorst, CN = own.localhorst.org
    Subject: C = DE, ST = NRW, L = Cologne, O = localhorst, OU = localhorst, CN = own.localhorst.org

-> no chain

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~# vim /etc/hosts
127.0.0.1 proxy.localhorst.org
127.0.0.2 own.localhorst.org

:~# sh /usr/share/doc/apache2/examples/setup-instance own
:~# sh /usr/share/doc/apache2/examples/setup-instance proxy

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I create an HTTPS Apache:

:~$ vim /etc/apache2-own/sites-enabled/own.conf
<VirtualHost 127.0.0.2:443>
  ServerName own.localhorst.org

  SSLEngine On
  SSLCertificateFile /etc/apache2-own/ssl/own.localhorst.org.crt
  SSLCertificateKeyFile /etc/apache2-own/ssl/own.localhorst.org.nopasskey

  DocumentRoot /var/www/html-own

  <Directory /var/www/html-own>
    DirectoryIndex index.html
    Options -Indexes
    AllowOverride None
    Require all granted
  </Directory>

  #LogLevel info ssl:warn

  ErrorLog ${APACHE_LOG_DIR}/own_error.log
  CustomLog ${APACHE_LOG_DIR}/own_access.log combined
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~# mkdir /var/www/html-own
:~# vim /var/www/html-own/index.html
own


:~# curl -k https://own.localhorst.org
own

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

and a proxy Apache:

:~# vim /etc/apache2-proxy/sites-enabled/000-default.conf
<VirtualHost 127.0.0.1:80>
    ServerName proxy.localhorst.org

    ProxyPreserveHost Off
    ProxyRequests Off

    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On
    SSLProxyVerifyDepth 0
    SSLProxyCACertificateFile /etc/apache2-own/ssl/own.localhorst.org.crt
    SSLProxyCipherSuite ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-GCM-SHA384
    SSLProxyProtocol -all +TLSv1.2

    ProxyPass / https://own.localhorst.org/

    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/localhorst_access.log common
</VirtualHost>


:~# curl http://proxy.localhorst.org
own


Conclusion so far: with self-signed, no OCSP entry and no chain, there is no
problem.

-------------------------------------------------------------------------

I tried out an easy way with entries in

:~# vim /etc/ssl/openssl.cnf
[...]
authorityInfoAccess=OCSP;URI:http://r3.o.lencr.org/
[...]

in several "places" to get an ocsp_uri inside the self-signed cert created like
above, but with no luck.

To create a complete root CA with a working OCSP responder: no idea so far.

regards, horst

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1930430

Title:
  Apache2 Certificate Chain Verification within Proxy not Working after
  dist-upgrade to focal

To manage notifications about this bug go to:
https://bugs.launchpad.net/apache2/+bug/1930430/+subscriptions
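As an added example (not from horst's message or the Ubuntu bug), the following script builds a throwaway root CA and signs a leaf certificate whose authorityInfoAccess extension carries an OCSP URI; the `openssl x509 -req` step used in the message takes X.509v3 extensions only from a file passed with `-extfile`, which is why editing openssl.cnf alone produced nothing. The hostname, directory and OCSP URL are assumed placeholders, and no OCSP responder is started.

```shell
#!/bin/sh
# Added demo, not code from the bug report: make a root CA and a leaf cert
# whose authorityInfoAccess extension carries an OCSP URI. All names, paths
# and the OCSP URL below are constructed placeholders.
set -eu

SERVER=own.localhorst.org                  # hypothetical hostname
OCSP_URL=http://ocsp.localhorst.org:8888/  # hypothetical responder URL

make_chain() {
  dir=$1
  mkdir -p "$dir"
  # 1. Root CA: key + self-signed cert. CA:TRUE comes from an -extfile,
  #    because "x509 -req" does not read extension sections from openssl.cnf.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhorst Test Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
  # 2. Leaf key + CSR, then an extension file holding the OCSP URI.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$SERVER" \
    -keyout "$dir/$SERVER.key" -out "$dir/$SERVER.csr" 2>/dev/null
  cat > "$dir/leaf.ext" <<EOF
basicConstraints=CA:FALSE
subjectAltName=DNS:$SERVER
authorityKeyIdentifier=keyid,issuer
authorityInfoAccess=OCSP;URI:$OCSP_URL
EOF
  # 3. Sign the leaf with the CA (not -signkey) and apply the extensions.
  openssl x509 -req -days 365 -in "$dir/$SERVER.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/leaf.ext" \
    -out "$dir/$SERVER.crt" 2>/dev/null
}

# OCSP URI embedded in a certificate (empty for a plain self-signed cert).
ocsp_uri_of() { openssl x509 -in "$1" -noout -ocsp_uri; }

# Exit 0 when the leaf chains to the CA, the check SSLProxyCACertificateFile does.
verify_chain() { openssl verify -CAfile "$1/ca.crt" "$1/$SERVER.crt" >/dev/null; }

if [ "${1:-}" = run ]; then
  make_chain /tmp/localhorst-demo
  ocsp_uri_of "/tmp/localhorst-demo/$SERVER.crt"   # http://ocsp.localhorst.org:8888/
fi
```

Run it with `sh script.sh run`; the leaf then shows the URI under `-ocsp_uri`, while the CA cert, like the self-signed cert in the message, shows nothing.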

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
