Hi Sergio, maybe I have a solution with self-signed certificates.

Overall, I recreated the Apache packages with the new version 2.4.41-4ubuntu3.3 and used only the patch with the two rows involved. Then I found a description of how to create a root CA with OCSP inside:
https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html
I copied and pasted it straightforwardly and got the files enduser-example.com.key, enduser-example.com.crt and enduser-example.com.chain, and in the cert there is an OCSP URI:

:~# openssl x509 -in enduser-example.com.crt -noout -ocsp_uri
http://pki.sparklingca.com/ocsp/
http://pki.backup.com/ocsp/

At that point these OCSP responders do not exist. I reconfigured the Apache from above with that self-signed cert:

:~# vim /etc/apache2-own/sites-available/own.conf
<VirtualHost 127.0.0.2:443>
    ServerName own.localhorst.org
    SSLEngine On
    SSLCertificateFile /etc/apache2-own/ssl/enduser-example.com.crt
    SSLCertificateChainFile /etc/apache2-own/ssl/enduser-example.com.chain
    SSLCertificateKeyFile /etc/apache2-own/ssl/enduser-example.com.key
    DocumentRoot /var/www/html-own
    <Directory /var/www/html-own>
        DirectoryIndex index.html
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
    #LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/own_error.log
    CustomLog ${APACHE_LOG_DIR}/own_access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~# vim /etc/apache2-proxy/sites-enabled/000-default.conf
<VirtualHost 127.0.0.1:80>
    ServerName proxy.localhorst.org
    ProxyPreserveHost Off
    ProxyRequests Off
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/apache2-own/ssl/enduser-example.com.chain
    SSLProxyCipherSuite ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-GCM-SHA384
    SSLProxyProtocol -all +TLSv1.2
    ProxyPass / https://own.localhorst.org/
    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/localhorst_access.log common
</VirtualHost>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~# curl http://proxy.localhorst.org
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
The proxy server could not handle the request<p>Reason: <strong>Error during SSL Handshake with remote server</strong></p><p />
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at proxy.localhorst.org Port 80</address>
</body></html>

:~# cat /var/log/apache2-proxy/error.log
[Fri Jul 02 15:59:51.503320 2021] [ssl:debug] [pid 61838:tid 140404689173568] ssl_engine_init.c(2060): AH02209: CA certificate: CN=Localhorst root CA,OU=local,O=ciss,L=Cologne,ST=NRW,C=DE
[Fri Jul 02 15:59:51.504788 2021] [ssl:debug] [pid 61838:tid 140404689173568] ssl_engine_init.c(2060): AH02209: CA certificate: OU=zzz,O=loca,C=DE,ST=NRW,CN=Localhorst intermediat CA
[Fri Jul 02 15:59:51.520258 2021] [ssl:debug] [pid 61839:tid 140404689173568] ssl_engine_init.c(2060): AH02209: CA certificate: CN=Localhorst root CA,OU=local,O=ciss,L=Cologne,ST=NRW,C=DE
[Fri Jul 02 15:59:51.520282 2021] [ssl:debug] [pid 61839:tid 140404689173568] ssl_engine_init.c(2060): AH02209: CA certificate: OU=zzz,O=loca,C=DE,ST=NRW,CN=Localhorst intermediat CA
[Fri Jul 02 15:59:51.521114 2021] [mpm_event:notice] [pid 61839:tid 140404689173568] AH00489: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operations
[Fri Jul 02 15:59:51.521138 2021] [core:notice] [pid 61839:tid 140404689173568] AH00094: Command line: '/usr/sbin/apache2 -d /etc/apache2-proxy'
[Fri Jul 02 15:59:51.527963 2021] [proxy:debug] [pid 61840:tid 140404689173568] proxy_util.c(1933): AH00925: initializing worker https://own.localhorst.org/ shared
[Fri Jul 02 15:59:51.527991 2021] [proxy:debug] [pid 61840:tid 140404689173568] proxy_util.c(1990): AH00927: initializing worker https://own.localhorst.org/ local
[Fri Jul 02 15:59:51.528002 2021] [proxy:debug] [pid 61840:tid 140404689173568] proxy_util.c(2024): AH00930: initialized pool in child 61840 for (own.localhorst.org) min=0 max=25 smax=25
[Fri Jul 02 15:59:51.528973 2021] [proxy:debug] [pid 61841:tid 140404689173568] proxy_util.c(1933): AH00925: initializing worker https://own.localhorst.org/ shared
[Fri Jul 02 15:59:51.529009 2021] [proxy:debug] [pid 61841:tid 140404689173568] proxy_util.c(1990): AH00927: initializing worker https://own.localhorst.org/ local
[Fri Jul 02 15:59:51.529067 2021] [proxy:debug] [pid 61841:tid 140404689173568] proxy_util.c(2024): AH00930: initialized pool in child 61841 for (own.localhorst.org) min=0 max=25 smax=25
[Fri Jul 02 15:59:58.640750 2021] [authz_core:debug] [pid 61840:tid 140404561278720] mod_authz_core.c(845): [client 127.0.0.1:48808] AH01628: authorization result: granted (no directives)
[Fri Jul 02 15:59:58.640838 2021] [proxy:debug] [pid 61840:tid 140404561278720] mod_proxy.c(1253): [client 127.0.0.1:48808] AH01143: Running scheme https handler (attempt 0)
[Fri Jul 02 15:59:58.640859 2021] [proxy:debug] [pid 61840:tid 140404561278720] proxy_util.c(2325): AH00942: HTTPS: has acquired connection for (own.localhorst.org)
[Fri Jul 02 15:59:58.640865 2021] [proxy:debug] [pid 61840:tid 140404561278720] proxy_util.c(2379): [client 127.0.0.1:48808] AH00944: connecting https://own.localhorst.org/ to own.localhorst.org:443
[Fri Jul 02 15:59:58.640995 2021] [proxy:debug] [pid 61840:tid 140404561278720] proxy_util.c(2588): [client 127.0.0.1:48808] AH00947: connected / to own.localhorst.org:443
[Fri Jul 02 15:59:58.641077 2021] [proxy:debug] [pid 61840:tid 140404561278720] proxy_util.c(3054): AH02824: HTTPS: connection established with 127.0.0.2:443 (own.localhorst.org)
[Fri Jul 02 15:59:58.641096 2021] [proxy:debug] [pid 61840:tid 140404561278720] proxy_util.c(3240): AH00962: HTTPS: connection complete to 127.0.0.2:443 (own.localhorst.org)
[Fri Jul 02 15:59:58.641103 2021] [ssl:info] [pid 61840:tid 140404561278720] [remote 127.0.0.2:443] AH01964: Connection to child 0 established (server proxy.localhorst.org:80)
[Fri Jul 02 15:59:58.654018 2021] [ssl:debug] [pid 61840:tid 140404561278720] ssl_engine_kernel.c(1764): [remote 127.0.0.2:443] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=Localhorst root CA,OU=local,O=ciss,L=Cologne,ST=NRW,C=DE / issuer: CN=Localhorst root CA,OU=local,O=ciss,L=Cologne,ST=NRW,C=DE / serial: 1C45449239692242E4EB5F7124ECD2B1F404979B / notbefore: Jul 2 14:53:28 2021 GMT / notafter: Jul 2 14:53:28 2026 GMT]
[Fri Jul 02 15:59:58.654233 2021] [ssl:debug] [pid 61840:tid 140404561278720] ssl_engine_kernel.c(1764): [remote 127.0.0.2:443] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: OU=zzz,O=loca,C=DE,ST=NRW,CN=Localhorst intermediat CA / issuer: CN=Localhorst root CA,OU=local,O=ciss,L=Cologne,ST=NRW,C=DE / serial: 1000 / notbefore: Jul 2 14:56:01 2021 GMT / notafter: Jul 2 14:56:01 2023 GMT]
[Fri Jul 02 15:59:59.101482 2021] [ssl:error] [pid 61840:tid 140404561278720] (EAI 2)Name or service not known: [remote 127.0.0.2:443] AH01972: could not resolve address of OCSP responder pki.sparklingca.com
[Fri Jul 02 15:59:59.101790 2021] [ssl:info] [pid 61840:tid 140404561278720] [remote 127.0.0.2:443] AH02276: Certificate Verification: Error (50): application verification failure [subject: OU=zzz,O=loca,C=DE,ST=NRW,CN=Localhorst intermediat CA / issuer: CN=Localhorst root CA,OU=local,O=ciss,L=Cologne,ST=NRW,C=DE / serial: 1000 / notbefore: Jul 2 14:56:01 2021 GMT / notafter: Jul 2 14:56:01 2023 GMT]
[Fri Jul 02 15:59:59.102021 2021] [ssl:info] [pid 61840:tid 140404561278720] [remote 127.0.0.2:443] AH02003: SSL Proxy connect failed
[Fri Jul 02 15:59:59.102080 2021] [ssl:info] [pid 61840:tid 140404561278720] SSL Library Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Fri Jul 02 15:59:59.102099 2021] [ssl:info] [pid 61840:tid 140404561278720] [remote 127.0.0.2:443] AH01998: Connection closed to child 0 with abortive shutdown (server proxy.localhorst.org:80)
[Fri Jul 02 15:59:59.102185 2021] [ssl:info] [pid 61840:tid 140404561278720] [remote 127.0.0.2:443] AH01997: SSL handshake failed: sending 502
[Fri Jul 02 15:59:59.102202 2021] [proxy:error] [pid 61840:tid 140404561278720] (20014)Internal error (specific information not available): [client 127.0.0.1:48808] AH01084: pass request body failed to 127.0.0.2:443 (own.localhorst.org)
[Fri Jul 02 15:59:59.102226 2021] [proxy:error] [pid 61840:tid 140404561278720] [client 127.0.0.1:48808] AH00898: Error during SSL Handshake with remote server returned by /
[Fri Jul 02 15:59:59.102239 2021] [proxy_http:error] [pid 61840:tid 140404561278720] [client 127.0.0.1:48808] AH01097: pass request body failed to 127.0.0.2:443 (own.localhorst.org) from 127.0.0.1 ()
[Fri Jul 02 15:59:59.102252 2021] [proxy:debug] [pid 61840:tid 140404561278720] proxy_util.c(2340): AH00943: HTTPS: has released connection for (own.localhorst.org)

- - - - - - - - - - - - - - - - - - - - - - - - -

Install the patched Apache:

:~# dpkg -i apache2_2.4.41-4ubuntu3.3_amd64.deb apache2-bin_2.4.41-4ubuntu3.3_amd64.deb apache2-data_2.4.41-4ubuntu3.3_all.deb apache2-utils_2.4.41-4ubuntu3.3_amd64.deb
:~# systemctl restart [email protected]
:~# systemctl restart [email protected]
:~# curl http://proxy.localhorst.org
own

Worked for me without an error. Hopefully this will help to make things a bit clearer.

Regards,
Horst

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1930430

Title:
  Apache2 Certificate Chain Verification within Proxy not Working after dist-upgrade to focal

To manage notifications about this bug go to:
https://bugs.launchpad.net/apache2/+bug/1930430/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
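Added here as a triage helper, not part of Horst's report or of the Apache project: it parses Apache 2.4 error_log lines of the shape quoted above and, for each AH01997 proxy handshake failure, reports the backend peer together with the most specific cause seen on the same worker pid, so an unresolvable OCSP responder named in the backend certificate's AIA (AH01972) is not mistaken for a plain chain problem (AH02276). The sample log is a constructed, trimmed copy of the lines in the report; all function and regex names are this example's own.

```python
import re

HEAD_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
                     r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<rest>.*)$")  # fixed log prefix
PEER_RE = re.compile(r"\[(?:client|remote) (?P<peer>[^\]]+)\]")  # client or backend address
CODE_RE = re.compile(r"(?P<code>AH\d{5}): (?P<msg>.*)$")  # Apache message id + free text
OCSP_RE = re.compile(r"could not resolve address of OCSP responder (?P<host>\S+)")
SUBJ_RE = re.compile(r"\[subject: (?P<s>[^/]+?) / ")

def parse_line(line):
    """Split one error_log line into ts, module, level, pid, tid, peer, AH code and msg."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    peer, code = PEER_RE.search(rest), CODE_RE.search(rest)
    rec["peer"] = peer.group("peer") if peer else None
    rec["code"], rec["msg"] = (code.group("code"), code.group("msg")) if code else (None, rest)
    return rec

def diagnose_proxy_handshakes(lines):
    """For each AH01997 (proxy-side TLS handshake failed, client gets 502) return the backend peer
    plus the cause gathered on the same worker pid: AH01972 beats the generic AH02276 verify error."""
    pending, findings = {}, []
    for rec in filter(None, map(parse_line, lines)):  # skip lines that are not error_log entries
        pid, code, msg = rec["pid"], rec["code"], rec["msg"]
        cause = pending.setdefault(pid, {"cause": "unknown", "detail": None, "subject": None})
        if code == "AH01972":  # OCSP responder from the cert's AIA could not be resolved
            host = OCSP_RE.search(msg)
            cause.update(cause="ocsp_responder_unresolvable", detail=host.group("host") if host else None)
        elif code == "AH02276":  # verification failed; record which cert, keep a more specific cause
            subj = SUBJ_RE.search(msg)
            cause["subject"] = subj.group("s") if subj else None
            if cause["cause"] == "unknown":
                cause["cause"] = "certificate_verification_failed"
        elif code == "AH01997":  # handshake gave up; emit the finding and reset this pid
            findings.append({"ts": rec["ts"], "pid": pid, "peer": rec["peer"], **pending.pop(pid)})
    return findings

# Constructed sample: three lines trimmed from the proxy error.log quoted in the report above.
SAMPLE_LOG = [
    "[Fri Jul 02 15:59:59.101482 2021] [ssl:error] [pid 61840:tid 140404561278720] (EAI 2)Name or service not known: [remote 127.0.0.2:443] AH01972: could not resolve address of OCSP responder pki.sparklingca.com",
    "[Fri Jul 02 15:59:59.101790 2021] [ssl:info] [pid 61840:tid 140404561278720] [remote 127.0.0.2:443] AH02276: Certificate Verification: Error (50): application verification failure [subject: OU=zzz,O=loca,C=DE,ST=NRW,CN=Localhorst intermediat CA / issuer: CN=Localhorst root CA,OU=local,O=ciss,L=Cologne,ST=NRW,C=DE / serial: 1000 / notbefore: Jul 2 14:56:01 2021 GMT / notafter: Jul 2 14:56:01 2023 GMT]",
    "[Fri Jul 02 15:59:59.102185 2021] [ssl:info] [pid 61840:tid 140404561278720] [remote 127.0.0.2:443] AH01997: SSL handshake failed: sending 502",
]

if __name__ == "__main__":
    print(diagnose_proxy_handshakes(SAMPLE_LOG))
```

Run it against a full error.log with `LogLevel debug` (or at least `ssl:info`) on the proxy, since AH02276 and AH01997 are logged at info level.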
