Accepted, but I wonder if it's worth testing that the regular non-proxy
case OCSP check is still working correctly (for the various
good/revoked/unknown/unreachable responses), as it'd be fairly
disastrous from a security perspective if that regressed due to this
update. Could this be done before landing this into focal-updates
please?

** Description changed:

  [Impact]
  
-  * Due to https://bz.apache.org/bugzilla/show_bug.cgi?id=63679 the 
-    Online Certificate Status Protocol (OCSP) fails in proxy mode.
- 
-  * The fix is simple (the wrong context was checked) and is upstream for 
-    a while without further changes.
- 
-  * Backporting that fix [1] resolves the use case
+  * Due to https://bz.apache.org/bugzilla/show_bug.cgi?id=63679 the
+    Online Certificate Status Protocol (OCSP) fails in proxy mode.
+ 
+  * The fix is simple (the wrong context was checked) and is upstream for
+    a while without further changes.
+ 
+  * Backporting that fix [1] resolves the use case
  
  [1]: https://github.com/apache/httpd/commit/c11b1cd3b11f
  
  [Test Plan]
  
-  * Autopkgtest plus the steps that were outlined in comment 8 & 9.
-    
+  * Autopkgtest plus the steps that were outlined in comment 8 & 9.
+ 
+  * [racb] Also see the request for further testing in comment 14.
  
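Review bot: the [racb] bullet added to [Test Plan] only points at comment 14 and does not say what has to pass. Spelling the cases out in the plan itself (the regular non-proxy OCSP check for good, revoked, unknown and unreachable responses, as asked at the top of this message) would let the verification be judged from the description alone.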
  [Where problems could occur]
  
-  * Apache does many things, but the change "only" affects the ssl 
-    engine. Therefore unexpected problems would be around any sort
-    of ssl activity.
-    But the way the change works is actually ont he SSLVerify path,
-    so it comes down to "making ssl connections" not e.g. later SSL
-    transmission behavior or throughtput.
+  * Apache does many things, but the change "only" affects the ssl
+    engine. Therefore unexpected problems would be around any sort
+    of ssl activity.
+    But the way the change works is actually ont he SSLVerify path,
+    so it comes down to "making ssl connections" not e.g. later SSL
+    transmission behavior or throughtput.
  
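Review bot: the re-wrapped [Where problems could occur] bullet still carries the typos "ont he" and "throughtput"; since these lines are being rewritten anyway, correct them to "on the" and "throughput" in the same edit.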
  [Other Info]
-  
-  * If we manage to get a certbot system up on canonistack (as I did in 
-    the past) to hit this issue we will use that testbed instead of the 
-    local tests.
- 
+ 
+  * If we manage to get a certbot system up on canonistack (as I did in
+    the past) to hit this issue we will use that testbed instead of the
+    local tests.
  
  ----
  
  Description:    Ubuntu 20.04.2 LTS
  Release:        20.04
  Codename:       focal
  
  After dist-upgrade bionic -> focal and Apache Update
  
  from: 2.4.29-1ubuntu4.14
  to: 2.4.41-4ubuntu3.1
  
  Overall I found a hint in
  
  https://downloads.apache.org/httpd/CHANGES_2.4
  [...]
    *) mod_ssl: OCSP does not apply to proxy mode.  PR 63679.
       [Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]
  [...]
  
  https://bz.apache.org/bugzilla/show_bug.cgi?id=63679
  
  Backported to 2.4.x (r1872226), will be in the next release.
  
  
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?view=markup&pathrev=1872226
  
  -> This is part of 2.4.42 <-
  
  And an overall question: can you please also backport that version of
  ssl_engine_kernel.c into your 2.4.41-4ubuntu3.1 Apache?
  
  My further investigation: I created a new VM with 20.04 and compiled
  Apache
  
  :~$ apt-get source apache2
  
  The only thing I did was to replace
  
  :~$ apache2-2.4.41/modules/ssl/ssl_engine_kernel.c
  
  with the downloaded version from upstream Apache
  
  
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?revision=1872226&view=co&pathrev=1872226
  
  I saved the *.deb packages away.
  
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  
  Reproduce the Error
  
  Create a New VM with 20.04
  
  :~# apt-get install apache2
  
  :~# mkdir /etc/apache2/ssl
  :~# vim /etc/apache2/ssl/letsencryt.crt
  
  letsencryt.crt has only the intermediate and root CA from Let's Encrypt
  
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  
  :~# vim /etc/apache2/sites-enabled/000-default.conf
  <VirtualHost 127.0.0.1:80>
      ServerAdmin w...@localhorst.org
      ServerName localhost
  
      ProxyPreserveHost               Off
      ProxyRequests                   Off
  
      SSLProxyEngine                  On
      SSLProxyVerify                  require
      SSLProxyCheckPeerName           On
      SSLProxyCheckPeerExpire         On
      SSLProxyVerifyDepth             2
      SSLProxyCACertificateFile       ssl/letsencryt.crt
      SSLProxyCipherSuite             ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-GCM-SHA384
      SSLProxyProtocol                -all +TLSv1.2
  
      ProxyPass /                 https://localhorst.org/
  
      LogLevel debug
      CustomLog ${APACHE_LOG_DIR}/localhorst_access.log common
  </VirtualHost>
  
  :~# vim /etc/apache2/apache2.conf
  LogLevel debug
  
  :~# a2enmod proxy_http ssl
  
  :~#  systemctl restart apache2
  
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  
  I created a local firewall for a better overview, blocking outgoing traffic
  
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  
  The proxy crashed because of -> connecting to OCSP responder. With the Apache
  version in bionic this does not happen. There is no connection to the
  OCSP responder.
  
  :~# curl http://127.0.0.1:80/
  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>500 Proxy Error</title>
  </head><body>
  <h1>Proxy Error</h1>
  The proxy server could not handle the request<p>Reason: <strong>Error during SSL Handshake with remote server</strong></p><p />
  <hr>
  <address>Apache/2.4.41 (Ubuntu) Server at 127.0.0.1 Port 80</address>
  </body></html>
  
  :~# tail -f /var/log/apache2/error.log
  [Tue Jun 01 14:04:11.286448 2021] [authz_core:debug] [pid 6009:tid 140286852331264] mod_authz_core.c(845): [client 127.0.0.1:47958] AH01628: authorization result: granted (no directives)
  [Tue Jun 01 14:04:11.286530 2021] [proxy:debug] [pid 6009:tid 140286852331264] mod_proxy.c(1253): [client 127.0.0.1:47958] AH01143: Running scheme https handler (attempt 0)
  [Tue Jun 01 14:04:11.286549 2021] [proxy:debug] [pid 6009:tid 140286852331264] proxy_util.c(2325): AH00942: HTTPS: has acquired connection for (localhorst.org)
  [Tue Jun 01 14:04:11.286588 2021] [proxy:debug] [pid 6009:tid 140286852331264] proxy_util.c(2379): [client 127.0.0.1:47958] AH00944: connecting https://localhorst.org/ to localhorst.org:443
  [Tue Jun 01 14:04:11.288378 2021] [proxy:debug] [pid 6009:tid 140286852331264] proxy_util.c(2588): [client 127.0.0.1:47958] AH00947: connected / to localhorst.org:443
  [Tue Jun 01 14:04:11.318587 2021] [proxy:debug] [pid 6009:tid 140286852331264] proxy_util.c(3054): AH02824: HTTPS: connection established with 94.130.99.225:443 (localhorst.org)
  [Tue Jun 01 14:04:11.318697 2021] [proxy:debug] [pid 6009:tid 140286852331264] proxy_util.c(3240): AH00962: HTTPS: connection complete to 94.130.99.225:443 (localhorst.org)
  [Tue Jun 01 14:04:11.318726 2021] [ssl:info] [pid 6009:tid 140286852331264] [remote 94.130.99.225:443] AH01964: Connection to child 0 established (server localhost:80)
  [Tue Jun 01 14:04:11.368501 2021] [ssl:debug] [pid 6009:tid 140286852331264] ssl_engine_kernel.c(1764): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=DST Root CA X3,O=Digital Signature Trust Co. / issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. / serial: 44AFB080D6A327BA893039862EF8406B / notbefore: Sep 30 21:12:19 2000 GMT / notafter: Sep 30 14:01:15 2021 GMT]
  [Tue Jun 01 14:04:11.369207 2021] [ssl:debug] [pid 6009:tid 140286852331264] ssl_engine_kernel.c(1764): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=R3,O=Let's Encrypt,C=US / issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. / serial: 400175048314A4C8218C84A90C16CDDF / notbefore: Oct  7 19:21:40 2020 GMT / notafter: Sep 29 19:21:40 2021 GMT]
  [Tue Jun 01 14:04:11.369934 2021] [ssl:debug] [pid 6009:tid 140286852331264] ssl_engine_ocsp.c(76): [remote 94.130.99.225:443] AH01918: no OCSP responder specified in certificate and no default configured
  [Tue Jun 01 14:04:11.370521 2021] [ssl:debug] [pid 6009:tid 140286852331264] ssl_engine_kernel.c(1764): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=localhorst.org / issuer: CN=R3,O=Let's Encrypt,C=US / serial: 04235D2681C6834352A845E6D1745969DCCE / notbefore: May 13 08:11:44 2021 GMT / notafter: Aug 11 08:11:44 2021 GMT]
  [Tue Jun 01 14:04:11.517640 2021] [ssl:debug] [pid 6009:tid 140286852331264] ssl_util_ocsp.c(96): [remote 94.130.99.225:443] AH01973: connecting to OCSP responder 'r3.o.lencr.org'
  [Tue Jun 01 14:04:11.521410 2021] [ssl:error] [pid 6009:tid 140286852331264] (101)Network is unreachable: [remote 94.130.99.225:443] AH01974: could not connect to OCSP responder 'r3.o.lencr.org'
  [Tue Jun 01 14:04:11.521875 2021] [ssl:info] [pid 6009:tid 140286852331264] [remote 94.130.99.225:443] AH02276: Certificate Verification: Error (50): application verification failure [subject: CN=localhorst.org / issuer: CN=R3,O=Let's Encrypt,C=US / serial: 04235D2681C6834352A845E6D1745969DCCE / notbefore: May 13 08:11:44 2021 GMT / notafter: Aug 11 08:11:44 2021 GMT]
  [Tue Jun 01 14:04:11.529291 2021] [ssl:info] [pid 6009:tid 140286852331264] [remote 94.130.99.225:443] AH02003: SSL Proxy connect failed
  [Tue Jun 01 14:04:11.529591 2021] [ssl:info] [pid 6009:tid 140286852331264] SSL Library Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
  [Tue Jun 01 14:04:11.529708 2021] [ssl:info] [pid 6009:tid 140286852331264] [remote 94.130.99.225:443] AH01998: Connection closed to child 0 with abortive shutdown (server localhost:80)
  [Tue Jun 01 14:04:11.529999 2021] [ssl:info] [pid 6009:tid 140286852331264] [remote 94.130.99.225:443] AH01997: SSL handshake failed: sending 502
  [Tue Jun 01 14:04:11.530169 2021] [proxy:error] [pid 6009:tid 140286852331264] (20014)Internal error (specific information not available): [client 127.0.0.1:47958] AH01084: pass request body failed to 94.130.99.225:443 (localhorst.org)
  [Tue Jun 01 14:04:11.530288 2021] [proxy:error] [pid 6009:tid 140286852331264] [client 127.0.0.1:47958] AH00898: Error during SSL Handshake with remote server returned by /
  [Tue Jun 01 14:04:11.530379 2021] [proxy_http:error] [pid 6009:tid 140286852331264] [client 127.0.0.1:47958] AH01097: pass request body failed to 94.130.99.225:443 (localhorst.org) from 127.0.0.1 ()
  [Tue Jun 01 14:04:11.530482 2021] [proxy:debug] [pid 6009:tid 140286852331264] proxy_util.c(2340): AH00943: HTTPS: has released connection for (localhorst.org)
  
  :~# tail -f /var/log/ulog/syslogemu.log
  Jun  1 14:04:12 devubu2004 fw-net REJECT  IN= OUT=enp0s3 MAC= SRC=10.0.2.15 DST=95.101.91.160 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=59096 DF PROTO=TCP SPT=52194 DPT=80 SEQ=2173056195 ACK=0 WINDOW=64240 SYN URGP=0 UID=33 GID=33 MARK=0
  Jun  1 14:04:12 devubu2004 fw-net REJECT  IN= OUT=enp0s3 MAC= SRC=10.0.2.15 DST=95.101.91.146 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=32240 DF PROTO=TCP SPT=40016 DPT=80 SEQ=508673920 ACK=0 WINDOW=64240 SYN URGP=0 UID=33 GID=33 MARK=0
  
  :~$ host r3.o.lencr.org
  r3.o.lencr.org is an alias for o.lencr.edgesuite.net.
  o.lencr.edgesuite.net is an alias for a1887.dscq.akamai.net.
  a1887.dscq.akamai.net has address 95.101.91.160
  a1887.dscq.akamai.net has address 95.101.91.146
  a1887.dscq.akamai.net has IPv6 address 2a02:26f0:10c::5f65:5a12
  a1887.dscq.akamai.net has IPv6 address 2a02:26f0:10c::5f65:5ac0
  
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  
  Try opening the local firewall
  
  :~# vim /etc/shorewall/rules
  [...]
  ACCEPT          $FW     net:95.101.91.160       tcp     http
  ACCEPT          $FW     net:95.101.91.146       tcp     http
  
  :~# systemctl reload shorewall
  
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  
  Does not help; crashed with the following error
  
  :~$ curl http://127.0.0.1:80/
  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>500 Proxy Error</title>
  </head><body>
  <h1>Proxy Error</h1>
  The proxy server could not handle the request<p>Reason: <strong>Error during SSL Handshake with remote server</strong></p><p />
  <hr>
  <address>Apache/2.4.41 (Ubuntu) Server at 127.0.0.1 Port 80</address>
  </body></html>
  
  :~# tail -f /var/log/apache2/error.log
  [Tue Jun 01 14:08:02.137740 2021] [authz_core:debug] [pid 6009:tid 140286835545856] mod_authz_core.c(845): [client 127.0.0.1:47974] AH01628: authorization result: granted (no directives)
  [Tue Jun 01 14:08:02.137793 2021] [proxy:debug] [pid 6009:tid 140286835545856] mod_proxy.c(1253): [client 127.0.0.1:47974] AH01143: Running scheme https handler (attempt 0)
  [Tue Jun 01 14:08:02.137803 2021] [proxy:debug] [pid 6009:tid 140286835545856] proxy_util.c(2325): AH00942: HTTPS: has acquired connection for (localhorst.org)
  [Tue Jun 01 14:08:02.137810 2021] [proxy:debug] [pid 6009:tid 140286835545856] proxy_util.c(2379): [client 127.0.0.1:47974] AH00944: connecting https://localhorst.org/ to localhorst.org:443
  [Tue Jun 01 14:08:02.137817 2021] [proxy:debug] [pid 6009:tid 140286835545856] proxy_util.c(2588): [client 127.0.0.1:47974] AH00947: connected / to localhorst.org:443
  [Tue Jun 01 14:08:02.167485 2021] [proxy:debug] [pid 6009:tid 140286835545856] proxy_util.c(3054): AH02824: HTTPS: connection established with 94.130.99.225:443 (localhorst.org)
  [Tue Jun 01 14:08:02.168160 2021] [proxy:debug] [pid 6009:tid 140286835545856] proxy_util.c(3240): AH00962: HTTPS: connection complete to 94.130.99.225:443 (localhorst.org)
  [Tue Jun 01 14:08:02.168655 2021] [ssl:info] [pid 6009:tid 140286835545856] [remote 94.130.99.225:443] AH01964: Connection to child 0 established (server localhost:80)
  [Tue Jun 01 14:08:02.216198 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_engine_kernel.c(1764): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=DST Root CA X3,O=Digital Signature Trust Co. / issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. / serial: 44AFB080D6A327BA893039862EF8406B / notbefore: Sep 30 21:12:19 2000 GMT / notafter: Sep 30 14:01:15 2021 GMT]
  [Tue Jun 01 14:08:02.217565 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_engine_kernel.c(1764): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=R3,O=Let's Encrypt,C=US / issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. / serial: 400175048314A4C8218C84A90C16CDDF / notbefore: Oct  7 19:21:40 2020 GMT / notafter: Sep 29 19:21:40 2021 GMT]
  [Tue Jun 01 14:08:02.218976 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_engine_ocsp.c(76): [remote 94.130.99.225:443] AH01918: no OCSP responder specified in certificate and no default configured
  [Tue Jun 01 14:08:02.219265 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_engine_kernel.c(1764): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=localhorst.org / issuer: CN=R3,O=Let's Encrypt,C=US / serial: 04235D2681C6834352A845E6D1745969DCCE / notbefore: May 13 08:11:44 2021 GMT / notafter: Aug 11 08:11:44 2021 GMT]
  [Tue Jun 01 14:08:02.358471 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(96): [remote 94.130.99.225:443] AH01973: connecting to OCSP responder 'r3.o.lencr.org'
  [Tue Jun 01 14:08:02.386985 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(124): [remote 94.130.99.225:443] AH01975: sending request to OCSP responder
  [Tue Jun 01 14:08:02.579215 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Server: nginx
  [Tue Jun 01 14:08:02.581036 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Content-Type: application/ocsp-response
  [Tue Jun 01 14:08:02.581749 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Content-Length: 503
  [Tue Jun 01 14:08:02.581822 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: ETag: "17C919F5E6C36BB41BEAF2C8A1BD012BBFDC3157CAC59588FBFDAE973D089853"
  [Tue Jun 01 14:08:02.581843 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Last-Modified: Mon, 31 May 2021 09:00:00 UTC
  [Tue Jun 01 14:08:02.581859 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Cache-Control: public, no-transform, must-revalidate, max-age=43160
  [Tue Jun 01 14:08:02.581875 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Expires: Wed, 02 Jun 2021 02:07:22 GMT
  [Tue Jun 01 14:08:02.581891 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Date: Tue, 01 Jun 2021 14:08:02 GMT
  [Tue Jun 01 14:08:02.581906 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Connection: close
  [Tue Jun 01 14:08:02.581922 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(282): [remote 94.130.99.225:443] AH01987: OCSP response: got 503 bytes, 503 total
  [Tue Jun 01 14:08:02.583980 2021] [ssl:error] [pid 6009:tid 140286835545856] AH01924: Bad OCSP responder answer (bad nonce)
  [Tue Jun 01 14:08:02.585222 2021] [ssl:info] [pid 6009:tid 140286835545856] [remote 94.130.99.225:443] AH02276: Certificate Verification: Error (50): application verification failure [subject: CN=localhorst.org / issuer: CN=R3,O=Let's Encrypt,C=US / serial: 04235D2681C6834352A845E6D1745969DCCE / notbefore: May 13 08:11:44 2021 GMT / notafter: Aug 11 08:11:44 2021 GMT]
  [Tue Jun 01 14:08:02.586201 2021] [ssl:info] [pid 6009:tid 140286835545856] [remote 94.130.99.225:443] AH02003: SSL Proxy connect failed
  [Tue Jun 01 14:08:02.587160 2021] [ssl:info] [pid 6009:tid 140286835545856] SSL Library Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
  [Tue Jun 01 14:08:02.587226 2021] [ssl:info] [pid 6009:tid 140286835545856] [remote 94.130.99.225:443] AH01998: Connection closed to child 0 with abortive shutdown (server localhost:80)
  [Tue Jun 01 14:08:02.587272 2021] [ssl:info] [pid 6009:tid 140286835545856] [remote 94.130.99.225:443] AH01997: SSL handshake failed: sending 502
  [Tue Jun 01 14:08:02.587354 2021] [proxy:error] [pid 6009:tid 140286835545856] (20014)Internal error (specific information not available): [client 127.0.0.1:47974] AH01084: pass request body failed to 94.130.99.225:443 (localhorst.org)
  [Tue Jun 01 14:08:02.587391 2021] [proxy:error] [pid 6009:tid 140286835545856] [client 127.0.0.1:47974] AH00898: Error during SSL Handshake with remote server returned by /
  [Tue Jun 01 14:08:02.587407 2021] [proxy_http:error] [pid 6009:tid 140286835545856] [client 127.0.0.1:47974] AH01097: pass request body failed to 94.130.99.225:443 (localhorst.org) from 127.0.0.1 ()
  [Tue Jun 01 14:08:02.587424 2021] [proxy:debug] [pid 6009:tid 140286835545856] proxy_util.c(2340): AH00943: HTTPS: has released connection for (localhorst.org)
  
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  
  Close the Firewall Again
  
  :~# vim /etc/shorewall/rules
  [...]
  #ACCEPT          $FW     net:95.101.91.160       tcp     http
  #ACCEPT          $FW     net:95.101.91.146       tcp     http
  
  :~# systemctl reload shorewall
  
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  
  Installed the self-compiled Apache version with the patched
  ssl_engine_kernel.c version
  
  :~# cd /home/vagrant/deb/
  
  :~# dpkg -i apache2_2.4.41-4ubuntu3.1_amd64.deb \
        apache2-bin_2.4.41-4ubuntu3.1_amd64.deb \
        apache2-data_2.4.41-4ubuntu3.1_all.deb \
        apache2-utils_2.4.41-4ubuntu3.1_amd64.deb
  
  :~# systemctl stop apache2
  :~# systemctl start apache2
  
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  
  Apache Proxy is working again as expected
  
  :~# curl http://127.0.0.1:80/
  -> website is coming
  
  :~# tail -f /var/log/apache2/error.log
  [Tue Jun 01 14:11:47.953485 2021] [authz_core:debug] [pid 7437:tid 140452002883328] mod_authz_core.c(845): [client 127.0.0.1:47980] AH01628: authorization result: granted (no directives)
  [Tue Jun 01 14:11:47.953554 2021] [proxy:debug] [pid 7437:tid 140452002883328] mod_proxy.c(1253): [client 127.0.0.1:47980] AH01143: Running scheme https handler (attempt 0)
  [Tue Jun 01 14:11:47.953570 2021] [proxy:debug] [pid 7437:tid 140452002883328] proxy_util.c(2325): AH00942: HTTPS: has acquired connection for (localhorst.org)
  [Tue Jun 01 14:11:47.953576 2021] [proxy:debug] [pid 7437:tid 140452002883328] proxy_util.c(2379): [client 127.0.0.1:47980] AH00944: connecting https://localhorst.org/ to localhorst.org:443
  [Tue Jun 01 14:11:47.955415 2021] [proxy:debug] [pid 7437:tid 140452002883328] proxy_util.c(2588): [client 127.0.0.1:47980] AH00947: connected / to localhorst.org:443
  [Tue Jun 01 14:11:47.985343 2021] [proxy:debug] [pid 7437:tid 140452002883328] proxy_util.c(3054): AH02824: HTTPS: connection established with 94.130.99.225:443 (localhorst.org)
  [Tue Jun 01 14:11:47.985479 2021] [proxy:debug] [pid 7437:tid 140452002883328] proxy_util.c(3240): AH00962: HTTPS: connection complete to 94.130.99.225:443 (localhorst.org)
  [Tue Jun 01 14:11:47.985505 2021] [ssl:info] [pid 7437:tid 140452002883328] [remote 94.130.99.225:443] AH01964: Connection to child 0 established (server localhost:80)
  [Tue Jun 01 14:11:48.034945 2021] [ssl:debug] [pid 7437:tid 140452002883328] ssl_engine_kernel.c(1759): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=DST Root CA X3,O=Digital Signature Trust Co. / issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. / serial: 44AFB080D6A327BA893039862EF8406B / notbefore: Sep 30 21:12:19 2000 GMT / notafter: Sep 30 14:01:15 2021 GMT]
  [Tue Jun 01 14:11:48.035920 2021] [ssl:debug] [pid 7437:tid 140452002883328] ssl_engine_kernel.c(1759): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=R3,O=Let's Encrypt,C=US / issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. / serial: 400175048314A4C8218C84A90C16CDDF / notbefore: Oct  7 19:21:40 2020 GMT / notafter: Sep 29 19:21:40 2021 GMT]
  [Tue Jun 01 14:11:48.036745 2021] [ssl:debug] [pid 7437:tid 140452002883328] ssl_engine_kernel.c(1759): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=localhorst.org / issuer: CN=R3,O=Let's Encrypt,C=US / serial: 04235D2681C6834352A845E6D1745969DCCE / notbefore: May 13 08:11:44 2021 GMT / notafter: Aug 11 08:11:44 2021 GMT]
  [Tue Jun 01 14:11:48.067180 2021] [ssl:debug] [pid 7437:tid 140452002883328] ssl_engine_kernel.c(2249): [remote 94.130.99.225:443] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
  [Tue Jun 01 14:11:48.068469 2021] [ssl:debug] [pid 7437:tid 140452002883328] ssl_util_ssl.c(476): AH02412: [localhost:80] Cert matches for name 'localhorst.org' [subject: CN=localhorst.org / issuer: CN=R3,O=Let's Encrypt,C=US / serial: 04235D2681C6834352A845E6D1745969DCCE / notbefore: May 13 08:11:44 2021 GMT / notafter: Aug 11 08:11:44 2021 GMT]
  [Tue Jun 01 14:11:48.227809 2021] [proxy:debug] [pid 7437:tid 140452002883328] proxy_util.c(2340): AH00943: https: has released connection for (localhorst.org)
  
  Regards Horst
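
A log triage sketch for the error-log excerpts in the report above, added here and not part of the bug report or of Apache: it groups mod_ssl entries per worker thread and labels each proxied TLS handshake by what happened to the OCSP lookup, using only the AH message ids quoted in the report. The sample lines, addresses, responder name and thread ids are constructed, and keying on (pid, tid) assumes a worker thread handles one connection at a time.

```python
import re

# Apache 2.4 error-log entry: [time] [module:level] [pid N:tid N] message
ENTRY = re.compile(r"^\[([^\]]+)\] \[\w+:\w+\] \[pid (\d+):tid (\d+)\] (.*)$")
AH_CODE = re.compile(r"\bAH\d{5}\b")
REMOTE = re.compile(r"\[remote ([^\]]+)\]")

# Message ids taken from the log excerpts in the report.
CONN_START = "AH01964"        # Connection to child N established
OCSP_CONNECT = "AH01973"      # connecting to OCSP responder
OCSP_UNREACHABLE = "AH01974"  # could not connect to OCSP responder
OCSP_BAD_ANSWER = "AH01924"   # Bad OCSP responder answer
VERIFY_ERROR = "AH02276"      # Certificate Verification: Error
PROXY_FAILED = "AH02003"      # SSL Proxy connect failed
HANDSHAKE_OK = "AH02041"      # Protocol: ..., Cipher: ...

# Constructed sample (documentation addresses, made-up thread ids), interleaved
# the way a threaded MPM writes it. Note AH01924 carries no [remote ...] field.
SAMPLE_LOG = """\
[Tue Jun 01 14:00:00.000001 2021] [ssl:info] [pid 100:tid 1] [remote 192.0.2.10:443] AH01964: Connection to child 0 established (server localhost:80)
[Tue Jun 01 14:00:00.000002 2021] [ssl:info] [pid 100:tid 2] [remote 192.0.2.20:443] AH01964: Connection to child 1 established (server localhost:80)
[Tue Jun 01 14:00:00.000003 2021] [ssl:debug] [pid 100:tid 1] ssl_util_ocsp.c(96): [remote 192.0.2.10:443] AH01973: connecting to OCSP responder 'ocsp.example.test'
[Tue Jun 01 14:00:00.000004 2021] [ssl:debug] [pid 100:tid 2] ssl_util_ocsp.c(96): [remote 192.0.2.20:443] AH01973: connecting to OCSP responder 'ocsp.example.test'
[Tue Jun 01 14:00:00.000005 2021] [ssl:error] [pid 100:tid 1] (101)Network is unreachable: [remote 192.0.2.10:443] AH01974: could not connect to OCSP responder 'ocsp.example.test'
[Tue Jun 01 14:00:00.000006 2021] [ssl:info] [pid 100:tid 3] [remote 192.0.2.30:443] AH01964: Connection to child 2 established (server localhost:80)
[Tue Jun 01 14:00:00.000007 2021] [ssl:error] [pid 100:tid 2] AH01924: Bad OCSP responder answer (bad nonce)
[Tue Jun 01 14:00:00.000008 2021] [ssl:info] [pid 100:tid 1] [remote 192.0.2.10:443] AH02276: Certificate Verification: Error (50): application verification failure
[Tue Jun 01 14:00:00.000009 2021] [ssl:debug] [pid 100:tid 3] ssl_engine_kernel.c(1759): [remote 192.0.2.30:443] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0)
[Tue Jun 01 14:00:00.000010 2021] [ssl:info] [pid 100:tid 1] [remote 192.0.2.10:443] AH02003: SSL Proxy connect failed
[Tue Jun 01 14:00:00.000011 2021] [ssl:info] [pid 100:tid 2] [remote 192.0.2.20:443] AH02276: Certificate Verification: Error (50): application verification failure
[Tue Jun 01 14:00:00.000012 2021] [ssl:debug] [pid 100:tid 3] ssl_engine_kernel.c(2249): [remote 192.0.2.30:443] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 01 14:00:00.000013 2021] [ssl:info] [pid 100:tid 2] [remote 192.0.2.20:443] AH02003: SSL Proxy connect failed
"""


def classify(codes):
    """Map the AH ids seen during one handshake to an OCSP outcome label."""
    if OCSP_UNREACHABLE in codes:
        return "ocsp-unreachable"
    if OCSP_BAD_ANSWER in codes:
        return "ocsp-bad-answer"
    failed = VERIFY_ERROR in codes or PROXY_FAILED in codes
    if OCSP_CONNECT in codes:
        return "ocsp-queried-failed" if failed else "ocsp-queried-ok"
    return "failed-without-ocsp" if failed else "no-ocsp-query"


def triage(log_text):
    """Return one record per finished proxied TLS handshake, in completion order."""
    pending, done = {}, []
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        code = AH_CODE.search(entry.group(4)) if entry else None
        if not code:
            continue
        key = (entry.group(2), entry.group(3))  # assumption: one connection per thread
        if code.group() == CONN_START:
            remote = REMOTE.search(entry.group(4))
            pending[key] = {"remote": remote.group(1) if remote else None, "codes": []}
        elif key in pending:
            pending[key]["codes"].append(code.group())
            if code.group() in (PROXY_FAILED, HANDSHAKE_OK):
                conn = pending.pop(key)
                conn["outcome"] = classify(conn["codes"])
                done.append(conn)
    return done


if __name__ == "__main__":
    for conn in triage(SAMPLE_LOG):
        print(conn["remote"], conn["outcome"])
```

With the proxy fix in place and no OCSP configured for the proxy, every proxied handshake should come out as `no-ocsp-query`; the other labels correspond to the two failures shown in the report.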

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1930430

Title:
  Apache2 Certificate Chain Verification within Proxy not Working after
  dist-upgrade to focal
