Apache SSL Proxy can't find client certificate?
Solution 1
You need to configure Apache to use that certificate file as an authentication mechanism to its proxy backend.
Combine the .pem and .key into one file, and point to it with:
SSLProxyMachineCertificateFile /path/to/combined.pem
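A helper for producing that combined file, added here as an example and not part of any answer on this page. The function name make_proxy_machine_cert and the file paths are assumptions; it refuses a passphrase-protected key (mod_ssl cannot prompt for one at startup, so the proxy would end up with no client certificate configured), checks that the key belongs to the certificate when openssl is available, and writes the result with owner-only permissions.

```shell
#!/bin/sh
# Build the file SSLProxyMachineCertificateFile expects: the PEM certificate
# followed by its unencrypted PEM private key, concatenated into one file.
# Usage: make_proxy_machine_cert CERT.pem KEY.key OUT.pem
make_proxy_machine_cert() {
    cert="$1"; key="$2"; out="$3"
    # mod_ssl loads this file without a passphrase prompt, so an encrypted
    # key silently leaves the proxy with "none are configured".
    if grep -q 'ENCRYPTED' "$key"; then
        echo "refusing: $key is passphrase-protected; decrypt it first" >&2
        return 1
    fi
    grep -q 'BEGIN CERTIFICATE' "$cert" || { echo "no certificate in $cert" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$key"        || { echo "no private key in $key" >&2; return 1; }
    # If openssl is installed, confirm the key really belongs to the cert:
    # a mismatched pair fails the handshake just like a missing cert.
    if command -v openssl >/dev/null 2>&1; then
        cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo "cannot parse $cert" >&2; return 1; }
        kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)        || { echo "cannot parse $key" >&2; return 1; }
        [ "$cpub" = "$kpub" ] || { echo "private key does not match certificate" >&2; return 1; }
    fi
    # Subshell so the restrictive umask does not leak into the caller;
    # the file holds a private key and must be readable only by its owner.
    ( umask 077; cat "$cert" "$key" > "$out" ) || return 1
    printf 'SSLProxyMachineCertificateFile %s\n' "$out"
    return 0
}
```

The printed directive is the line to add to the proxy virtual host; the Apache user must be able to read the file, so run the helper as that user or adjust ownership afterwards.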
Solution 2
I had the same errors. There might be a problem with a configured peer name not matching the current ProxyPass
directive. In effect I access the service by localhost. The following config lines worked for me:
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
ProxyPass "/api/" "https://localhost:18443/api/"
(thanks to the comment from @ajmurmann)
The message "Proxy client certificate callback: (:443) downstream server wanted client certificate but none are configured" is still in the error log, but the requests are working.
Solution 3
Imho what he is really asking for is an Apache that proxies the SSL requests to an endpoint server, presumably an application server, that does SSL client certificate authentication...
The SSLProxyMachineCertificateFile will not help you in this case, as this file contains a certificate by which the Apache server authenticates itself with the application server... you don't want that: you want the calling client to use his certificate.
Presumably it should be possible for Apache to pass the certificate info it obtains on to the app server, e.g. via AJP, but I haven't been able to get this working so far. I will try and update this answer if I get it to work...
ajmurmann
Updated on September 18, 2022
Comments
-
ajmurmann over 1 year
My web servers need to integrate with a 3rd party's server that sits behind a firewall. In order to get through the firewall all requests have to come from the same IP address and be authenticated via SSL. So I set up a machine that's supposed to work as a proxy and forward all traffic via SSL to the 3rd party server.
I set up the proxy with the certificates and matching key files and can make a successful request to the 3rd party service via cURL just fine, using the certificate and key file. I set up a virtual host on Apache to pass these requests through, but keep getting errors saying that the SSL handshake with the remote server failed. I see the following error messages in my Apache logs:
Proxy client certificate callback: (:443) downstream server wanted client certificate but none are configured
[Sun Jul 29 01:40:48 2012] [error] (502)Unknown error 502: proxy: pass request body failed to <3rd party IP>:18443 (<3rd party URL>)
[Sun Jul 29 01:40:48 2012] [error] [client ] proxy: Error during SSL Handshake with remote server returned by /
My Apache virtual host configuration looks as follows:
<VirtualHost *:18443>
    ServerName <Proxy IP>
    SSLEngine on
    SSLProxyEngine On
    SSLCertificateFile /etc/apache2/ssl/my_server.pem
    SSLCertificateKeyFile /etc/apache2/ssl/my_server.key
    SSLProxyCACertificatePath /etc/ssl/certs
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / https://<3rd party server address>:18443
    ProxyPassReverse / https://<3rd party server address>:18443
</VirtualHost>
Thank you! Any help is highly appreciated!
-
user3023802 almost 12 years
Just a hunch, but can you post the config for whatever is listening on :443? Based on your log snippet something is trying to establish an SSL connection on :443 and then getting redirected to :18443.
-
ajmurmann almost 12 years
I am not sure what's up with that. I made the request via cURL to :18443. So I am not sure why it comes in on :443. I also checked with netstat and it's Apache listening on that port. However, I didn't change anything (knowingly) about responses on :443. The apache.conf doesn't mention anything about it either.
-
ajmurmann almost 12 years
Thank you very much! That fixed that error. However, now I am getting "(502)Unknown error 502: proxy: pass request body failed". As you recommended elsewhere, I turned off SSLProxyCheckPeerCN, but to no effect.
-
ravi yarlagadda almost 12 years
@ajmurmann Hmm. Try also changing your ProxyPass to add a trailing slash, as well:
ProxyPass / https://<3rd party server address>:18443/
-
ajmurmann almost 12 years
Thanks for that as well. However, I already tried that based on your advice on another thread.
-
Steve Goodman about 11 years
According to this thread on the Apache mailing list, it's not possible to forward the client cert through a proxy to the end server. apache-http-server.18135.n6.nabble.com/…
-
user207421 almost 3 years
It is not possible for Apache to do as you presume is possible, as it doesn't have the client's private key. You will never get this to work: and you haven't in 9 years.