Bug#441404: apache2: SSLCertificateChainFile also does not work with reverse proxy

To: Stefan Fritsch <sf@sfritsch.de>
Cc: 441404@bugs.debian.org
Subject: Bug#441404: apache2: SSLCertificateChainFile also does not work with reverse proxy
From: "Jeffrey B. Green" <jeff@kikisoso.org>
Date: Mon, 31 Dec 2007 09:54:03 -0500
Message-id: <[🔎] 4779028B.3030206@kikisoso.org>
Reply-to: "Jeffrey B. Green" <jeff@kikisoso.org>, 441404@bugs.debian.org
In-reply-to: <[🔎] 200712302348.21437.sf@sfritsch.de>
References: <[🔎] 20071220152748.22281.23070.reportbug@siddhi.kikisoso.org> <[🔎] 200712302348.21437.sf@sfritsch.de>

Stefan Fritsch wrote:
> On Thursday 20 December 2007, Jeff Green wrote:
>> The SSLCertificateChainFile does not work, but the
>> SSLCACertificatePath does in a reverse proxy topology. The error
>> reported here is in the actual server, i.e. not the proxy. The path
>> used is /etc/ssl/certs, and the chain file is
>> /etc/ssl/certs/ca-certificates.crt.
>>
>> However, the proxy also uses SSLCACertificatePath and it works.
> 
> I don't understand your configuration. Do you get an error message?
> Can you be more verbose, e.g. provide the output of
> 
> cd /etc/apache2 ; egrep -ir '(<|name)virtualhost|SSL(CA)?Certificate' *enabled conf.d *conf
> 
> on both systems?

On the proxy machine the output is:

pd.conf             ports.conf       ssl/
root@noisy:/etc/apache2[1041] tificate' *enabled conf.d *conf           <
sites-enabled/root:<VirtualHost 192.168.2.50:80>
sites-enabled/root:<VirtualHost 192.168.2.52:80>
sites-enabled/root:NameVirtualHost 192.168.2.7:80
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:80>
sites-enabled/root:<VirtualHost 192.168.2.7:443>
sites-enabled/root:     SSLCertificateFile
/etc/apache2/ssl/secure_karmecholing_org.crt
sites-enabled/root:     SSLCertificateKeyFile
/etc/apache2/ssl/secure.karmecholing.org-key.pem
sites-enabled/root:     SSLCACertificatePath /etc/ssl/certs
sites-enabled/root:#NameVirtualHost 192.168.2.7:10445
sites-enabled/root:<VirtualHost 192.168.2.7:10445>
sites-enabled/root:     SSLCertificateFile
/etc/apache2/ssl/lists.kikisoso.org.cert.pem
sites-enabled/root:     SSLCertificateKeyFile
/etc/apache2/ssl/lists.kikisoso.org.key.pem
sites-enabled/root:     SSLCACertificatePath /etc/ssl/certs
sites-enabled/root:<VirtualHost 192.168.2.7:10443>
sites-enabled/root:     SSLCertificateFile
/etc/apache2/ssl/webmail.kikisoso.org.cert.pem
sites-enabled/root:     SSLCertificateKeyFile
/etc/apache2/ssl/webmail.kikisoso.org.key.pem
sites-enabled/root:     SSLCACertificatePath /etc/ssl/certs
sites-enabled/root:<VirtualHost 192.168.2.7:10444>
sites-enabled/root:     SSLCertificateFile
/etc/apache2/ssl/webmail.tailofthetiger.org-cert.pem
sites-enabled/root:     SSLCertificateKeyFile
/etc/apache2/ssl/webmail.tailofthetiger.org-key.pem
sites-enabled/root:     SSLCACertificatePath /etc/ssl/certs
sites-enabled/root:<VirtualHost 192.168.2.7:10446>
sites-enabled/root:     SSLCertificateFile
/etc/apache2/ssl/www.kikisoso.org.cert.pem
sites-enabled/root:     SSLCertificateKeyFile
/etc/apache2/ssl/www.kikisoso.org.key.pem
sites-enabled/root:     SSLCACertificatePath /etc/ssl/certs
sites-enabled/sympa:<VirtualHost 192.168.2.50:10445>
sites-enabled/sympa:    SSLCertificateFile
/etc/apache2/ssl/lists.kikisoso.org.cert.pem
sites-enabled/sympa:    SSLCertificateKeyFile
/etc/apache2/ssl/lists.kikisoso.org.key.pem
sites-enabled/sympa:    SSLCACertificatePath /etc/ssl/certs
sites-enabled/squirrelmail:<VirtualHost 192.168.2.52:443>
sites-enabled/squirrelmail:#<VirtualHost webmail.kikisoso.org:443>
sites-enabled/squirrelmail:  SSLCertificateFile
/etc/apache2/ssl/webmail.kikisoso.org.cert.pem
sites-enabled/squirrelmail:  SSLCertificateKeyFile
/etc/apache2/ssl/webmail.kikisoso.org.key.pem
sites-enabled/squirrelmail:  SSLCACertificatePath /etc/ssl/certs
sites-enabled/squirrelmail:#<VirtualHost 1.2.3.4>
sites-enabled/000-default:NameVirtualHost *
sites-enabled/000-default:<VirtualHost *>
apache2.conf:# If you do not specify an ErrorLog directive within a
<VirtualHost>
apache2.conf:# logged here.  If you *do* define an error logfile for a
<VirtualHost>
ssl.conf:<VirtualHost _default_:443>
ssl.conf:#   Point SSLCertificateFile at a PEM encoded certificate.  If
ssl.conf:SSLCertificateFile /etc/apache2/ssl/www.kikisoso.org.cert.pem
ssl.conf:#SSLCertificateFile /etc/apache2/ssl.crt/server.crt
ssl.conf:#SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt
ssl.conf:SSLCertificateKeyFile /etc/apache2/ssl/www.kikisoso.org.key.pem
ssl.conf:#SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key
ssl.conf:#   Point SSLCertificateChainFile at a file containing the
ssl.conf:#   the referenced file can be the same as SSLCertificateFile
ssl.conf:#SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
ssl.conf:#   Note: Inside SSLCACertificatePath you need hash symlinks
ssl.conf:SSLCACertificatePath /var/www/CA
ssl.conf:#SSLCACertificatePath /etc/apache2/ssl.crt
ssl.conf:#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
-------------------------------------------------------------------------------

On the real server, the output is:

sites-enabled/000-default:NameVirtualHost *
sites-enabled/000-default:<VirtualHost *>
sites-enabled/tott.org:<VirtualHost 192.168.2.54:80>
sites-enabled/root:#NameVirtualHost 192.168.2.5
sites-enabled/root:#<VirtualHost 192.168.2.5:80>
sites-enabled/root:<VirtualHost 192.168.2.55:80>
sites-enabled/squirrelmail:<VirtualHost 192.168.2.55:443>
sites-enabled/squirrelmail:  SSLCertificateFile
/etc/apache2/ssl/webmail.tailofthetiger.org-cert.pem
sites-enabled/squirrelmail:  SSLCertificateKeyFile
/etc/apache2/ssl/webmail.tailofthetiger.org-key.pem
sites-enabled/squirrelmail:  SSLCACertificatePath /etc/ssl/certs
sites-enabled/www.karmecholing.org:NameVirtualHost 192.168.2.5:80
sites-enabled/www.karmecholing.org:<VirtualHost 192.168.2.5:80>
sites-enabled/secure.karmecholing.org:<VirtualHost 192.168.2.53:443>
sites-enabled/secure.karmecholing.org:#   Point SSLCertificateFile at a
PEM encoded certificate.  If
sites-enabled/secure.karmecholing.org:SSLCertificateFile
/etc/apache2/ssl/secure_karmecholing_org.crt
sites-enabled/secure.karmecholing.org:SSLCertificateKeyFile
/etc/apache2/ssl/secure.karmecholing.org-key.pem
sites-enabled/secure.karmecholing.org:#   Point SSLCertificateChainFile
at a file containing the
sites-enabled/secure.karmecholing.org:#   the referenced file can be the
same as SSLCertificateFile
sites-enabled/secure.karmecholing.org:#SSLCertificateChainFile
/etc/ssl/certs/ca-certificates.crt
sites-enabled/secure.karmecholing.org:#   Note: Inside
SSLCACertificatePath you need hash symlinks
sites-enabled/secure.karmecholing.org:SSLCACertificatePath /etc/ssl/certs
apache2.conf:# If you do not specify an ErrorLog directive within a
<VirtualHost>
apache2.conf:# logged here.  If you *do* define an error logfile for a
<VirtualHost>
-----------------------------------------------------------------------------

As you can see, we have several sites. Some served directly on the proxy
server mentioned above, several on other machines.

One thing that I didn't think of before is... do the servers have to be
exclusively one way or another, i.e. using the CAcert path or using the
CAcert file? I wouldn't have thought so, but .... maybe so. When I was
trying the CAcert file, (I believe) I still had settings for other
virtual hosts set for the CAcert path.

Happy New Year,
-jeff

> 
> Cheers,
> Stefan
>

Reply to:

References:
- Bug#441404: apache2: SSLCertificateChainFile also does not work with reverse proxy
  - From: Jeff Green <jeff@kikisoso.org>
- Bug#441404: apache2: SSLCertificateChainFile also does not work with reverse proxy
  - From: Stefan Fritsch <sf@sfritsch.de>

Prev by Date: Bug#69818: Viaaaagrrrraaaa is your magic weapon
Next by Date: Bug#156972: alderman savagery
Previous by thread: Bug#441404: apache2: SSLCertificateChainFile also does not work with reverse proxy
Next by thread: exiting prefork child doesn't clear request pool
Index(es):
- Date
- Thread