Posted to dev@httpd.apache.org by Graham Leggett <mi...@sharp.fm> on 2019/01/05 14:10:20 UTC

AH02268: Proxy client certificate callback: downstream server wanted client certificate but none are configured

Hi all,

I am trying to connect an httpd reverse proxy to a backend tomcat, and have this particular hop protected by a client certificate.

The error I get is:

[Sat Jan 05 14:02:54.252552 2019] [ssl:warn] [pid 16448:tid 139929388369664] AH02268: Proxy client certificate callback: (jira.example.com:443) downstream server wanted client certificate but none are configured

Ok, so httpd is telling me that the tomcat has requested a client certificate (entirely true) but httpd is not configured with a client certificate.

Except httpd is configured with a client certificate, as follows:

    SSLProxyEngine on
    SSLProxyMachineCertificateFile /etc/pki/httpd/client.cert
    SSLProxyMachineCertificateChainFile /etc/pki/httpd/client.chain
    SSLProxyCACertificateFile /etc/pki/httpd/client-ca.crt
    SSLProxyVerify require
    SSLProxyVerifyDepth 3

Does this functionality work in httpd v2.4.35, or is it configured incorrectly?

(As soon as I can get this working, I would like to fix our docs to be clear how to do this)

Regards,
Graham
—
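Before chasing a configuration-merge problem, the file handed to SSLProxyMachineCertificateFile is worth a sanity check on its own: mod_ssl expects that file to be the concatenation of PEM client certificates, each followed by its own unencrypted private key, while intermediate CA certificates go into SSLProxyMachineCertificateChainFile. The script below is an added example, not code from the httpd project or from this thread; it only inspects the PEM framing of the bundle (block labels, encryption headers, certificate/key counts), not the DER contents, and the sample bundles are constructed with placeholder bodies rather than real key material.

```python
"""Pre-flight check for an SSLProxyMachineCertificateFile bundle.

Added example, not code from the httpd project or the thread. mod_ssl expects
the file to be PEM client certificates, each followed by its own unencrypted
private key; intermediate CA certificates belong in
SSLProxyMachineCertificateChainFile. Only the PEM framing is checked here:
the DER is not decoded and no key-to-certificate match is verified.
"""
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def pem_blocks(text):
    """Return (label, body) for every PEM block, in file order."""
    return [(m.group("label"), m.group("body")) for m in PEM_BLOCK.finditer(text)]


def check_machine_cert_bundle(text):
    """Return a list of human-readable problems; an empty list means the layout is usable."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found"]

    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    problems = []

    if not certs:
        problems.append("no CERTIFICATE block")
    if not keys:
        problems.append("no PRIVATE KEY block (the key must live in the same file as the certificate)")
    # PKCS#8 encrypted keys carry their own label; legacy PEM keys carry a Proc-Type header.
    if any(label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
           for label, body in keys):
        problems.append("encrypted private key (mod_ssl needs the proxy key unencrypted)")
    if certs and keys and len(certs) != len(keys):
        problems.append(
            "%d certificate(s) but %d key(s); each client certificate needs its own key, "
            "and intermediate CA certificates belong in SSLProxyMachineCertificateChainFile"
            % (len(certs), len(keys)))
    for label, _ in blocks:
        if label != "CERTIFICATE" and not label.endswith("PRIVATE KEY"):
            problems.append("unexpected %s block" % label)
    return problems


# Constructed sample input: the base64 bodies are placeholders, not real key material.
GOOD_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBplaceholder
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEplaceholder
-----END PRIVATE KEY-----
"""
# Certificate alone, with the key kept in a separate file, which this directive does not accept.
CERT_ONLY = GOOD_BUNDLE.split("-----BEGIN PRIVATE KEY-----")[0]
# Legacy PEM key with an encryption header.
ENCRYPTED_KEY_BUNDLE = GOOD_BUNDLE.replace(
    "-----BEGIN PRIVATE KEY-----\n",
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n",
).replace("-----END PRIVATE KEY-----", "-----END RSA PRIVATE KEY-----")
# An intermediate CA certificate concatenated here instead of into the chain file.
EXTRA_CERT_BUNDLE = CERT_ONLY + GOOD_BUNDLE


def main(argv):
    if len(argv) != 2:
        print("usage: %s /path/to/client.cert" % argv[0])
        return 2
    with open(argv[1]) as fh:
        problems = check_machine_cert_bundle(fh.read())
    for problem in problems:
        print("PROBLEM:", problem)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real bundle (`python3 check_bundle.py /etc/pki/httpd/client.cert`); a clean exit status means the file at least has the shape mod_ssl wants, and any remaining "none are configured" warning points at how the directives are merged rather than at the file.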


Re: AH02268: Proxy client certificate callback: downstream server wanted client certificate but none are configured

Posted by Daniel Ruggeri <dr...@primary.net>.
Hi, Graham;
   Yes, it should work fine... I use this kind of config a TON at $dayjob. It's very strange httpd would say none are configured. Is it possible the directives you've listed are in a different vhost? Maybe there are some bread crumbs with trace8 logs during start up? You could also maybe try moving all of the directives to the server level and see if we may have an unexpected merge problem.

You should at least see information about loading the key pair and what the client-side chain looks like from SSLProxyMachineCertificateChainFile on trace8.
-- 
Daniel Ruggeri

On January 5, 2019 8:10:20 AM CST, Graham Leggett <mi...@sharp.fm> wrote:
>Hi all,
>
>I am trying to connect an httpd reverse proxy to a backend tomcat, and
>have this particular hop protected by a client certificate.
>
>The error I get is:
>
>[Sat Jan 05 14:02:54.252552 2019] [ssl:warn] [pid 16448:tid
>139929388369664] AH02268: Proxy client certificate callback:
>(jira.example.com:443) downstream server wanted client certificate but
>none are configured
>
>Ok, so httpd is telling me that the tomcat has requested a client
>certificate (entirely true) but httpd is not configured with a client
>certificate.
>
>Except httpd is configured with a client certificate, as follows:
>
>    SSLProxyEngine on
>    SSLProxyMachineCertificateFile /etc/pki/httpd/client.cert
>    SSLProxyMachineCertificateChainFile /etc/pki/httpd/client.chain
>    SSLProxyCACertificateFile /etc/pki/httpd/client-ca.crt
>    SSLProxyVerify require
>    SSLProxyVerifyDepth 3
>
>Does this functionality work in httpd v2.4.35, or is it configured
>incorrectly?
>
>(As soon as I can get this working, I would like to fix our docs to be
>clear how to do this)
>
>Regards,
>Graham
>—

Re: AH02268: Proxy client certificate callback: downstream server wanted client certificate but none are configured

Posted by Rainer Jung <ra...@kippdata.de>.
On 05.01.2019 at 15:10, Graham Leggett wrote:
> Hi all,
> 
> I am trying to connect an httpd reverse proxy to a backend tomcat, and have this particular hop protected by a client certificate.
> 
> The error I get is:
> 
> [Sat Jan 05 14:02:54.252552 2019] [ssl:warn] [pid 16448:tid 139929388369664] AH02268: Proxy client certificate callback: (jira.example.com:443) downstream server wanted client certificate but none are configured
> 
> Ok, so httpd is telling me that the tomcat has requested a client certificate (entirely true) but httpd is not configured with a client certificate.
> 
> Except httpd is configured with a client certificate, as follows:
> 
>      SSLProxyEngine on
>      SSLProxyMachineCertificateFile /etc/pki/httpd/client.cert
>      SSLProxyMachineCertificateChainFile /etc/pki/httpd/client.chain
>      SSLProxyCACertificateFile /etc/pki/httpd/client-ca.crt
>      SSLProxyVerify require
>      SSLProxyVerifyDepth 3
> 
> Does this functionality work in httpd v2.4.35, or is it configured incorrectly?
> 
> (As soon as I can get this working, I would like to fix our docs to be clear how to do this)

Since you mention 2.4.35 explicitly, the following changelog entries come to my mind:

2.4.37

   *) mod_ssl: Correctly merge configurations that have client certificates set by SSLProxyMachineCertificate{File|Path}. [Ruediger Pluem]

2.4.36

   *) mod_ssl: Fix a regression that the configuration settings for verify mode and verify depth were taken from the frontend connection in case of connections by the proxy to the backend. PR 62769. [Ruediger Pluem]

The first got broken likely in 2.4.30, the second was reported for 2.4.34 and was only fixed in 36, so it should be broken in 35 as well.

The first has the additional log info (r1844226):

The certificates and keys loaded during configuration time got lost during runtime if e.g. SSLProxyMachineCertificate{File|Path} was set on virtual host level and there was an SSL directive at directory level, e.g. SSLRequire.
This fixes a regression likely introduced in r1740928 (backported in r1824187).
Backport of r1844002 from trunk.

Regards,

Rainer
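The two layouts below put Rainer's r1844226 description and Daniel's "move everything to the server level" suggestion side by side. This is an added configuration example, not from the thread or the httpd project: the SSLProxy* directives and paths are Graham's, while the ServerName, the server certificate paths, the SSLRequire expression and the backend URL (taken from the host in the log line) are assumptions.

```apache
# Layout 1: the shape r1844226 describes as losing the proxy credential at
# runtime on the affected releases (per the changelog entries above, likely
# 2.4.30 through 2.4.36). The proxy client certificate is configured at
# virtual-host level and a mod_ssl directive (here SSLRequire) appears in a
# directory context, so the per-directory merge drops the loaded certs/keys.
<VirtualHost *:443>
    # assumed hostname and server certificate paths
    ServerName proxy.example.com
    SSLEngine on
    SSLCertificateFile /etc/pki/httpd/server.crt
    SSLCertificateKeyFile /etc/pki/httpd/server.key

    SSLProxyEngine on
    SSLProxyMachineCertificateFile /etc/pki/httpd/client.cert
    SSLProxyMachineCertificateChainFile /etc/pki/httpd/client.chain
    SSLProxyCACertificateFile /etc/pki/httpd/client-ca.crt
    SSLProxyVerify require
    SSLProxyVerifyDepth 3

    <Location /admin>
        # any per-directory mod_ssl directive is enough to trigger the merge
        # (assumed expression)
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Corp"
    </Location>

    # backend host taken from the AH02268 log line
    ProxyPass        / https://jira.example.com/
    ProxyPassReverse / https://jira.example.com/
</VirtualHost>

# Layout 2: the same deployment with the proxy client credential moved to the
# main server context, as Daniel suggests. Virtual hosts inherit these values,
# and there is no vhost-level SSLProxyMachineCertificate* setting left for the
# directory-level merge to lose. The per-directory SSLRequire and the proxy
# rules stay where they are.
SSLProxyEngine on
SSLProxyMachineCertificateFile /etc/pki/httpd/client.cert
SSLProxyMachineCertificateChainFile /etc/pki/httpd/client.chain
SSLProxyCACertificateFile /etc/pki/httpd/client-ca.crt
SSLProxyVerify require
SSLProxyVerifyDepth 3

<VirtualHost *:443>
    ServerName proxy.example.com
    SSLEngine on
    SSLCertificateFile /etc/pki/httpd/server.crt
    SSLCertificateKeyFile /etc/pki/httpd/server.key

    <Location /admin>
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Corp"
    </Location>

    ProxyPass        / https://jira.example.com/
    ProxyPassReverse / https://jira.example.com/
</VirtualHost>
```

Layout 2 only works around the first regression (the lost certificates). The second entry Rainer quotes, fixed in 2.4.36, concerns the verify mode and depth for the backend connection being taken from the frontend settings; on 2.4.34 and 2.4.35 the `SSLProxyVerify`/`SSLProxyVerifyDepth` values in either layout may therefore not be the ones applied to the hop to Tomcat, so the backend-side verification should be confirmed separately on those releases.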