Posted to bugs@httpd.apache.org by bu...@apache.org on 2013/10/18 23:03:47 UTC
[Bug 55673] New: httpd fails to start with
SSLProxyMachineCertificateFile with openssl 1.0 cert
https://issues.apache.org/bugzilla/show_bug.cgi?id=55673
Bug ID: 55673
Summary: httpd fails to start with
SSLProxyMachineCertificateFile with openssl 1.0 cert
Product: Apache httpd-2
Version: 2.4.6
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: fredk2@gmail.com
Hi,
We have configured an Apache to proxy to an SSL backend. The related SSL
configuration is:
LoadModule ssl_module modules/mod_ssl.so
<VirtualHost 1.2.3.4:443>
SSLEngine on
</VirtualHost>
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite AES256-SHA:DES-CBC3-SHA:AES128-SHA
SSLCertificateFile ssl/servercert.pem
SSLProxyEngine on
SSLProxyMachineCertificateFile ssl/servercert.pem
SSLProxyMachineCertificateChainFile ssl/cacerts.pem
</IfModule>
Apache fails to start when servercert.pem looks like this:
-----BEGIN PRIVATE KEY-----
the key
-----END PRIVATE KEY-----
The error logs are:
[Fri Oct 18 17:32:53.837463 2013] [ssl:debug] [pid 463004:tid 139787389822720]
ssl_engine_pphrase.c(181): AH02199: SSL not enabled on vhost foo.com:80,
skipping SSL setup
[Fri Oct 18 17:32:53.837502 2013] [ssl:info] [pid 463004:tid 139787389822720]
AH02200: Loading certificate & private key of SSL-aware server myhost.com:8443'
[Fri Oct 18 17:32:53.837733 2013] [ssl:debug] [pid 463004:tid 139787389822720]
ssl_engine_pphrase.c(239): AH02202: Init: Read server certificate from
'/opt/apache/ssl/servercert.pem'
[Fri Oct 18 17:32:53.837938 2013] [ssl:debug] [pid 463004:tid 139787389822720]
ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase
not required
[Fri Oct 18 17:32:53.976865 2013] [ssl:info] [pid 463004:tid 139787389822720]
AH01887: Init: Initializing (virtual) servers for SSL
AH02252: incomplete client cert configured for SSL proxy (missing or encrypted
private key?)
[Fri Oct 18 17:32:53.977284 2013] [ssl:emerg] [pid 463004:tid 139787389822720]
AH02312: Fatal error initialising mod_ssl, exiting.
1/ oddly it appears you can work around the problem by changing the line from
-----BEGIN PRIVATE KEY----- to -----BEGIN RSA PRIVATE KEY-----
2/ the problem happens only with SSLProxyMachineCertificateFile, the same
certificate works fine with SSLCACertificateFile
The problem stems from our CA generating the certs with openssl 1.0.1e, which
changed (compared to 0.9.8) its default private key format to PKCS#8.
Since the SSLCACertificateFile directive appears to support either format,
PKCS#1 or #8, it is strange that SSLProxyMachineCertificateFile does not – is
this a bug or am I missing something?
Thank you very much,
Regards - Fred
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
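The report above turns on the difference between a PKCS#8 key (BEGIN PRIVATE KEY) and a traditional PKCS#1 RSA key (BEGIN RSA PRIVATE KEY). As an added example (not part of the report and not httpd code), this Python script classifies each private-key block in a PEM file by its DER structure rather than its label, so a file edited as in workaround 1/ reports a PKCS#8 structure under the RSA PRIVATE KEY label. The function names and the DER stubs are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def tlv(der, pos):
    """Return (tag, content_start, content_length) of the DER element at pos."""
    tag, first = der[pos], der[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                      # long form: n length bytes follow
    return tag, pos + 2 + n, int.from_bytes(der[pos + 2:pos + 2 + n], "big")

def der_key_format(der):
    """Classify an unencrypted key by DER structure, ignoring the PEM label."""
    try:
        tag, start, _ = tlv(der, 0)               # outer SEQUENCE
        vtag, vstart, vlen = tlv(der, start)      # version INTEGER
        if tag != 0x30 or vtag != 0x02:
            return "unknown"
        # PKCS#8: AlgorithmIdentifier SEQUENCE follows; PKCS#1 RSA: modulus INTEGER.
        return {0x30: "PKCS#8", 0x02: "PKCS#1"}.get(der[vstart + vlen], "unknown")
    except IndexError:
        return "unknown"

def inspect_pem(text):
    """Return (label, structure) for every private-key block in PEM text."""
    found = []
    for label, body in PEM_RE.findall(text):
        if not label.endswith("PRIVATE KEY"):
            continue                              # certificates etc.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type:" in body:
            found.append((label, "encrypted"))
        else:
            found.append((label, der_key_format(base64.b64decode(body))))
    return found

def pem(label, der):
    """Wrap DER bytes in a PEM block (helper for the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed DER stubs: correct outer structure only, not real keys.
RSA_ALG = bytes.fromhex("300d06092a864886f70d0101010500")
PKCS8_STUB = bytes.fromhex("3016020100") + RSA_ALG + bytes.fromhex("04020500")
PKCS1_STUB = bytes.fromhex("3006020100020105")

if __name__ == "__main__":
    sample = pem("PRIVATE KEY", PKCS8_STUB) + pem("RSA PRIVATE KEY", PKCS8_STUB)
    for label, structure in inspect_pem(sample):
        print(f"{label}: {structure}")
```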
[Bug 55673] httpd fails to start with SSLProxyMachineCertificateFile
with openssl 1.0 cert
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55673
Jesus Alejandre <al...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |alejandrejesus1123@gmail.com