Posted to docs@httpd.apache.org by bu...@apache.org on 2021/03/09 16:24:43 UTC

[Bug 63936] Multiple Certs&Keys in a file used with SSLProxyMachineCertificateFile

https://bz.apache.org/bugzilla/show_bug.cgi?id=63936

Dave Bevan <da...@bbc.co.uk> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |INFORMATIONPROVIDED

--- Comment #2 from Dave Bevan <da...@bbc.co.uk> ---
Hi @Joe

Any idea when the docs at httpd.apache.org will be updated to reflect the
changes described here?

I faced several hours today fighting a somewhat-related issue, which could have
been resolved had this advice been live, and not found only when I went to file
a bug report.

My situation was slightly different to that described by the reporter -
Heinrick.

My situation was this:

SSLProxyMachineCertificateFile contained a full-chain cert + plain RSA private
key.

I was misled by the error message "AH02252: incomplete client cert configured
for SSL proxy (missing or encrypted private key?)", which is, sort-of true, but
only when armed and intersected with the extended knowledge detailed in this
change!

In the end, it was more luck rather than research that led me to remove the
chain-participant certs, and bingo, things started to work as expected.

Perhaps the language used could be even more explicit than the newly-revised
text? For example:

Your SSLProxyMachineCertificateFile file must contain one or more of the
following: a matched pair of plain (not encrypted) private key + client cert:

-----BEGIN RSA PRIVATE KEY-----
your private key for this client cert
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
your client certificate
-----END CERTIFICATE-----

You can repeat the pairs. Do NOT insert any associated chain/intermediate/root
certificates into this file. See SSLProxyMachineCertificateChainFile to supply
details of chain certificates should they not already be deployed and generally
available to your host.

?

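The layout rule in the comment above (plain key + client cert pairs only, chain certs elsewhere) is easy to check mechanically before httpd ever reports AH02252. The script below is an added example, not code from the bug report or from httpd: it lints a PEM bundle for exactly that layout and splits a full-chain bundle into the two files SSLProxyMachineCertificateFile and SSLProxyMachineCertificateChainFile expect. The pairing rule it applies (a certificate is paired with the key immediately before or after it) is this script's own model and is not a reproduction of mod_ssl's loading code; the sample bundle is constructed with placeholder bodies, not real key or certificate material, and no X.509 parsing or key/cert matching is done.

```python
"""Structural lint for the PEM bundle given to httpd's SSLProxyMachineCertificateFile.

Added example, not from the bug report or from httpd. Checks only the layout
the comment describes (plain key + client cert pairs, no chain certs); it does
not parse X.509 and cannot verify that a key really belongs to a certificate.
"""
import re

# One PEM block: the label, then everything up to the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY", "PRIVATE KEY"}
ENCRYPTED_KEY_LABEL = "ENCRYPTED PRIVATE KEY"  # PKCS#8 encrypted form

# Constructed sample: the full-chain layout the comment reports as failing.
# The base64 bodies are placeholders, not real key or certificate material.
FULL_CHAIN_BUNDLE = """\
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAplaceholderclientkey
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDdzCCAl8CAQEplaceholderclientcert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDdzCCAl8CAQIplaceholderintermediate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDdzCCAl8CAQMplaceholderroot
-----END CERTIFICATE-----
"""


def parse_pem(text):
    """Return [(label, body), ...] for every PEM block, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def is_encrypted_key(label, body):
    # PKCS#8 uses its own label; legacy PKCS#1/SEC1 PEM marks encryption
    # with a "Proc-Type: 4,ENCRYPTED" header line inside the block.
    return label == ENCRYPTED_KEY_LABEL or "Proc-Type: 4,ENCRYPTED" in body


def _chain_msg(i):
    return (f"block {i}: certificate without a private key (chain/intermediate/"
            "root cert?); move it to SSLProxyMachineCertificateChainFile")


def lint_machine_cert_file(text):
    """Return (pairs, problems): pairs are (key_block, cert_block) 1-based
    positions; an empty problems list means the layout matches the comment.
    Model (not mod_ssl's code): a cert pairs with the key directly before or
    after it; a cert left without one is reported as a probable chain cert."""
    blocks = parse_pem(text)
    pairs, problems = [], []
    pending_key = pending_cert = None
    if not blocks:
        problems.append("no PEM blocks found")
    for i, (label, body) in enumerate(blocks, 1):
        if label in KEY_LABELS or label == ENCRYPTED_KEY_LABEL:
            if is_encrypted_key(label, body):
                problems.append(f"block {i}: encrypted private key; mod_ssl "
                                "needs a plain (unencrypted) key here")
            if pending_key is not None:
                problems.append(f"block {pending_key}: private key without a certificate")
            pending_key = i
        elif label == "CERTIFICATE":
            if pending_cert is not None:
                problems.append(_chain_msg(pending_cert))
            pending_cert = i
        else:
            problems.append(f"block {i}: unexpected PEM block type '{label}'")
        if pending_key is not None and pending_cert is not None:
            pairs.append((pending_key, pending_cert))
            pending_key = pending_cert = None
    if pending_key is not None:
        problems.append(f"block {pending_key}: private key without a certificate")
    if pending_cert is not None:
        problems.append(_chain_msg(pending_cert))
    return pairs, problems


def split_bundle(text):
    """Return (machine_file_text, chain_file_text): paired key+cert blocks go
    to SSLProxyMachineCertificateFile, unpaired certs to the ChainFile."""
    blocks = parse_pem(text)
    pairs, _problems = lint_machine_cert_file(text)
    paired = {i for pair in pairs for i in pair}

    def render(i):
        label, body = blocks[i - 1]
        return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

    machine = "".join(render(i) for pair in pairs for i in pair)
    chain = "".join(render(i) for i, (label, _b) in enumerate(blocks, 1)
                    if label == "CERTIFICATE" and i not in paired)
    return machine, chain


if __name__ == "__main__":
    found_pairs, found_problems = lint_machine_cert_file(FULL_CHAIN_BUNDLE)
    print("pairs:", found_pairs)
    for p in found_problems:
        print("PROBLEM", p)
    machine_txt, chain_txt = split_bundle(FULL_CHAIN_BUNDLE)
    print("--- SSLProxyMachineCertificateFile ---\n" + machine_txt)
    print("--- SSLProxyMachineCertificateChainFile ---\n" + chain_txt)
```

Run against the constructed bundle, the lint pairs the key with the first certificate and flags blocks 3 and 4 as certificates without a key, which is the situation described in the comment; `split_bundle` then writes out the two files to point the directives at. An encrypted key (PKCS#8 label or a legacy `Proc-Type: 4,ENCRYPTED` header) is reported separately, since that is the other cause AH02252 hints at.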