Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/11/16 07:21:18 UTC

[Bug 62915] New: SSLProxyCheckPeerName does not seem to work with Lets Encrypt full chain cert

https://bz.apache.org/bugzilla/show_bug.cgi?id=62915

            Bug ID: 62915
           Summary: SSLProxyCheckPeerName does not seem to work with Lets
                    Encrypt full chain cert
           Product: Apache httpd-2
           Version: 2.4.29
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_proxy
          Assignee: bugs@httpd.apache.org
          Reporter: kaysond@hotmail.com
  Target Milestone: ---

I'm trying to use apache2 to reverse proxy my router config page. The router
serves a certificate generated by Let's Encrypt using the DNS-01 challenge with
wildcard support, and I'm using the subdomain router.domain.com.

The certificate file contains both my domain cert and the intermediate Let's
Encrypt cert that's signed by DST Root CA X3. Per the documentation for
SSLProxyCheckPeerName, the Subject Alt Name contains

Not Critical
DNS Name: *.domain.com
DNS Name: domain.com

And the CN is domain.com

However, if I set up the proxy with

RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine On
ProxyPass "/" "https://192.168.1.1:443/"
ProxyPassReverse "/" "http://192.168.1.1:443/"

I get an "Error during SSL Handshake with remote server".

Just adding "SSLProxyCheckPeerName off", however, solves the problem. I'm not
sure if this also disables CA checking or if it's a problem with the chaining, but
I serve the same cert to my reverse proxy and web clients, and there are no
problems.

I'm happy to provide the cert privately.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 62915] SSLProxyCheckPeerName does not seem to work with Lets Encrypt full chain cert


--- Comment #3 from Aram Akhavan <ka...@hotmail.com> ---
I'm an idiot. Sorry. I don't know why I thought the cert is to match the host
that the client is connecting to...



[Bug 62915] SSLProxyCheckPeerName does not seem to work with Lets Encrypt full chain cert


Kirtan <ki...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kirtankshetty@gmail.com



[Bug 62915] SSLProxyCheckPeerName does not seem to work with Lets Encrypt full chain cert


--- Comment #1 from Aram Akhavan <ka...@hotmail.com> ---
This is running on Ubuntu 18.04, hence the slightly older release.



[Bug 62915] SSLProxyCheckPeerName does not seem to work with Lets Encrypt full chain cert


Aram Akhavan <ka...@hotmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kaysond@hotmail.com



[Bug 62915] SSLProxyCheckPeerName does not seem to work with Lets Encrypt full chain cert


Ruediger Pluem <rp...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #2 from Ruediger Pluem <rp...@apache.org> ---
This is because ProxyPass uses an IP address and not domain.com. It needs to be

ProxyPass "/" "https://domain.com:443/"

This is a configuration error and not a bug.

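The resolution above comes down to how a TLS client matches the host it was told to connect to against the names in the server certificate. The following Python is an added example written for this page; it is not httpd or mod_ssl code and does not reproduce their implementation. It applies the usual hostname-matching rules (RFC 6125 style) to a constructed dictionary shaped like the output of Python's ssl getpeercert(), using the names the reporter quoted from the router's certificate (the CN, SAN entries and hosts below are assumptions taken from the report, not data from the certificate itself). It shows why "https://192.168.1.1:443/" fails while "https://domain.com:443/" or "https://router.domain.com:443/" succeed: an IP literal is only ever compared against iPAddress SAN entries, never against a dNSName or the CN, and a "*.domain.com" wildcard covers exactly one label.

```python
import ipaddress

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(); the names are
# assumptions taken from the bug report, not the reporter's actual certificate.
ROUTER_CERT = {
    "subject": ((("commonName", "domain.com"),),),
    "subjectAltName": (("DNS", "*.domain.com"), ("DNS", "domain.com")),
}


def _dns_name_match(pattern, hostname):
    """Match one dNSName pattern against a hostname.

    A '*' is accepted only as the complete leftmost label and matches exactly
    one label, so '*.domain.com' covers router.domain.com but not domain.com
    or a.b.domain.com. Comparison is case-insensitive; trailing dots ignored.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # partial or non-leftmost wildcards are rejected
    if len(p_labels) < 3:
        return False  # refuse overly broad patterns such as '*.com'
    if len(h_labels) != len(p_labels):
        return False  # the wildcard stands in for exactly one label
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def peer_name_matches(cert, host):
    """Return True if `host` (the host part of the backend URL) is covered by `cert`."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    if _is_ip_literal(host):
        # An IP literal is compared only with iPAddress SAN entries, never with
        # dNSName entries or the CN. This is the reporter's failure mode.
        target = ipaddress.ip_address(host)
        return any(ipaddress.ip_address(ip) == target for ip in ip_names)
    if dns_names:
        # When dNSName entries exist the CN is ignored entirely.
        return any(_dns_name_match(p, host) for p in dns_names)
    # Legacy fallback: only consult the CN when the cert has no dNSName SAN.
    common_names = [
        value
        for rdn in cert.get("subject", ())
        for kind, value in rdn
        if kind == "commonName"
    ]
    return any(_dns_name_match(cn, host) for cn in common_names)


def describe(cert, url_host):
    """One-line verdict for a candidate backend host, for a quick table of outcomes."""
    verdict = "OK" if peer_name_matches(cert, url_host) else "name mismatch, handshake aborted"
    return f"{url_host}: {verdict}"


if __name__ == "__main__":
    for candidate in ("192.168.1.1", "router.domain.com", "domain.com",
                      "a.b.domain.com", "otherdomain.com"):
        print(describe(ROUTER_CERT, candidate))
```

Two practical notes for the httpd side. First, the host name in ProxyPass must resolve to the router on the proxy machine (via DNS or an /etc/hosts entry for router.domain.com pointing at 192.168.1.1), since that name is what httpd both connects to and checks. Second, SSLProxyCheckPeerName only governs the name comparison; chain validation is controlled by SSLProxyVerify, whose default is none, so a proxy that should actually authenticate the backend also needs SSLProxyVerify require together with SSLProxyCACertificateFile (or SSLProxyCACertificatePath) pointing at the trusted root. Turning SSLProxyCheckPeerName off, as the reporter did, silences the symptom but leaves the proxy willing to talk to any host presenting that certificate, or any certificate at all if SSLProxyVerify is left at its default.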