Posted to users@httpd.apache.org by Paul van Weller <pa...@gmail.com> on 2020/05/26 12:29:21 UTC

[users@httpd] ReverseProxy mTLS in backend

Hi,

I have configured apache (2.4.6 on RHEL7) as a reverse proxy, forwarding
requests to a tomcat 8.5 (HTTP connector) which requests a client
certificate.

All works as long as I have the CA certificate of the client certificate
used by the apache rp in the configured truststore at the tomcat end.

The thing is that I would like to put only the specific client certificate
in the truststore rather than the CA of the certificate.

When I remove the CA (of the client certificate apache is using to
authenticate towards tomcat) from the tomcat truststore and instead add the
public certificate apache is supposed to use to authenticate, apache is not
willing to pick the right client certificate and backend communication
fails.

   AH02269: Proxy client certificate callback: (xxx.xxx.com:443) no client
certificate found!?

I was hoping I could use SSLProxyMachineCertificateChainFile to tell apache
that it is ok to use the certificate configured as
per SSLProxyMachineCertificateFile but this does not work either.

Any hints are highly appreciated.

Best regards
Paul
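Added illustration, not part of the original post: mod_ssl's proxy certificate callback only offers a certificate from SSLProxyMachineCertificateFile when its issuer DN appears in the certificate_authorities list the backend sends in its CertificateRequest, and a JSSE backend builds that list from the subjects of whatever sits in its truststore. The model below (constructed DNs, chain-file matching omitted) reproduces why a truststore holding only the leaf yields "no client certificate found".

```python
import struct

# Models the selection rule behind AH02269: the backend advertises the DNs
# of the certificates in its truststore; the proxy only offers a configured
# client certificate whose *issuer* DN is in that advertised list.

def der_name(cn):
    """DER-encode a one-RDN X.501 Name, CN=<cn> (OID 2.5.4.3, UTF8String)."""
    def tlv(tag, body):
        assert len(body) < 128  # short-form length is enough for these sample names
        return bytes([tag, len(body)]) + body
    attr = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, attr))

def encode_ca_list(names):
    """TLS 1.2 certificate_authorities: 2-byte total length, then 2-byte-prefixed DNs."""
    body = b"".join(struct.pack(">H", len(n)) + n for n in names)
    return struct.pack(">H", len(body)) + body

def parse_ca_list(blob):
    """Inverse of encode_ca_list; returns the list of DER-encoded DNs."""
    total = struct.unpack(">H", blob[:2])[0]
    names, pos = [], 2
    while pos < 2 + total:
        n = struct.unpack(">H", blob[pos:pos + 2])[0]
        names.append(blob[pos + 2:pos + 2 + n])
        pos += 2 + n
    return names

def pick_proxy_cert(machine_certs, ca_list_blob):
    """First configured cert whose issuer the backend advertised, else None (the AH02269 case)."""
    acceptable = parse_ca_list(ca_list_blob)
    for cert in machine_certs:
        if cert["issuer"] in acceptable:
            return cert
    return None

# Constructed sample: the proxy's client cert, issued by a hypothetical internal CA.
PROXY_CERT = {"subject": der_name("apache-rp.example.com"),
              "issuer": der_name("Example Internal CA")}

def demo():
    # Truststore holds the CA: backend advertises the CA's DN, cert is selected.
    with_ca = encode_ca_list([der_name("Example Internal CA")])
    # Truststore holds only the leaf: backend advertises the leaf's own subject,
    # which never equals the leaf's issuer, so nothing is offered.
    leaf_only = encode_ca_list([der_name("apache-rp.example.com")])
    return pick_proxy_cert([PROXY_CERT], with_ca), pick_proxy_cert([PROXY_CERT], leaf_only)
```

The same mismatch explains why SSLProxyMachineCertificateChainFile does not help here: the chain's issuers are CA names too, and the backend is advertising none of them.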