In JBoss Web Server, when the client key pair configured for the SSL proxy (the proxy client certificate file, SSLProxyMachineCertificateFile, as used for example by a mod_cluster configuration) contains a PKCS#8 private key generated by OpenSSL, JBoss Web Server logs the following error and then terminates:
----
incomplete client cert configured for SSL proxy (missing or encrypted private key?)
----
mod_ssl loads the proxy certificate and its private key from a single PEM file with a different OpenSSL routine than the one it uses for SSLCertificateKeyFile, and that routine recognises only the traditional key encoding (a "-----BEGIN RSA PRIVATE KEY-----" block), not the PKCS#8 encoding ("-----BEGIN PRIVATE KEY-----") that OpenSSL 1.0.0 and later write by default for keys created with openssl req. The same error is reported when the key in the proxy certificate file is pass-phrase protected, because the proxy loader cannot decrypt keys.
This is a known issue in JBoss Web Server 3.0. As a workaround, convert the key from PKCS#8 to the traditional PEM encoding of the RSA key (with "openssl pkcs8", or with "openssl rsa -in key.pk8 -out key.pem") and place the converted, unencrypted key in the proxy certificate file. SSLCertificateKeyFile is not affected and accepts PKCS#8 keys.
Description of problem:
When using a PKCS#8 key generated by OpenSSL, EWS gives the following error and then terminates:
incomplete client cert configured for SSL proxy (missing or encrypted private key?)
Version-Release number of selected component (if applicable):
EWS 2.0.1 on RHEL 6.
OpenSSL 1.0.0-fips 29 Mar 2010
How reproducible:
readily
Steps to Reproduce:
1. Generate certificates
2. Configure mod_cluster configuration with the certificate
3. Start EWS (apachectl -k start)
Actual results:
Apache attempts to start, but terminates after logging:
[Wed Oct 30 16:16:56 2013] [info] Init: Initialized OpenSSL library
[Wed Oct 30 16:16:56 2013] [info] Init: Seeding PRNG with 0 bytes of entropy
[Wed Oct 30 16:16:56 2013] [notice] SSL FIPS mode disabled
[Wed Oct 30 16:16:56 2013] [info] Loading certificate & private key of SSL-aware server
[Wed Oct 30 16:16:56 2013] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Wed Oct 30 16:16:56 2013] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Oct 30 16:16:56 2013] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Oct 30 16:16:56 2013] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Oct 30 16:16:56 2013] [info] Init: Initializing (virtual) servers for SSL
[Wed Oct 30 16:16:56 2013] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv3, TLSv1)
[Wed Oct 30 16:16:56 2013] [debug] ssl_engine_init.c(601): Configuring client authentication
[Wed Oct 30 16:16:56 2013] [debug] ssl_engine_init.c(1199): CA certificate: /CN=jboss
incomplete client cert configured for SSL proxy (missing or encrypted private key?)
Expected results:
Startup and work with PKCS#8 certificates.
Additional info:
OpenSSL changed the default key format to PKCS#8 (from PKCS#1) in version 1.0.0. So supporting PKCS#8 certificates is more important on RHEL 6.
Also, SSLCertificateKeyFile having a PKCS#8 certificate works fine.
Yes, that is not supported by mod_ssl. When loading the proxy key pair mod_ssl uses different functions, which don't handle the PKCS#8 format. It is simple enough to convert from PKCS#8 to the raw PEM encoding of the RSA key; use "openssl pkcs8".
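The workaround described in the known-issue text at the top of the page and in the comment above, as an added example that is not part of JBoss Web Server, mod_ssl or the bug report: classify a PEM key by its block header, convert an unencrypted PKCS#8 key to the traditional RSA encoding that the proxy loader accepts, check that key and certificate actually belong together, and assemble the combined certificate-plus-key file. File names are placeholders. The script assumes "openssl pkcs8 -traditional" (OpenSSL 1.1.0 and later) and falls back to "openssl rsa" for the 1.0.x builds named in this bug, where that command writes the traditional encoding; encrypted keys are refused rather than decrypted, since the proxy loader reports them with the same "incomplete client cert" error.

```shell
#!/bin/sh
# Added example (not code from JBoss Web Server, mod_ssl or this bug report).
# Inspect a PEM private key, convert unencrypted PKCS#8 to the traditional
# "RSA PRIVATE KEY" encoding, and build the combined certificate+key file
# for the SSL proxy client certificate. File names are placeholders.

# Classify a PEM private key by its first "-----BEGIN" line.
# Unencrypted PKCS#8 is "BEGIN PRIVATE KEY"; the encoding the proxy loader
# accepts is "BEGIN RSA PRIVATE KEY" without a "Proc-Type: 4,ENCRYPTED" header.
pem_key_kind() {
    hdr=$(grep -- '-----BEGIN' "$1" | head -n 1)
    case "$hdr" in
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN DSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----')
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo traditional-encrypted
            else
                echo traditional
            fi ;;
        *) echo unknown ;;
    esac
}

# Write "$1" as an unencrypted traditional-encoding key to "$2".
# "openssl pkcs8" without -topk8 reads PKCS#8; -traditional (OpenSSL 1.1.0+)
# forces the RSA PRIVATE KEY output. OpenSSL 1.0.x lacks -traditional, so
# fall back to "openssl rsa", which writes the traditional encoding there.
# Encrypted keys are refused: decrypt them first (e.g. "openssl rsa -in
# enc.pem -out dec.pem", which prompts for the pass phrase).
to_traditional() {
    case "$(pem_key_kind "$1")" in
        traditional) cp "$1" "$2" ;;
        pkcs8)
            if ! openssl pkcs8 -in "$1" -nocrypt -traditional -out "$2" 2>/dev/null; then
                openssl rsa -in "$1" -out "$2" 2>/dev/null || return 1
            fi ;;
        *) return 1 ;;
    esac
    [ "$(pem_key_kind "$2")" = traditional ]
}

# Check that certificate "$1" and key "$2" share one RSA modulus, so a
# mismatched pair is caught before httpd is restarted.
key_matches_cert() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = \
      "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# Assemble certificate "$1" followed by key "$2" into "$3", the single file
# the proxy directive points at. Refuses any key the proxy loader would
# report as "incomplete" (PKCS#8 or encrypted) and any key/cert mismatch.
build_proxy_pem() {
    [ "$(pem_key_kind "$2")" = traditional ] || return 1
    key_matches_cert "$1" "$2" || return 1
    cat "$1" "$2" > "$3"
}
```

Typical use is `to_traditional client.key.pk8 client.key && build_proxy_pem client.crt client.key proxy.pem`, then pointing the proxy client certificate directive at proxy.pem and restarting httpd; a non-zero exit from either function means the file would still trigger the error above.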
Comment 4 Michal Karm Babacek
2015-04-27 06:38:16 UTC
We still have the same kind of issue with:
Fedora 20 OpenSSL/1.0.1e-fips
RHEL 7 OpenSSL/1.0.1e-fips
RHEL 6 OpenSSL/1.0.1e-fips
Windows 2012 R2 OpenSSL/1.0.1e
> [ssl:debug] [pid 5167] ssl_engine_pphrase.c(239): AH02202: Init: Read server certificate from '/home/mbabacek/JWS/jws-3.0/httpd/certs/apache_cert.pem'
> [ssl:debug] [pid 5167] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
> [ssl:info] [pid 5167] AH01887: Init: Initializing (virtual) servers for SSL
> [ssl:debug] [pid 5167] ssl_engine_init.c(1524): AH02209: CA certificate: CN=jboss
> AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)
> [ssl:emerg] [pid 5167] AH02312: Fatal error initialising mod_ssl, exiting.
Comment 5 Jean-frederic Clere
2015-04-27 07:28:12 UTC
So it should stay a known issue and be documented for JWS3.
Comment 6 Michal Karm Babacek
2016-05-26 09:41:52 UTC
Is it resolved by updating OpenSSL to 1.0.2h or is it a mod_ssl code limitation?
Comment 7 Jean-frederic Clere
2016-07-27 09:16:18 UTC
It is a mod_ssl limitation; it won't be fixed in ews-2.1.x.