Description of problem:
When using a PKCS#8 key generated by OpenSSL, EWS gives the following error and then terminates: incomplete client cert configured for SSL proxy (missing or encrypted private key?)

Version-Release number of selected component (if applicable):
EWS 2.0.1 on RHEL 6.
OpenSSL 1.0.0-fips 29 Mar 2010

How reproducible: readily

Steps to Reproduce:
1. Generate certificates
2. Configure mod_cluster configuration with the certificate
3. Start EWS (apachectl -k start)

Actual results:
Apache attempts to start, but terminates after logging:

[Wed Oct 30 16:16:56 2013] [info] Init: Initialized OpenSSL library
[Wed Oct 30 16:16:56 2013] [info] Init: Seeding PRNG with 0 bytes of entropy
[Wed Oct 30 16:16:56 2013] [notice] SSL FIPS mode disabled
[Wed Oct 30 16:16:56 2013] [info] Loading certificate & private key of SSL-aware server
[Wed Oct 30 16:16:56 2013] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Wed Oct 30 16:16:56 2013] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Oct 30 16:16:56 2013] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Oct 30 16:16:56 2013] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Oct 30 16:16:56 2013] [info] Init: Initializing (virtual) servers for SSL
[Wed Oct 30 16:16:56 2013] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv3, TLSv1)
[Wed Oct 30 16:16:56 2013] [debug] ssl_engine_init.c(601): Configuring client authentication
[Wed Oct 30 16:16:56 2013] [debug] ssl_engine_init.c(1199): CA certificate: /CN=jboss
incomplete client cert configured for SSL proxy (missing or encrypted private key?)

Expected results:
Startup and work with PKCS#8 certificates.

Additional info:
OpenSSL changed the default key format to PKCS#8 (from PKCS#1) in version 1.0.0. So supporting PKCS#8 certificates is more important on RHEL 6. Also, SSLCertificateKeyFile having a PKCS#8 certificate works fine.
Created attachment 817648 [details] mod_cluster.conf, script to gen certs, certs
Yes, that is not supported by mod_ssl. When loading the proxy key pair mod_ssl uses different functions, which don't handle the PKCS#8 format. It is simple enough to convert from PKCS#8 to the raw PEM encoding of the RSA key, use "openssl pkcs8".
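The workaround described in the comment above (convert the PKCS#8 key to the traditional RSA PEM form with "openssl pkcs8") as an added shell example; this is not code from the bug report, from EWS or from mod_ssl. It assumes the key pair is the one handed to mod_ssl's SSLProxyMachineCertificateFile directive (certificate and key concatenated in one PEM file), and the file names used are placeholders. The helper functions detect which form a key is in by its PEM BEGIN line and check a combined proxy file for the two conditions the AH02252 error complains about: a missing key and an encrypted key.

```shell
#!/bin/sh
# Added example (not from the bug report or from mod_ssl).
# Assumes the cert+key file is the one named by SSLProxyMachineCertificateFile.

# Classify a PEM private key by its BEGIN line.
# Prints: pkcs8 | pkcs8-encrypted | pkcs1 | unknown
pem_key_format() {
  header=$(grep '^-----BEGIN .*PRIVATE KEY-----' "$1" | head -n 1)
  case "$header" in
    '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
    '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
    '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1 ;;
    *)                                       echo unknown ;;
  esac
}

# Convert an unencrypted PKCS#8 key ("BEGIN PRIVATE KEY") to the traditional
# PKCS#1 RSA PEM form that the mod_ssl proxy code loads. Without -topk8,
# "openssl pkcs8" reads PKCS#8 and writes the traditional format; -nocrypt
# tells it the input PrivateKeyInfo is not encrypted.
pkcs8_to_pkcs1() {
  openssl pkcs8 -in "$1" -nocrypt -out "$2"
}

# Check that a combined proxy PEM (certificate followed by key) has what
# mod_ssl needs: a certificate block plus an unencrypted PKCS#1 RSA key.
# Returns 0 when usable, 1 otherwise, with the reason on stderr.
check_proxy_pem() {
  f="$1"
  if ! grep -q '^-----BEGIN CERTIFICATE-----' "$f"; then
    echo "$f: no certificate block" >&2
    return 1
  fi
  case "$(pem_key_format "$f")" in
    pkcs1) return 0 ;;
    pkcs8) echo "$f: key is PKCS#8; convert it with pkcs8_to_pkcs1" >&2; return 1 ;;
    pkcs8-encrypted) echo "$f: key is encrypted; the proxy key must be unencrypted" >&2; return 1 ;;
    *) echo "$f: no private key block found" >&2; return 1 ;;
  esac
}

# Typical use (placeholder file names):
#   pkcs8_to_pkcs1 client_key_pkcs8.pem client_key_rsa.pem
#   cat client_cert.pem client_key_rsa.pem > proxy.pem
#   check_proxy_pem proxy.pem && echo "proxy.pem is usable"
```

Running check_proxy_pem against the file before starting httpd turns the post-startup AH02252 failure into a pre-flight check; the same classification also flags a key that was converted but still left encrypted, which mod_ssl reports with the identical message.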
We still have the same kind of issue with:
Fedora 20 OpenSSL/1.0.1e-fips
RHEL 7 OpenSSL/1.0.1e-fips
RHEL 6 OpenSSL/1.0.1e-fips
Windows 2012 R2 OpenSSL/1.0.1e

> [ssl:debug] [pid 5167] ssl_engine_pphrase.c(239): AH02202: Init: Read server certificate from '/home/mbabacek/JWS/jws-3.0/httpd/certs/apache_cert.pem'
> [ssl:debug] [pid 5167] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
> [ssl:info] [pid 5167] AH01887: Init: Initializing (virtual) servers for SSL
> [ssl:debug] [pid 5167] ssl_engine_init.c(1524): AH02209: CA certificate: CN=jboss
> AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)
> [ssl:emerg] [pid 5167] AH02312: Fatal error initialising mod_ssl, exiting.
So it should stay a known issue and be documented for JWS3.
Is it resolved by updating OpenSSL to 1.0.2h or is it a mod_ssl code limitation?
It is a mod_ssl limitation; it won't be fixed in ews-2.1.x.