Red Hat Bugzilla – Bug 1029787
proxy setup not working with mod_ssl
Last modified: 2015-03-09 08:11:39 EDT
Created attachment 823291 [details]
config and log files
Description of problem:
I added a proxy setup for mod_ssl and it does not seem to be working.
Version-Release number of selected component (if applicable):
[root@rhel70-modnss ~]# rpm -q mod_ssl httpd
Steps to Reproduce:
1. Install the mod_ssl component and configure a proxy for it.
Proxy setup does not work.
[root@rhel70-modnss ~]# curl https://localhost:443/ -k
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>500 Proxy Error</title>
The proxy server could not handle the request <em><a href="/">GET /</a></em>.<p>
Reason: <strong>Error during SSL Handshake with remote server</strong></p><p />
proxy setup should work.
(1) Please find the attached ssl and ssl_proxy config files. Also, ssl_proxy_log has been attached.
(2) The ssl configuration is working.
[root@rhel70-modnss ~]# curl https://localhost:10443/ -k
<font size="+5">Using '<font color="blue">mod_ssl</font>' . . .</font>
(3) The same setup is working fine on RHEL-6.5.
This is probably the relevant error:
[Wed Nov 13 13:50:10.048409 2013] [ssl:info] [pid 27219] [remote ::1:10443] AH02411: SSL Proxy: Peer certificate does not match for hostname localhost
Either set "SSLProxyVerify off" or use SSLProxyMachineCertificateFile to trust the CA which signs the backend server's certificate.
Please let us know if that doesn't work.
I did try the above parameters, which did not work.
But when I changed the "localhost" string to "hostname of machine" in ssl_proxy.conf, it works now.
ssl_proxy.conf with "localhost" worked on RHEL-6.5 but is not working on RHEL-7.0.
I think this behaviour change for ssl_proxy.conf should be documented.
Sorry... it is "SSLProxyCheckPeerName on" which should fix this, my mistake.
Yes it should go into the migration guide.
Reopening the bug and targeting Documentation.
This bug was not in the correct component and did not come to my attention until after work for RHEL 7.0 was already complete.
I've moved it to the correct component and added a flag to propose this change for the RHEL 7.1 documentation. Hopefully this is not too great an inconvenience.
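
The behaviour change discussed in this bug, as an added configuration sketch (not taken from the attached ssl_proxy.conf and not written by any of the commenters): httpd 2.4 compares the host name in the proxied URL with the names in the backend certificate (SSLProxyCheckPeerName, on by default since httpd 2.4.5), which is the check that AH02411 reports as failed. The host name backend.example.com and the CA file path are placeholders; the ports are the ones used in the report.

```apache
# Constructed example. "backend.example.com" and the CA file path are
# placeholders, not values from the attached configuration.

SSLProxyEngine on

# Fails with AH02411 when the backend certificate was issued for the
# machine's host name and not for "localhost": the name in the URL is
# the name that gets compared with the certificate.
# ProxyPass        / https://localhost:10443/
# ProxyPassReverse / https://localhost:10443/

# Passes the name check: proxy to a name the backend certificate carries
# (subjectAltName DNS entry or subject CN).
ProxyPass        / https://backend.example.com:10443/
ProxyPassReverse / https://backend.example.com:10443/

# Keep verification of the backend enabled and trust the CA that signed
# its certificate, so the name check is made against a validated chain.
SSLProxyVerify require
SSLProxyCACertificateFile /etc/pki/tls/certs/backend-ca.crt

# Default in httpd 2.4.5 and later; written out here to make the
# dependency on a matching host name explicit.
SSLProxyCheckPeerName on
```

After changing the proxied host name, `apachectl configtest` followed by a reload and a look at the proxy's error log for AH02411 confirms whether the name now matches.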