
I'm running Apache 2.2.11 configured as a reverse proxy. The "front side" of the proxy works fine, as does the back end until we enable SSL Certificate based authentication on the back (Client) side of the proxy.

My HTTPD conf file contains:

SSLProxyMachineCertificateFile /opt/apache/sfdc/myauth/myauth

Per the documentation, I have combined the key and certificate into the "myauth" file. I am using the same certificate and key used to secure the HTTPS connection on the front side of the proxy. This was concatenated with:

cat ../server.key ../server.pem >> myauth

The private key is not password protected.

My Apache log indicates:

[debug] ssl_engine_kernel.c(1526): Proxy client certificate callback: (obsucredhostname.com:8010) entered
[debug] ssl_engine_kernel.c(1571): Proxy client certificate callback: (obsucredhostname.com:8010) no client certificate found!?

Is it possible to use the same certificate/key pair as is used to secure the front-end SSL? My front end is secured by GoDaddy's signing service. Or am I required to use a separate and unique pair?

user176514

1 Answer

When you connect to a server (the back end) that requires client certificate authentication, the server will supply the client (your Apache proxy) with a list of acceptable CA names that the client cert can be signed with, i.e., a list of CAs that the server trusts to sign client certs.

I suspect the problem here is that your SSLProxyMachineCertificateFile is not signed by a CA acceptable to the server. You can check the CA names acceptable to the server using openssl.

openssl s_client -cert certfile -CAfile certfile -connect host:port

There's a bit more information about the problem on the Apache bugzilla here, including a patch that may help if you don't have access to the backend server configuration.

Vortura
  • Building a file (certfile) with my public and private key, the intermediate CA and root CAs for my certificate, as well as the certificate and intermediate and root CAs for the server I am connecting to, the openssl command you provide returns "Verify return code: 0 (ok)" --- however, the HTTPD daemons will not stay running. Error in log: incomplete client cert configured for SSL proxy (missing or encrypted private key?) – user176514 Jun 19 '13 at 18:30
  • Does the openssl command prompt you for a password? If so, you are using an encrypted private key. This is not supported by SSLProxyMachineCertificateFile. A quick Google search will tell you how to remove the passphrase if you wish to do so. – Vortura Jun 20 '13 at 09:05
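The two failure modes raised in this thread (a key that does not belong to the certificate, and a passphrase-protected key, which mod_ssl cannot load for SSLProxyMachineCertificateFile) can be caught before restarting Apache. The following script is an added example, not code from the question or the answer; it assumes the openssl CLI is on PATH, builds a throwaway self-signed key/cert pair as constructed sample input, and the hostname/port for the back end are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the original question or answer): pre-flight checks for the file
# named by SSLProxyMachineCertificateFile. Assumes the openssl CLI is on PATH.

# check_machine_cert_file FILE -> status 0 if mod_ssl can use it, 1 with a reason otherwise
check_machine_cert_file() {
    f="$1"
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
        || { echo "$f: no certificate block"; return 1; }
    # A passphrase-protected key is either a PKCS#8 "ENCRYPTED PRIVATE KEY" block or a
    # legacy PEM block carrying "Proc-Type: 4,ENCRYPTED"; mod_ssl rejects both here.
    if grep -qE -- 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$f"; then
        echo "$f: private key is passphrase-protected (remove the passphrase first)"; return 1
    fi
    grep -qE -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f" \
        || { echo "$f: no private key block"; return 1; }
    # The key must belong to the certificate: compare the public key inside the cert
    # with the public key derived from the private key (openssl skips unrelated PEM blocks).
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null | openssl sha256)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "$f: private key does not match the certificate"; return 1; }
    echo "$f: certificate and matching unencrypted key found"
}

# acceptable_client_cas HOST PORT -> prints the CA names the back end sends in its
# CertificateRequest (the list the answer refers to). Needs network access, so not run here.
acceptable_client_cas() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | sed -n '/Acceptable client certificate CA names/,/^---/p;/No client certificate CA names sent/p'
}

# Constructed sample input: a self-signed key/cert pair in a temp dir, concatenated the
# way the question describes (key first, then certificate).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=proxy-demo \
    -keyout "$demo_dir/server.key" -out "$demo_dir/server.pem" 2>/dev/null
cat "$demo_dir/server.key" "$demo_dir/server.pem" > "$demo_dir/myauth"
# The broken case from the comments: same certificate, but a passphrase-protected copy of the key.
openssl pkcs8 -topk8 -in "$demo_dir/server.key" -passout pass:demo \
    -out "$demo_dir/server.enc.key" 2>/dev/null
cat "$demo_dir/server.enc.key" "$demo_dir/server.pem" > "$demo_dir/myauth.encrypted"

check_machine_cert_file "$demo_dir/myauth"
check_machine_cert_file "$demo_dir/myauth.encrypted"
```

Run `acceptable_client_cas backend.example.invalid 8010` (placeholder host and port) against the real back end to see whether the CA that signed your proxy certificate is in the list at all.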