Configuring SSL on Apache HTTPd installed on a VMware VM: bad certificate

2

I am building a reverse proxy server with Apache HTTPd 2.4.6 on CentOS 7 (freshly installed), running in a VMware VM.

I also followed the recommendations of https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI (found through the post https://stackoverflow.com/questions/14830133/apache-httpd-virtual-host-ssl-certificate) and the post https://stackoverflow.com/questions/36050140/centos-httpd-ssl-404-error.

  • Current Apache HTTPd configuration (/etc/httpd/conf.d/my.domain.com.conf):

    LoadModule ssl_module modules/mod_ssl.so
    
    Listen 443
    
    NameVirtualHost *:443
    SSLStrictSNIVHostCheck off
    
    <VirtualHost *:443>
    
    ServerName my.domain.com
    
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RCA+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/pki/tls/certs/my.domain.com.cer
    SSLCertificateKeyFile /etc/pki/tls/private/my.domain.com.key
    SSLCertificateChainFile /etc/pki/ca-trust/source/anchors/chained.pem
    
    ProxyPreserveHost On
    
    <LocationMatch "/myapp">
        ProxyPass http://X.X.X.X:8080/app
        ProxyPassReverse http://X.X.X.X:8080/app
    </LocationMatch>
    </VirtualHost>
    

The certificate chain file chained.pem contains my CA.

This CA is the issuer of the certificate my.domain.com.cer, and the private key stored in my.domain.com.key is correct.

This CA has been added to /etc/pki/tls/certs/ca-bundle.crt.

The syntax is correct (httpd -t).

> Problem: when I hit my.domain.com, the VMware certificate is sent instead of mine...

  • From a client, when I make a request to my domain with curl:

    curl -v https://my.domain.com -k
    
    (...) 
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
      CApath: none
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    (...)
    * Server certificate:
    *  subject: C=US; L=Palo Alto; OU=VMware; CN=VMware; emailAddress=none@vmware.com
    *  start date: May 24 09:24:16 2017 GMT
    *  expire date: May 24 09:24:16 2018 GMT
    *  issuer: C=US; L=Palo Alto; OU=VMware; CN=VMware; emailAddress=none@vmware.com
    *  SSL certificate verify result: self signed certificate (18), continuing anyway.
    
  • From a client, when I make a request to my domain with Chrome:

On the HTTPd server, there is nothing about SSL errors in the httpd debug logs...:

[Wed Mar 14 05:31:00.572506 2018] [ssl:info] [pid 2715] AH02200: Loading certificate & private key of SSL-aware server 'my.domain.com:443'
[Wed Mar 14 05:31:00.573282 2018] [ssl:debug] [pid 2715] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Wed Mar 14 05:31:00.573333 2018] [ssl:info] [pid 2715] AH01914: Configuring server my.domain.com:443 for SSL protocol
[Wed Mar 14 05:31:00.574085 2018] [ssl:debug] [pid 2715] ssl_engine_init.c(872): AH01904: Configuring server certificate chain (2 CA certificates)
[Wed Mar 14 05:31:00.574105 2018] [ssl:debug] [pid 2715] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Wed Mar 14 05:31:00.574116 2018] [ssl:debug] [pid 2715] ssl_engine_init.c(919): AH02232: Configuring RSA server certificate
[Wed Mar 14 05:31:00.574356 2018] [ssl:debug] [pid 2715] ssl_util_ssl.c(489): AH02412: [my.domain.com:443] Cert matches for name 'my.domain.com' [subject: emailAddress=xxxx@yyy.fr,CN=my.domain.com ....... / notbefore: Mar 12 14:58:57 2018 GMT / notafter: Mar  9 14:58:57 2028 GMT]
[Wed Mar 14 05:31:00.574369 2018] [ssl:debug] [pid 2715] ssl_engine_init.c(974): AH02236: Configuring RSA server private key
[Wed Mar 14 05:31:00.640615 2018] [ssl:info] [pid 2715] AH02200: Loading certificate & private key of SSL-aware server 'my.domain.com:443'
[Wed Mar 14 05:31:00.641115 2018] [ssl:debug] [pid 2715] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Wed Mar 14 05:31:00.641180 2018] [ssl:info] [pid 2715] AH01914: Configuring server my.domain.com:443 for SSL protocol
[Wed Mar 14 05:31:00.641646 2018] [ssl:debug] [pid 2715] ssl_engine_init.c(872): AH01904: Configuring server certificate chain (2 CA certificates)
[Wed Mar 14 05:31:00.641656 2018] [ssl:debug] [pid 2715] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Wed Mar 14 05:31:00.641666 2018] [ssl:debug] [pid 2715] ssl_engine_init.c(919): AH02232: Configuring RSA server certificate
[Wed Mar 14 05:31:00.642392 2018] [ssl:debug] [pid 2715] ssl_util_ssl.c(489): AH02412: [my.domain.com:443] Cert matches for name 'my.domain.com' [subject: emailAddress=xxxx@yyy.fr,CN=my.domain.com ....... / notbefore: Mar 12 14:58:57 2018 GMT / notafter: Mar  9 14:58:57 2028 GMT]
[Wed Mar 14 05:31:00.642492 2018] [ssl:debug] [pid 2715] ssl_engine_init.c(974): AH02236: Configuring RSA server private key
[Wed Mar 14 05:31:00.656912 2018] [proxy:debug] [pid 2717] proxy_util.c(1843): AH00925: initializing worker http://X.X.X.X:8080/app shared
[Wed Mar 14 05:31:00.656964 2018] [proxy:debug] [pid 2717] proxy_util.c(1885): AH00927: initializing worker http://X.X.X.X:8080/app local
[Wed Mar 14 05:31:00.656984 2018] [proxy:debug] [pid 2717] proxy_util.c(1936): AH00931: initialized single connection worker in child 2717 for (X.X.X.X)

There is no /etc/httpd/logs/ssl_error log.

I do not understand why my clients receive the VMware certificate instead of mine... Any idea? :(

Notes: there is no iptables service installed, and the default file /etc/httpd/conf.d/ssl.conf is not loaded (renamed to ssl.conf.bak).

cactuschibre

Posted 2018-03-14T11:49:24.770

Reputation: 130

Answers

1

OK. Found. After long days of headaches.

  • If you are not using a bridged connection, the domain my.domain.com has to be bound to the VM IP, not the host IP. Check it on your domain controller.
  • Edit the file config.xml (Windows default path: C:\ProgramData\VMware\hostd\config.xml) and delete this block:

    <!-- Remove the following node to disable SSL -->
    <ssl>
      <!-- The server private key file -->
      <privateKey>C:\ProgramData\VMware\ssl/rui.key</privateKey>
      <!-- The server side certificate file -->
      <certificate>C:\ProgramData\VMware\ssl/rui.crt</certificate>
      <!-- The SSL version to use -->
      <!-- <sslVersion>all</sslVersion> -->
    </ssl>

The certificates managed by the VM will be shown first. You can also change rui.crt and rui.key, but they will be applied to all VMs. That is not what I want.

  • VMware has to be stopped, and the VMware Workstation service needs to be restarted (command lines: net stop VMwareHostd, then net start VMwareHostd).
  • Restart the VM. Done!

cactuschibre

Posted 2018-03-14T11:49:24.770

Reputation: 130
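The question and the answer above both come down to one check a practitioner wants to run before touching the Apache configuration: is the certificate a client receives the same bytes as the file named in SSLCertificateFile, and does the name clients use resolve to the VM rather than to the hypervisor host? The script below is an added example, not code from the original post or from VMware. It uses only the Python standard library and is the scripted equivalent of `openssl s_client -servername my.domain.com -connect <ip>:443 </dev/null | openssl x509 -noout -fingerprint -sha256`. The hostname, VM IP and certificate path in the `__main__` section are placeholders, and `FAKE_DER` / `SAMPLE_PEM` are constructed self-test data, not a real certificate.

```python
"""Check which leaf certificate a TLS endpoint presents and whether it is the one
configured in SSLCertificateFile.  Added example; names, IPs and paths are placeholders."""
import base64
import hashlib
import socket
import ssl


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    start = pem_text.index(begin) + len(begin)
    stop = pem_text.index(end, start)
    body = "".join(pem_text[start:stop].split())  # drop the 64-char line wrapping
    return base64.b64decode(body)


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the AA:BB:... form that `openssl x509 -fingerprint` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprint(pem_text: str) -> str:
    return der_fingerprint(pem_to_der(pem_text))


def presented_certificate(address: str, port: int, sni_name: str, timeout: float = 5.0) -> bytes:
    """Connect to address:port, send sni_name in the SNI extension, and return the leaf
    certificate the server presents, as DER.  Verification is deliberately disabled:
    the point is to see what is served even when it is a self-signed stranger."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            return tls.getpeercert(binary_form=True)


def resolves_to(name: str, expected_ip: str) -> bool:
    """True if `name` resolves to expected_ip (the VM's address, not the hypervisor host's)."""
    return expected_ip in {info[4][0] for info in socket.getaddrinfo(name, None)}


def diagnose(expected_pem: str, presented_der: bytes) -> str:
    """Compare the configured certificate with the one a client received."""
    want, got = pem_fingerprint(expected_pem), der_fingerprint(presented_der)
    if want == got:
        return f"OK: server presents the configured certificate {got}"
    return (f"MISMATCH: configured {want} but client received {got}; something in front of "
            "httpd (another service bound to 443, a NAT/port-forward target, a DNS record "
            "pointing at the wrong host) is terminating TLS")


# Constructed self-test data: arbitrary bytes wrapped as PEM, NOT a real certificate.
FAKE_DER = b"constructed bytes standing in for a DER certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(FAKE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # Placeholders (assumptions): the name clients use, the VM's own IP, the httpd cert file.
    NAME, VM_IP, CERT = "my.domain.com", "192.0.2.10", "/etc/pki/tls/certs/my.domain.com.cer"
    print("DNS points at the VM:", resolves_to(NAME, VM_IP))
    with open(CERT) as f:
        expected = f.read()
    # Ask the VM directly by IP first (SNI still set), then the name clients actually use:
    # if the first matches and the second does not, the problem is in front of the VM.
    for target in (VM_IP, NAME):
        print(target, "->", diagnose(expected, presented_certificate(target, 443, NAME)))
```

Running it against the VM's IP and against the public name separately is what separates an httpd misconfiguration (both mismatch) from the situation in the answer, where httpd serves the right certificate on the VM but the host's own TLS listener answers the address clients reach.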