b***@apache.org
2018-11-16 07:21:18 UTC
https://bz.apache.org/bugzilla/show_bug.cgi?id=62915
Bug ID: 62915
Summary: SSLProxyCheckPeerName does not seem to work with Lets
Encrypt full chain cert
Product: Apache httpd-2
Version: 2.4.29
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_proxy
Assignee: ***@httpd.apache.org
Reporter: ***@hotmail.com
Target Milestone: ---
I'm trying to use apache2 to reverse proxy my router config page. The router
serves a certificate generated by Let's Encrypt using the DNS-01 challenge with
wildcard support, and I'm using the subdomain router.domain.com.
The certificate file contains both my domain cert and the intermediate Let's
Encrypt cert that's signed by DST Root CA X3. Per the documentation for
SSLProxyCheckPeerName, the Subject Alt Name contains
Not Critical
DNS Name: *.domain.com
DNS Name: domain.com
And the CN is domain.com
However, if I set up the proxy with
RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine On
ProxyPass "/" "https://192.168.1.1:443/"
ProxyPassReverse "/" "http://192.168.1.1:443/"
I get an "Error during SSL Handshake with remote server".
Just adding "SSLProxyCheckPeerName off", however, solves the problem. I'm not
sure if this also disables CA checking or it's a problem with the chaining, but
I serve the same cert to my reverse proxy and web clients, and there are no
problems.
I'm happy to provide the cert privately.
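The following is an added illustration, not part of the bug report and not httpd's own code. SSLProxyCheckPeerName compares the names in the backend certificate against the hostname written in the ProxyPass URL, so in the configuration above the name being checked is 192.168.1.1, not router.domain.com, and a dNSName of *.domain.com cannot match an IP literal. Switching the directive off removes that hostname binding from the proxy-to-backend connection (CA verification is governed separately by SSLProxyVerify). The script below reproduces the matching rule on a constructed SAN list copied from the report and shows which backend URLs would pass; the function names and the SAN list are assumptions for this example.

```python
"""Hostname check of the kind SSLProxyCheckPeerName performs, reduced to its
matching rule: the hostname in the backend (ProxyPass) URL must match one of
the certificate's subjectAltName entries.  Wildcard handling follows RFC 6125:
'*' is honoured only as the entire left-most label and matches exactly one
label; an IP-literal host only matches an iPAddress entry, never a dNSName.
This is a stand-alone example, not mod_ssl's implementation."""
import ipaddress
from urllib.parse import urlsplit

# Constructed SAN list mirroring the one quoted in the report (not a parsed certificate).
REPORTED_SANS = [("DNS", "*.domain.com"), ("DNS", "domain.com")]


def _dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName entry (possibly with a left-most wildcard) against a hostname."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the whole left-most label, at least two labels must
    # follow it ("*.com" is not acceptable), and it covers exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def peer_name_matches(backend_url: str, sans) -> bool:
    """Return True if the host in backend_url is covered by one of the SAN entries.

    sans is a list of (kind, value) pairs with kind "DNS" or "IP"."""
    host = urlsplit(backend_url).hostname  # strips scheme, port and IPv6 brackets
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only against iPAddress entries.
        return any(kind == "IP" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, host) for kind, value in sans)


def explain(backend_url: str, sans=REPORTED_SANS) -> str:
    """Human-readable verdict for one ProxyPass target."""
    host = urlsplit(backend_url).hostname
    names = ", ".join(f"{k}:{v}" for k, v in sans)
    verdict = "matches" if peer_name_matches(backend_url, sans) else "does NOT match"
    return f"ProxyPass target host {host!r} {verdict} SAN [{names}]"


if __name__ == "__main__":
    # The report's configuration: the backend URL names the router by IP.
    print(explain("https://192.168.1.1:443/"))
    # Proxying to the name the certificate was issued for instead.
    print(explain("https://router.domain.com:443/"))
    # A wildcard covers a single label only.
    print(explain("https://a.b.domain.com/"))
```

The practical consequence for a deployment like the reporter's is that the check can be kept on by pointing ProxyPass at router.domain.com (resolving that name to 192.168.1.1 locally if needed) rather than at the IP address, so the proxy still verifies that it reached the host the certificate was issued for.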
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-***@httpd.apache.org
For additional commands, e-mail: bugs-***@httpd.apache.org