Apache Proxy – SSL Authentication failure on back end of proxy (Client side)

apache-2.2proxy-authenticationreverse-proxy

I'm running Apache 2.2.11 configured as a reverse proxy. The "front side" of the proxy works fine, as does the back end until we enable SSL Certificate based authentication on the back (Client) side of the proxy.

My HTTPD conf file contains:

SSLProxyMachineCertificateFile /opt/apache/sfdc/myauth/myauth

Per the documentation, I have combined the key and certificate in to the "myauth" file. I am using the same certificate and key used to secure the HTTPS connection on the front side of the proxy. This was concatenated cat ../server.key ../server.pem >> myauth

The private key is not password protected.

My Apache log indicates:

[debug] ssl_engine_kernel.c(1526): Proxy client certificate callback: (obsucredhostname.com:8010) entered
[debug] ssl_engine_kernel.c(1571): Proxy client certificate callback: (obsucredhostname.com:8010) no client certificate found!?

Is it possible to use the same certificate key pair as is used to secure the front end SSL? My front-end is secured by godaddys signing service. Or, am I required to use a separate and unique pair?

Best Answer

When you connect to a server (the back end) that requires client certificate authentication, the server will supply the client (your Apache proxy) with a list of acceptable CA names that the client cert can be signed with. i.e. A list of CAs that the the server trusts to sign client certs.

I suspect the problem here is that your SSLProxyMachineCertificateFile is not signed by a CA acceptable to the server. You can check the CA names acceptable to the server using openssl.

openssl s_client -cert certfile -CAfile certfile -connect host:port

There's a bit more information about the problem on the Apache bugzilla here, including a patch that may help if you don't have access to the backend server configuration.

Related Solutions

Ssl – How to publish a secure SVN server (Apache+SSL) behind an ISA firewall

It can be done with the regular "Publish Web sites" wizard. If the external website is https://mysvn.com then ISA will need to have a certificate installed for https://mysvn.com; this is configured the listener. (For ease of use I have a wildcard certificate for https://*.mycompany.com and a lisetener called "generic https listener" so I don't need a seperate listener for each site)

If external clients use https to contact ISA then it is best if the ISA uses https (and the same domain name) to contact the webs server - this eliminates problems where a web server returns an internal link (http://internalname.local) that makes it back to the client instead of being re-written by ISA. The SSL certificate on the web server should be trusted by the ISA server, either because it's from a trust root server (i.e.: a proper paid for certificate) or you've set up your own certificate issuing system.

Authentication delegation should be set to "no delegation, but client can authenticate directly" otherwise ISA will try to take over user authentication.

Ssl – Client-side certificates (Apache, Linux, OpenSSL)

Could be that you are using client certs with the wrong key usage. Please verify that your key usage has:

Critical
Signing
Non-repudiation
Key Encipherment

If you are using extended key usage, check for

Not Critical
TLS Web Client Authentication
E-mail protection

On the server side verify that you have all the ca cert that was used to sign the client cert and the relevant pki hierarchy is set up. In a typical apache setup, this would look like:

<VirtualHost *:443>
    ServerAdmin admin@example.net                                                                                      
    DocumentRoot /var/www/
    ServerName service.example.net
    ScriptAlias /cgi-bin/ /var/www/cgi-bin/
    <Directory "/var/www/cgi-bin">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
    </Directory>

    <Directory "/var/www/">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
    </Directory>

    SSLEngine on
    SSLOptions +StdEnvVars
    SSLCertificateFile    /usr/local/ssl/certs/Server.crt
    SSLCertificateKeyFile /usr/local/ssl/private/Server.key
    SSLCACertificateFile  /usr/local/ssl/certs/caRoot.cacert.pem
    SSLVerifyClient require
    ErrorLog logs/service.example.net-443-error_log
    LogLevel info
    CustomLog logs/service.example.net-443-access.log combined

Finally, you can try debug with good old openssl

openssl s_client -connect server.example.net:443 -CAfile ../ca/caRoot.crt -cert client-Access.crt -key client-Access.key  -showcerts

or curl

curl -kv --key client-Access.key --cert client-Access.crt --cacert ../ca/caRoot.crt  https://server.example.net/

Good luck!

Best Answer

Related Solutions

Ssl – How to publish a secure SVN server (Apache+SSL) behind an ISA firewall

Ssl – Client-side certificates (Apache, Linux, OpenSSL)

Related Topic