SSL – AH00898: Error during SSL Handshake with remote server (localhost)

apache-2.4, proxy, ssl, virtualhost

I am trying to boot up an instance of GhostCMS on my Debian 10 (buster) server. I planned on doing so using an Apache (v2.4.38) reverse proxy. For the Ghost setup I used ghost-cli as described in the docs (ghost install && ghost start), and it worked more or less fine (besides the Nginx config part and therefore the LetsEncrypt part, which I started manually later).

My Apache config for HTTP looks like the following:

<VirtualHost *:80>
    DocumentRoot /var/www/ghost
    ServerName blog.domain.xyz
    ServerAlias www.blog.domain.xyz

    ProxyPreserveHost On
    ProxyRequests Off

    ProxyPass / https://127.0.0.1:2368/
    ProxyPassReverse / https://127.0.0.1:2368/

    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

and my Apache config for HTTPS looks like this:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot /var/www/ghost
    ServerName blog.domain.xyz
    ServerAlias www.blog.domain.xyz

    ProxyPreserveHost On
    ProxyRequests Off

    SSLEngine On
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    ProxyPass / https://127.0.0.1:2368/
    ProxyPassReverse / https://127.0.0.1:2368/

    ErrorLog ${APACHE_LOG_DIR}/blog.domain.xyz_error.log
    CustomLog ${APACHE_LOG_DIR}/blog.domain.xyz_access.log combined

    RewriteCond %{SERVER_NAME} =blog.domain.xyz [OR]
    RewriteCond %{SERVER_NAME} =www.blog.domain.xyz

    SSLCertificateFile /etc/letsencrypt/live/blog.domain.xyz/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/blog.domain.xyz/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

FYI: All the pages are enabled using a2ensite configname, and Ghost is still running on its default port (localhost:2368).

Whenever I try to load the page I get an HTTP 500 Proxy Error with the reason: Error during SSL Handshake with remote server

I already tried some tutorials, e.g. https://www.codersbistro.com/blog/setting-up-ghost-with-apache-http-server/ but they still couldn't help me.

Hopefully some of you can provide me with a decent hint 🙂

Best Answer

> I already tried some tutorials, e.g. https://www.codersbistro.com/blog/setting-up-ghost-with-apache-http-server/ but they still couldn't help me.

The tutorial includes the following part:

ProxyPass / http://localhost:2368/
ProxyPassReverse / http://localhost:2368/

Contrary to this, your config includes the following:

ProxyPass / https://127.0.0.1:2368/
ProxyPassReverse / https://127.0.0.1:2368/

Note the difference? You are trying to access the internal server on port 2368 with https, while in the tutorial it is with http. The latter is probably the correct one. Note that the https handling is done by Apache and not by the internal CMS server, which, contrary to Apache, should not be reachable from outside the host.
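
An added example, not part of the original question or answer: a small Python diagnostic that checks whether the scheme in a ProxyPass target matches what the backend actually speaks, which is the mismatch that produces AH00898 here. The function names `probe_backend` and `check_proxy_target` are hypothetical, and certificate checks are disabled only because the probe asks whether TLS is spoken at all.

```python
import socket
import ssl
from urllib.parse import urlsplit


def probe_backend(host, port, timeout=2.0):
    """Return 'tls', 'plain-http', 'unknown' or 'unreachable' for host:port."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    # Diagnostic context: we only ask whether TLS is spoken at all, so
    # certificate checks are off here. Do not reuse this for real traffic.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Same first move as mod_proxy with an https:// target: send a ClientHello.
        with ctx.wrap_socket(raw):
            return "tls"
    except OSError:
        # ssl.SSLError and handshake timeouts are OSError subclasses; a plain
        # HTTP listener either answers in cleartext or never answers at all.
        raw.close()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            head = b""
            while len(head) < 5:
                chunk = s.recv(5 - len(head))
                if not chunk:
                    break
                head += chunk
    except OSError:
        return "unknown"
    return "plain-http" if head == b"HTTP/" else "unknown"


def check_proxy_target(url, timeout=2.0):
    """Compare a ProxyPass target's scheme with what the backend speaks."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    spoken = probe_backend(parts.hostname, port, timeout)
    expected = {"https": "tls", "http": "plain-http"}.get(parts.scheme)
    return spoken, spoken == expected


if __name__ == "__main__":
    # The ProxyPass target from the question; needs the backend to be running.
    print(check_proxy_target("https://127.0.0.1:2368/"))
```

A result of `('plain-http', False)` for an `https://` target means the backend does not speak TLS, so the ProxyPass scheme should be `http://`.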