I am attempting to create the following setup using Apache:
UserBrowser ----Client Certificate---> LoadBalancer (Apache 2.4)
then
LoadBalancer (Apache 2.4) ----LB Client Certificate ----> Apache 2.2 Web Server
So the user connects to the load balancer and provides a client certificate; this works correctly.
A reverse proxy then makes the load balancer connect to the web server, the web server requests a certificate from the load balancer, and I get the following error:
Proxy client certificate callback: (0.0.0.0:443) entered
Proxy client certificate callback: (0.0.0.0:443) downstream server wanted client certificate but none are configured
[remote 0.0.0.1:443] SSL Proxy connect failed
[ssl:info] SSL Library Error: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure (SSL alert number 40)
[ssl:info] [remote 0.0.0.1:443] Connection closed to child 0 with abortive shutdown (server 0.0.0.0:443)
[ssl:info] [remote 0.0.0.1:443] SSL handshake failed: sending 502
Load Balancer Config:
SSLProxyEngine on
ProxyRequests off
ProxyPreserveHost on
ProxyTimeout 600
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyMachineCertificateFile "/path/to/keyandcert.pem"
Web Server Config:
SSLVerifyClient require
This scenario works if I remove SSLVerifyClient from the web server; traffic is then load-balanced. I need to have client verification between the User – LB and between the LB – WS.
Keys and certs have been generated with a 1024-bit modulus.
Can anyone offer an insight into what might be going wrong here?
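As an added example (not the original poster's configuration), the following shows the two hops with mutual TLS on both sides, written out as one vhost per box. Hostnames and paths (lb.example.test, ws1.example.test, /etc/ssl/lb/..., /etc/ssl/ws/...) are assumptions for illustration.

```apache
# Added example, not the poster's config. All paths and hostnames are assumed.

# Load balancer (Apache 2.4). Hop 1: user browser -> LB, LB is the TLS server.
<VirtualHost *:443>
    ServerName lb.example.test

    SSLEngine on
    SSLCertificateFile      /etc/ssl/lb/lb-server.crt
    SSLCertificateKeyFile   /etc/ssl/lb/lb-server.key
    # CA that issued the users' client certificates
    SSLCACertificateFile    /etc/ssl/lb/user-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2

    # Hop 2: LB -> web server, the LB is now the TLS client. These SSLProxy*
    # directives must live in the same vhost that handles the user's request,
    # otherwise the proxy connection is made with no machine certificate loaded.
    SSLProxyEngine on
    ProxyRequests off
    ProxyPreserveHost on
    ProxyTimeout 600

    # One PEM file: the LB's client certificate followed by its UNENCRYPTED
    # private key (mod_ssl cannot prompt for a passphrase for proxy certs).
    SSLProxyMachineCertificateFile      /etc/ssl/lb/lb-client.pem
    # Intermediate CA(s) for that certificate, if it was not issued by a root
    # directly (directive available from Apache 2.4.8 on).
    SSLProxyMachineCertificateChainFile /etc/ssl/lb/lb-client-chain.crt

    # Verify the backend rather than switching the peer checks off.
    SSLProxyCACertificateFile /etc/ssl/lb/backend-ca.crt
    SSLProxyVerify            require
    SSLProxyCheckPeerCN       on
    SSLProxyCheckPeerName     on

    ProxyPass        / https://ws1.example.test/
    ProxyPassReverse / https://ws1.example.test/
</VirtualHost>

# Web server (Apache 2.2). Requires a client certificate from the LB.
<VirtualHost *:443>
    ServerName ws1.example.test

    SSLEngine on
    SSLCertificateFile    /etc/ssl/ws/ws-server.crt
    SSLCertificateKeyFile /etc/ssl/ws/ws-server.key

    # Must contain the CA that issued lb-client.pem. The server advertises the
    # subject names of these CAs in its CertificateRequest, and the LB's mod_ssl
    # only offers a machine certificate whose issuer matches one of those names.
    SSLCACertificateFile  /etc/ssl/ws/lb-client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2
</VirtualHost>
```

Two checks worth doing against this layout. First, the message "downstream server wanted client certificate but none are configured" is emitted by mod_ssl when the vhost making the proxy connection has no machine certificates loaded at all (a different message is used when certificates are loaded but none match the CA names the backend sent), so confirm that SSLProxyMachineCertificateFile sits in the vhost that serves the user request and that Apache's startup log shows no error reading that file. Second, reproduce hop 2 from the LB with openssl s_client -connect ws1.example.test:443 -cert /etc/ssl/lb/lb-client.pem -key /etc/ssl/lb/lb-client.pem -CAfile /etc/ssl/lb/backend-ca.crt and compare the "Acceptable client certificate CA names" the backend prints with the issuer of lb-client.pem. Independently of the error, regenerate the keys with a 2048-bit or larger modulus; 1024-bit RSA is below current minimums and newer OpenSSL builds may refuse such certificates outright.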
Best Answer
Your request is unclear. There can be, however, the following cases that I can imagine:
Either way, the scheme you are describing doesn't completely match any of the above.
P.S. Use nginx as a balancer; Apache is long gone.