Comment 9 for bug 1930430

Horst Platz (hp-localhorst) wrote:

Hi Sergio,

Maybe I have a solution with self-signed certificates.

Overall, I recreated the apache packages with the new version 2.4.41-4ubuntu3.3 and used only the patch with the two lines involved.

Then I found a description of how to create a root CA with OCSP inside:

https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html

I copied and pasted it straightforwardly and got the files

enduser-example.com.key
enduser-example.com.crt
enduser-example.com.chain

and in the cert there is an OCSP URI:

:~# openssl x509 -in enduser-example.com.crt -noout -ocsp_uri
http://pki.sparklingca.com/ocsp/
http://pki.backup.com/ocsp/

At that point these OCSP responders do not exist.

I reconfigured the apache from above with that self-signed cert:

:~# vim /etc/apache2-own/sites-available/own.conf
<VirtualHost 127.0.0.2:443>
  ServerName own.localhorst.org

  SSLEngine On
  SSLCertificateFile /etc/apache2-own/ssl/enduser-example.com.crt
  SSLCertificateChainFile /etc/apache2-own/ssl/enduser-example.com.chain
  SSLCertificateKeyFile /etc/apache2-own/ssl/enduser-example.com.key

  DocumentRoot /var/www/html-own

  <Directory /var/www/html-own>
    DirectoryIndex index.html
    Options -Indexes
    AllowOverride None
    Require all granted
  </Directory>

  #LogLevel info ssl:warn

  ErrorLog ${APACHE_LOG_DIR}/own_error.log
  CustomLog ${APACHE_LOG_DIR}/own_access.log combined
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~# vim /etc/apache2-proxy/sites-enabled/000-default.conf
<VirtualHost 127.0.0.1:80>
    ServerName proxy.localhorst.org

    ProxyPreserveHost Off
    ProxyRequests Off

    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/apache2-own/ssl/enduser-example.com.chain
    SSLProxyCipherSuite ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-GCM-SHA384
    SSLProxyProtocol -all +TLSv1.2

    ProxyPass / https://own.localhorst.org/

    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/localhorst_access.log common
</VirtualHost>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~# curl http://proxy.localhorst.org
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
The proxy server could not handle the request<p>Reason: <strong>Error during SSL Handshake with remote server</strong></p><p />
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at proxy.localhorst.org Port 80</address>
</body></html>

:~# cat /var/log/apache2-proxy/error.log
[Fri Jul 02 15:59:51.503320 2021] [ssl:debug] [pid 61838:tid 140404689173568] ssl_engine_init.c(2060): AH02209: CA certificate: CN=Localhorst root CA,OU=local,O=ciss,L=Cologne,ST=NRW,C=DE
[Fri Jul 02 15:59:51.504788 2021] [ssl:debug] [pid 61838:tid 140404689173568] ssl_engine_init.c(2060): AH02209: CA certificate: OU=zzz,O=loca,C=DE,ST=NRW,CN=Localhorst intermediat CA
[Fri Jul 02 15:59:51.520258 2021] [ssl:debug] [pid 61839:tid 140404689173568] ssl_engine_init.c(2060): AH02209: CA certificate: CN=Localhorst root CA,OU=local,O=ciss,L=Cologne,ST=NRW,C=DE
[Fri Jul 02 15:59:51.520282 2021] [ssl:debug] [pid 61839:tid 140404689173568] ssl_engine_init.c(2060): AH02209: CA certificate: OU=zzz,O=loca,C=DE,ST=NRW,CN=Localhorst intermediat CA
[Fri Jul 02 15:59:51.521114 2021] [mpm_event:notice] [pid 61839:tid 140404689173568] AH00489: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operations
[Fri Jul 02 15:59:51.521138 2021] [core:notice] [pid 61839:tid 140404689173568] AH00094: Command line: '/usr/sbin/apache2 -d /etc/apache2-proxy'
[Fri Jul 02 15:59:51.527963 2021] [proxy:debug] [pid 61840:tid 140404689173568] proxy_util.c(1933): AH00925: initializing worker https://own.localhorst.org/ shared
[Fri Jul 02 15:59:51.527991 2021] [proxy:debug] [pid 61840:tid 140404689173568] proxy_util.c(1990): AH00927: initializing worker https://own.localhorst.org/ local
[Fri Jul 02 15:59:51.528002 2021] [proxy:debug] [pid 61840:tid 140404689173568] proxy_util.c(2024): AH00930: initialized pool in child 61840 for (own.localhorst.org) min=0 max=25 smax=25
[Fri Jul 02 15:59:51.528973 2021] [proxy:debug] [pid 61841:tid 140404689173568] proxy_util.c(1933): AH00925: initializing worker https://own.localhorst.org/ shared
[Fri Jul 02 15:59:51.529009 2021] [proxy:debug] [pid 61841:tid 140404689173568] proxy_util.c(1990): AH00927: initializing worker https://own.localhorst.org/ local
[Fri Jul 02 15:59:51.529067 2021] [proxy:debug] [pid 61841:tid 140404689173568] proxy_util.c(2024): AH00930: initialized pool in child 61841 for (own.localhorst.org) min=0 max=25 smax=25
[Fri Jul 02 15:59:58.640750 2021] [authz_core:debug] [pid 61840:tid 140404561278720] mod_authz_core.c(845): [client 127.0.0.1:48808] AH01628: authorization result: granted (no directives)
[Fri Jul 02 15:59:58.640838 2021] [proxy:debug] [pid 61840:tid 140404561278720] mod_proxy.c(1253): [client 127.0.0.1:48808] AH01143: Running scheme https handler (attempt 0)
[Fri Jul 02 15:59:58.640859 2021] [proxy:debug] [pid 61840:tid 140404561278720] proxy_util.c(2325): AH00942: HTTPS: has acquired connection for (own.localhorst.org)
[Fri Jul 02 15:59:58.640865 2021] [proxy:debug] [pid 61840:tid 140404561278720] proxy_util.c(2379): [client 127.0.0.1:48808] AH00944: connecting https://own.localhorst.org/ to own.localhorst.org:443
[Fri Jul 02 15:59:58.640995 2021] [proxy:debug] [pid 61840:tid 140404561278720] proxy_util.c(2588): [client 127.0.0.1:48808] AH00947: connected / to own.localhorst.org:443
[Fri Jul 02 15:59:58.641077 2021] [proxy:debug] [pid 61840:tid 140404561278720] proxy_util.c(3054): AH02824: HTTPS: connection established with 127.0.0.2:443 (own.localhorst.org)
[Fri Jul 02 15:59:58.641096 2021] [proxy:debug] [pid 61840:tid 140404561278720] proxy_util.c(3240): AH00962: HTTPS: connection complete to 127.0.0.2:443 (own.localhorst.org)
[Fri Jul 02 15:59:58.641103 2021] [ssl:info] [pid 61840:tid 140404561278720] [remote 127.0.0.2:443] AH01964: Connection to child 0 established (server proxy.localhorst.org:80)
[Fri Jul 02 15:59:58.654018 2021] [ssl:debug] [pid 61840:tid 140404561278720] ssl_engine_kernel.c(1764): [remote 127.0.0.2:443] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=Localhorst root CA,OU=local,O=ciss,L=Cologne,ST=NRW,C=DE / issuer: CN=Localhorst root CA,OU=local,O=ciss,L=Cologne,ST=NRW,C=DE / serial: 1C45449239692242E4EB5F7124ECD2B1F404979B / notbefore: Jul 2 14:53:28 2021 GMT / notafter: Jul 2 14:53:28 2026 GMT]
[Fri Jul 02 15:59:58.654233 2021] [ssl:debug] [pid 61840:tid 140404561278720] ssl_engine_kernel.c(1764): [remote 127.0.0.2:443] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: OU=zzz,O=loca,C=DE,ST=NRW,CN=Localhorst intermediat CA / issuer: CN=Localhorst root CA,OU=local,O=ciss,L=Cologne,ST=NRW,C=DE / serial: 1000 / notbefore: Jul 2 14:56:01 2021 GMT / notafter: Jul 2 14:56:01 2023 GMT]
[Fri Jul 02 15:59:59.101482 2021] [ssl:error] [pid 61840:tid 140404561278720] (EAI 2)Name or service not known: [remote 127.0.0.2:443] AH01972: could not resolve address of OCSP responder pki.sparklingca.com
[Fri Jul 02 15:59:59.101790 2021] [ssl:info] [pid 61840:tid 140404561278720] [remote 127.0.0.2:443] AH02276: Certificate Verification: Error (50): application verification failure [subject: OU=zzz,O=loca,C=DE,ST=NRW,CN=Localhorst intermediat CA / issuer: CN=Localhorst root CA,OU=local,O=ciss,L=Cologne,ST=NRW,C=DE / serial: 1000 / notbefore: Jul 2 14:56:01 2021 GMT / notafter: Jul 2 14:56:01 2023 GMT]
[Fri Jul 02 15:59:59.102021 2021] [ssl:info] [pid 61840:tid 140404561278720] [remote 127.0.0.2:443] AH02003: SSL Proxy connect failed
[Fri Jul 02 15:59:59.102080 2021] [ssl:info] [pid 61840:tid 140404561278720] SSL Library Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Fri Jul 02 15:59:59.102099 2021] [ssl:info] [pid 61840:tid 140404561278720] [remote 127.0.0.2:443] AH01998: Connection closed to child 0 with abortive shutdown (server proxy.localhorst.org:80)
[Fri Jul 02 15:59:59.102185 2021] [ssl:info] [pid 61840:tid 140404561278720] [remote 127.0.0.2:443] AH01997: SSL handshake failed: sending 502
[Fri Jul 02 15:59:59.102202 2021] [proxy:error] [pid 61840:tid 140404561278720] (20014)Internal error (specific information not available): [client 127.0.0.1:48808] AH01084: pass request body failed to 127.0.0.2:443 (own.localhorst.org)
[Fri Jul 02 15:59:59.102226 2021] [proxy:error] [pid 61840:tid 140404561278720] [client 127.0.0.1:48808] AH00898: Error during SSL Handshake with remote server returned by /
[Fri Jul 02 15:59:59.102239 2021] [proxy_http:error] [pid 61840:tid 140404561278720] [client 127.0.0.1:48808] AH01097: pass request body failed to 127.0.0.2:443 (own.localhorst.org) from 127.0.0.1 ()
[Fri Jul 02 15:59:59.102252 2021] [proxy:debug] [pid 61840:tid 140404561278720] proxy_util.c(2340): AH00943: HTTPS: has released connection for (own.localhorst.org)

- - - - - - - - - - - - - - - - - - - - - - - - -

Install the patched apache:

:~# dpkg -i apache2_2.4.41-4ubuntu3.3_amd64.deb apache2-bin_2.4.41-4ubuntu3.3_amd64.deb apache2-data_2.4.41-4ubuntu3.3_all.deb apache2-utils_2.4.41-4ubuntu3.3_amd64.deb

:~# systemctl restart <email address hidden>
:~# systemctl restart <email address hidden>

:~# curl http://proxy.localhorst.org
own

Worked for me without an error.

Hopefully this will help to make things a bit clearer.

Regards, Horst
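Added example (not part of Horst's comment, the bug report, or the apache2 package): the failure in the log above comes from mod_ssl taking the OCSP responder URI out of the intermediate certificate's AuthorityInfoAccess (AIA) extension and failing to resolve its hostname (AH01972). Before putting a private chain behind an OCSP-checking client, it is worth enumerating every AIA OCSP URI in the chain and checking that the hosts resolve. The script below does that with the standard library only: it parses a DER-encoded AIA extension value, selects the id-ad-ocsp entries (the same selection `openssl x509 -ocsp_uri` makes) and reports which responder hostnames fail DNS resolution. The AIA value it parses is constructed inline to mirror the two URIs shown in the comment plus a caIssuers entry; it is not taken from a real certificate. The resolver is injectable so the check can be exercised offline.

```python
"""Added example: list OCSP responder URIs from an X.509 AuthorityInfoAccess
extension value and report which responder hosts do not resolve."""
import socket
from typing import Callable
from urllib.parse import urlparse

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
TAG_SEQUENCE, TAG_OID = 0x30, 0x06
TAG_URI = 0x86  # GeneralName uniformResourceIdentifier: [6] IMPLICIT IA5String


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value, using the long length form when needed."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def _encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return _tlv(TAG_OID, bytes(body))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_aia(ext_value: bytes) -> list[tuple[str, str]]:
    """Parse AuthorityInfoAccessSyntax (contents of the extension OCTET STRING):
    SEQUENCE OF AccessDescription { accessMethod OID, accessLocation GeneralName }.
    Returns (method OID, URI) pairs; non-URI access locations are skipped."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value must be a SEQUENCE")
    pairs, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = _read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription must be a SEQUENCE")
        tag, oid, after_oid = _read_tlv(desc, 0)
        if tag != TAG_OID:
            raise ValueError("accessMethod must be an OID")
        tag, name, _ = _read_tlv(desc, after_oid)
        if tag == TAG_URI:
            pairs.append((_decode_oid(oid), name.decode("ascii")))
    return pairs


def ocsp_responders(ext_value: bytes) -> list[str]:
    """id-ad-ocsp URIs only, the same selection `openssl x509 -ocsp_uri` makes."""
    return [uri for oid, uri in parse_aia(ext_value) if oid == OID_OCSP]


def unresolvable_hosts(uris, resolver: Callable = socket.getaddrinfo) -> list[str]:
    """Responder hostnames that fail DNS resolution, the condition behind
    mod_ssl's AH01972. `resolver` is injectable so the check can run offline."""
    failed = []
    for uri in uris:
        host = urlparse(uri).hostname
        try:
            resolver(host, None)
        except OSError:  # socket.gaierror is an OSError subclass
            failed.append(host)
    return failed


def _access(oid: str, uri: str) -> bytes:
    return _tlv(TAG_SEQUENCE, _encode_oid(oid) + _tlv(TAG_URI, uri.encode("ascii")))


# Constructed sample AIA value (not from a real certificate); the two OCSP URIs
# are the ones the comment above shows, plus an assumed caIssuers entry.
SAMPLE_AIA = _tlv(TAG_SEQUENCE, b"".join([
    _access(OID_OCSP, "http://pki.sparklingca.com/ocsp/"),
    _access(OID_OCSP, "http://pki.backup.com/ocsp/"),
    _access(OID_CA_ISSUERS, "http://pki.sparklingca.com/ca.crt"),
]))

if __name__ == "__main__":
    uris = ocsp_responders(SAMPLE_AIA)
    print("OCSP responders:", uris)
    print("unresolvable:", unresolvable_hosts(uris))
```

To run it against a real chain, extract the AIA extension value from each certificate (for example with `openssl asn1parse -in cert.pem -strparse <offset>` on the AuthorityInfoAccess OCTET STRING) and pass the bytes to `parse_aia`; any hostname reported by `unresolvable_hosts` is one a verifying proxy will fail on exactly as in the log above, so either the responder has to exist or the CA should not issue certificates carrying that AIA entry.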