| Field | Value |
|---|---|
| Summary | Multiple Certs&Keys in a file used with SSLProxyMachineCertificateFile |
| Product | Apache httpd-2 |
| Reporter | Hendrik T. Voelker <hendrik.volker> |
| Component | Documentation |
| Assignee | HTTP Server Documentation List <docs> |
| Status | RESOLVED INFORMATIONPROVIDED |
| Severity | enhancement |
| CC | dave.bevan |
| Priority | P2 |
| Version | 2.4-HEAD |
| Target Milestone | --- |
| Hardware | All |
| OS | All |
Description

Hendrik T. Voelker, 2019-11-19 09:49:46 UTC
Documentation updated in r1884097 which covers this. Let me know if something is still not clear. http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslproxymachinecertificatefile

Hi @Joe

Any idea when the docs at httpd.apache.org will be updated to reflect the changes described here?

I faced several hours today fighting a somewhat-related issue, which could have been resolved had this advice been live, and not found only when I went to file a bug report.

My situation was slightly different to that described by the reporter - Hendrik. My situation was this: SSLProxyMachineCertificateFile contained a full-chain cert + plain RSA private key. I was misled by the error message "AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)", which is, sort-of true, but only when armed and intersected with the extended knowledge detailed in this change!

In the end, it was more luck rather than research that led me to remove the chain-participant certs, and bingo, things started to work as expected.

Perhaps the language used could be even more explicit than the newly-revised text? For example:

Your SSLProxyMachineCertificateFile file must contain one, or more of the following - a matched pair of plain (not encrypted) private key + client cert:

```
-----BEGIN RSA PRIVATE KEY-----
your private key for this client cert
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
your client certificate
-----END CERTIFICATE-----
```

You can repeat the pairs. Do NOT insert any associated chain/intermediate/root certificates into this file. See SSLProxyMachineCertificateChainFile to supply details of chain certificates should they not already be deployed and generally available to your host.

?

Rather than further tweak the language I changed mod_ssl in r1884552 so that it "just worked" in exactly that kind of configuration (chained certs + key) and avoided spitting the AH02252 error.

The current docs at: http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslproxymachinecertificatefile do describe this hopefully adequately? I can propose this change for 2.4.x.

Hi Joe,

Thanks - I found the /trunk/ docs a few mins ago, and saw your comment re leaf cert support arriving in 2.5.1 - great!

However, I wonder if, while the restriction still exists in the 2.4 series, if it's worth adding a clarification to the /current/ docs regarding the explicit behaviour expected of users loading client creds into that file?

Done.

(In reply to Dave Bevan from comment #4)
> Hi Joe,
>
> Thanks - I found the /trunk/ docs a few mins ago, and saw your comment re
> leaf cert support arriving in 2.5.1 - great!
>
> However, I wonder if, while the restriction still exists in the 2.4 series,
> if it's worth adding a clarification to the /current/ docs regarding the
> explicit behaviour expected of users loading client creds into that file?

I merged the change and added a note about the config error now specific to 2.4: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxymachinecertificatefile

HTH
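A structural check for the file layout Dave describes above, added here as example code (not from the bug thread or from httpd itself): it assumes each private key is immediately followed by its own leaf certificate and inspects PEM block structure only, without verifying that key and certificate actually match. It flags the two AH02252 causes named in the thread (an encrypted key, and chain certificates concatenated into the machine file) and splits the extra certificates off into a body for SSLProxyMachineCertificateChainFile.

```python
import re

# Constructed sample (placeholder base64, not real key material): plain key,
# leaf cert, then an intermediate cert, the layout that hit AH02252 on 2.4.
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
cGxhY2Vob2xkZXIga2V5
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgbGVhZg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgaW50ZXJtZWRpYXRl
-----END CERTIFICATE-----
"""

# One PEM block; BEGIN and END labels must match, body kept for header checks.
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----\n?", re.S)

def pem_blocks(text):
    """Return [(label, full_block_text)] in file order."""
    return [(m.group(1), m.group(0)) for m in BLOCK_RE.finditer(text)]

def lint_machine_cert_file(text):
    """Structural checks for a 2.4-style SSLProxyMachineCertificateFile;
    returns findings, an empty list meaning the layout is usable."""
    blocks = pem_blocks(text)
    keys = [b for b in blocks if "PRIVATE KEY" in b[0]]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    findings = []
    # Encrypted key: PKCS#8 "ENCRYPTED PRIVATE KEY" label or legacy Proc-Type header.
    if any("ENCRYPTED" in lbl or "Proc-Type: 4,ENCRYPTED" in blk for lbl, blk in keys):
        findings.append("encrypted private key: mod_ssl cannot use it for "
                        "proxy client auth (AH02252)")
    if len(certs) > len(keys):
        findings.append(f"{len(certs) - len(keys)} certificate(s) without a key: chain "
                        "certs belong in SSLProxyMachineCertificateChainFile (AH02252 on 2.4)")
    return findings

def split_chain(text):
    """Assumption: each key is immediately followed by its own leaf cert (as in
    SAMPLE_PEM). Keep key+leaf pairs; other certs go to the chain file."""
    blocks, machine, chain, i = pem_blocks(text), [], [], 0
    while i < len(blocks):
        label, block = blocks[i]
        if "PRIVATE KEY" in label and i + 1 < len(blocks) and blocks[i + 1][0] == "CERTIFICATE":
            machine += [block, blocks[i + 1][1]]
            i += 2
        else:
            (chain if label == "CERTIFICATE" else machine).append(block)
            i += 1
    return "".join(machine), "".join(chain)
```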