Bug 55673 - httpd fails to start with SSLProxyMachineCertificateFile with openssl 1.0 cert
Summary: httpd fails to start with SSLProxyMachineCertificateFile with openssl 1.0 cert
Status: RESOLVED DUPLICATE of bug 63935
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.6
Hardware: Other Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2013-10-18 21:03 UTC by Fred K
Modified: 2020-08-18 08:50 UTC

Description Fred K 2013-10-18 21:03:47 UTC

We have configured an Apache to proxy to an SSL backend. The configuration for the related SSL is

LoadModule ssl_module modules/mod_ssl.so

   SSLEngine on

<IfModule ssl_module>
   SSLRandomSeed startup builtin
   SSLRandomSeed connect builtin
   SSLProtocol -all +SSLv3 +TLSv1
   SSLCipherSuite AES256-SHA:DES-CBC3-SHA:AES128-SHA
   SSLCertificateFile ssl/servercert.pem
   SSLProxyEngine on
   SSLProxyMachineCertificateFile ssl/servercert.pem
   SSLProxyMachineCertificateChainFile ssl/cacerts.pem
</IfModule>

Apache fails to start when the servercert.pem looks like:

the key

The error logs are:

[Fri Oct 18 17:32:53.837463 2013] [ssl:debug] [pid 463004:tid 139787389822720] ssl_engine_pphrase.c(181): AH02199: SSL not enabled on vhost foo.com:80, skipping SSL setup
[Fri Oct 18 17:32:53.837502 2013] [ssl:info] [pid 463004:tid 139787389822720] AH02200: Loading certificate & private key of SSL-aware server myhost.com:8443'
[Fri Oct 18 17:32:53.837733 2013] [ssl:debug] [pid 463004:tid 139787389822720] ssl_engine_pphrase.c(239): AH02202: Init: Read server certificate from '/opt/apache/ssl/servercert.pem'
[Fri Oct 18 17:32:53.837938 2013] [ssl:debug] [pid 463004:tid 139787389822720] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Fri Oct 18 17:32:53.976865 2013] [ssl:info] [pid 463004:tid 139787389822720] AH01887: Init: Initializing (virtual) servers for SSL
AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)
[Fri Oct 18 17:32:53.977284 2013] [ssl:emerg] [pid 463004:tid 139787389822720] AH02312: Fatal error initialising mod_ssl, exiting.

1/ Oddly, it appears you can work around the problem by changing the line from -----BEGIN PRIVATE KEY----- to -----BEGIN RSA PRIVATE KEY-----

2/ The problem happens only with SSLProxyMachineCertificateFile; the same certificate works fine with SSLCACertificateFile.

The problem stems from our CA generating the certs with openssl 1.0.1e, which changed (compared to 0.9.8) its default private key format to PKCS#8.

Since the SSLCACertificateFile directive appears to support either format, PKCS#1 or PKCS#8, it is strange that SSLProxyMachineCertificateFile does not. Is this a bug or am I missing something?

Thank you very much,
Regards - Fred
Comment 1 Rainer Jung 2020-08-18 08:50:39 UTC
The OpenSSL API used to read the file unfortunately does not support PKCS8 private keys. This could be seen as a bug, because OpenSSL supports it in many other places it reads PEM encoded keys. For a way to convert the keys see PR 63935. I will add the limitation to the Apache docs and close the other report once that's done. I guess we won't fix this due to the root cause being in OpenSSL and also due to the fact that it is pretty simple to convert the key, once the necessity gets documented.

Thanks for reporting this,
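The conversion the comment refers to, as an added example that is not part of this bug report or of the httpd project: a small POSIX shell script that reports which private-key encoding a PEM file carries and rewrites an unencrypted PKCS#8 key ("BEGIN PRIVATE KEY") as PKCS#1 ("BEGIN RSA PRIVATE KEY"), the form the SSLProxyMachineCertificateFile reader accepts. Rather than relabelling the PEM header, it re-encodes the key with openssl so the DER inside matches the label, and it copies any CERTIFICATE block in the same file through unchanged, since that directive expects certificate and key together. It assumes the openssl command-line tool is on PATH; the file names are illustrative. OpenSSL 3 only emits PKCS#1 from `openssl rsa` with the -traditional flag, while OpenSSL 1.x emits PKCS#1 by default and rejects that flag, so the script tries the flag first and falls back.

```shell
#!/bin/sh
# Added example, not taken from the bug report or the httpd project.
# Assumes the openssl command-line tool is on PATH; file names are illustrative.
# Classifies the private key in a PEM file and rewrites a PKCS#8 key as PKCS#1,
# keeping certificate blocks in the same file intact.

# Print every "-----BEGIN <label>-----" ... "-----END <label>-----" block in $1.
# Exact string comparison keeps "PRIVATE KEY" from matching "RSA PRIVATE KEY".
pem_blocks() {
    awk -v b="-----BEGIN $2-----" -v e="-----END $2-----" \
        '$0 == b { p = 1 } p { print } $0 == e { p = 0 }' "$1"
}

# Classify the private key in $1: pkcs8, pkcs1, encrypted, or none.
pem_key_format() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
    elif grep -q -e '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8
    elif grep -q -e '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        echo pkcs1
    else
        echo none
    fi
}

# Write $1 to $2: certificate block(s) first, then the key re-encoded as PKCS#1.
# OpenSSL 3 needs -traditional to emit PKCS#1; OpenSSL 1.x does so by default
# and rejects the flag, hence the fallback to the plain invocation.
convert_key_to_pkcs1() {
    src=$1; dst=$2
    case $(pem_key_format "$src") in
        pkcs1) cp "$src" "$dst"; return 0 ;;
        pkcs8) ;;
        *) echo "$src: no unencrypted PKCS#8 private key found" >&2; return 1 ;;
    esac
    pem_blocks "$src" CERTIFICATE > "$dst"
    pem_blocks "$src" 'PRIVATE KEY' > "$dst.p8"
    if ! { openssl rsa -in "$dst.p8" -out "$dst.p1" -traditional 2>/dev/null \
           || openssl rsa -in "$dst.p8" -out "$dst.p1" 2>/dev/null; }; then
        rm -f "$dst.p8" "$dst.p1" "$dst"
        echo "$src: openssl could not re-encode the key" >&2
        return 1
    fi
    cat "$dst.p1" >> "$dst"
    rm -f "$dst.p8" "$dst.p1"
    # Succeed only if the rewritten file really carries a PKCS#1 key.
    [ "$(pem_key_format "$dst")" = pkcs1 ]
}

# Usage: sh convert_key.sh servercert.pem servercert-pkcs1.pem
if [ "$#" -eq 2 ]; then
    convert_key_to_pkcs1 "$1" "$2" && echo "$2: $(pem_key_format "$2")"
fi
```

Point SSLProxyMachineCertificateFile at the rewritten file; the chain file is unaffected. The script refuses encrypted keys on purpose, because the directive requires an unencrypted key anyway (the AH02252 message in the report says as much), so decrypting it first is a separate, deliberate step.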
Comment 2 Rainer Jung 2020-08-18 08:50:46 UTC

*** This bug has been marked as a duplicate of bug 63935 ***