I need to connect to an external server via SSL which only accepts a certificate exchange following this architecture:
Client (my Node.js server) --http--> (Reverse?) Proxy --https--> External Server asking for a certificate.
I don’t own the external server, but they have my certificates installed in their system.
I used Let's Encrypt to generate certificates, so I have 4 files:
privkey.pem --> Private Key
cert.pem --> Public Key
chain.pem --> Certificate Chain
fullchain.pem --> Concatenation of cert.pem and chain.pem
Current, not working, apache 2.4.33 vhost configuration:

```apache
<VirtualHost *:80>
    SSLProxyEngine On
    SSLProxyVerify require
    SSLCertificateFile path/fullchain.pem
    SSLCertificateKeyFile path/privkey.pem
    SSLProxyMachineCertificateChainFile path/fullchain.pem
    SSLProxyCACertificateFile path/fullchain.pem
    # mydomain.certandkey.pem is a concatenation of cert.pem and privkey.pem
    SSLProxyMachineCertificateFile mydomain.certandkey.pem

    ProxyRequests Off
    RewriteEngine On
    #ProxyPreserveHost On
    #<Proxy *>
    #Order deny,allow
    #Allow from all
    #</Proxy>
    ProxyPass / https://external.server.com/
    ProxyPassReverse / https://external.server.com/
</VirtualHost>
```
The apache error log is:

```
AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)
[date] [ssl:emerg] [pid 76986] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed
```
It seems to come from SSLProxyMachineCertificateFile, as it goes away when I comment out the corresponding line (but the connection doesn't work). Does anyone have an idea how to fix this, or has anyone met a similar connection situation?
I've spent the last two days looking over the internet and trying many configurations; it is driving me crazy.
Thank you very much.
Answer
You are trying to use certificates that can’t be used for this purpose.
Quote from the Apache documentation for SSLProxyMachineCertificateFile:
File of concatenated PEM-encoded client certificates and keys to be used by the proxy
(highlighting by me)
From the Let’s Encrypt FAQ:
Does Let’s Encrypt issue certificates for anything other than SSL/TLS for websites?
Let’s Encrypt certificates are standard Domain Validation certificates, so you can use them for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more.
Email encryption and code signing require a different type of certificate that Let’s Encrypt does not issue.
Client auth falls into the email encryption and code signing category. The certificates need to be created for this purpose. Let's Encrypt certificates are for server use only.
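A preflight check for a file that is about to be handed to SSLProxyMachineCertificateFile, added here as an example (it is not part of the question or the answer; the file name passed in is an assumption). It verifies the three things that bite in this setup: the file holds both a certificate and an unencrypted private key (the condition behind AH02252), the key actually belongs to the certificate, and OpenSSL considers the certificate valid for TLS client authentication.

```shell
#!/bin/sh
# check_proxy_client_cert.sh: preflight for a concatenated cert+key file meant for
# SSLProxyMachineCertificateFile. Added example; the file name is whatever you
# concatenated (assumption). Exit status 0 means the file is usable as a proxy client cert.

check_proxy_client_cert() {
  pem="$1"
  [ -r "$pem" ] || { echo "FAIL: cannot read $pem"; return 1; }

  # 1. mod_ssl wants the client certificate AND its private key in the same file,
  #    otherwise it aborts with AH02252 "incomplete client cert ... missing or encrypted private key".
  grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" \
    || { echo "FAIL: no CERTIFICATE block in $pem"; return 1; }
  grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$pem" \
    || { echo "FAIL: no PRIVATE KEY block in $pem (cert.pem alone is not enough)"; return 1; }
  if grep -Eq -- 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$pem"; then
    echo "FAIL: private key is passphrase-protected; mod_ssl cannot use it here"; return 1
  fi

  # 2. The key must belong to the certificate: compare the SHA-256 of both public keys.
  #    awk extracts the PEM blocks so this works regardless of block order or OpenSSL version.
  cert_pub=$(awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$pem" \
    | openssl x509 -noout -pubkey 2>/dev/null | openssl dgst -sha256)
  key_pub=$(awk '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/' "$pem" \
    | openssl pkey -pubout 2>/dev/null | openssl dgst -sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: private key does not match the certificate"; return 1; }

  # 3. The remote server checks what the certificate may be used for (Key Usage / Extended Key Usage).
  #    OpenSSL's purpose check reports "SSL client : Yes" only if those extensions permit client auth.
  awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$pem" \
    | openssl x509 -noout -purpose 2>/dev/null | grep -q '^SSL client : Yes' \
    || { echo "FAIL: certificate is not valid for TLS client authentication"; return 1; }

  echo "OK: $pem contains a matching cert+key pair usable for TLS client auth"
}
```

Run it as `check_proxy_client_cert mydomain.certandkey.pem` before restarting Apache; the first failing check tells you whether the problem is the file layout, a key mismatch, or the certificate type itself.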
Attribution
Source: Link, Question Author: tristao, Answer Author: Community