
I'm trying to make this setup work:

  • Reverse proxy: SSL enabled and facing the internet, using a Let's Encrypt certificate (reverse-proxy.com).
  • Target: site accessed via the reverse proxy, with SSL enabled using an internal certificate chain (target.internal).

So the connection should be:

  • Client to reverse proxy TLS handshake
  • Reverse proxy to target TLS handshake [failing]

What I did right:

  • Adding my root CA certificate to the proxy server
  • Adding the certificate, key and chain to the target
  • Successfully running openssl s_client -connect target.internal:443 -prexit -CAfile /var/certs/root-ca.crt from the reverse proxy

But Apache is failing because when trying to connect to "target.internal", it wants to find the hostname "reverse-proxy.com" in the target certificate, while the target certificate was made for "target.internal".

I have this error in my log:

Cert does not match for name 'reverse-proxy.com'

It prints this after successfully walking the certificate chain from "root-ca.crt" down to "target.internal.crt".

I don't get why Apache isn't looking for a certificate made for "target.internal".

Does someone have an idea? Thank you.

EDIT:

Listen 0.0.0.0:443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

<VirtualHost _default_:443>

        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel trace1

        SSLEngine on
        SSLProxyEngine on
        SSLProxyCACertificateFile /var/certs/root-ca.crt

        SSLProtocol -all +TLSv1.2
        SSLCipherSuite HIGH:!SSLv3:!kRSA:!kECDH:!ADH:!DSS

        SSLCertificateFile /etc/letsencrypt/live/reverse-proxy.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/reverse-proxy.com/privkey.pem

        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

        CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

        ServerName reverse-proxy.com
        SSLCertificateChainFile /etc/letsencrypt/live/reverse-proxy.com/chain.pem

        ProxyPreserveHost On
        RewriteEngine On

        RewriteRule         ^/stuff/(.*)$     https://target.internal/$1 [P]
        ProxyPassReverse    /stuff/           https://target.internal/

</VirtualHost>
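As an added illustration (not part of the question or of any answer on this page), here is the backend-TLS part of the same vhost with the two ProxyPreserveHost variants side by side. It relies on one mod_proxy/mod_ssl behaviour: when ProxyPreserveHost is On, the client's Host header is used as the SNI name for the backend connection, and SSLProxyCheckPeerName (on by default) verifies the backend certificate against that SNI name rather than against the URL hostname. The paths and names are the ones from the question.

```apache
<VirtualHost _default_:443>
    ServerName reverse-proxy.com
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/reverse-proxy.com/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/reverse-proxy.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/reverse-proxy.com/chain.pem

    # Backend TLS: keep chain *and* name verification on. Apache checks
    # the backend certificate against the SNI name it sent to the backend.
    SSLProxyEngine on
    SSLProxyCACertificateFile /var/certs/root-ca.crt
    SSLProxyVerify require
    SSLProxyCheckPeerName on

    # Failing variant: the client's Host header ("reverse-proxy.com") is
    # forwarded as Host *and* used as SNI, so name verification expects
    # "reverse-proxy.com" in a certificate issued to "target.internal".
    # ProxyPreserveHost On

    # Working variant: the backend URL's hostname ("target.internal") is
    # used for Host, SNI and the peer-name check. The original host still
    # reaches the backend in X-Forwarded-Host, which mod_proxy adds by default.
    ProxyPreserveHost Off

    RewriteEngine On
    RewriteRule      ^/stuff/(.*)$  https://target.internal/$1 [P]
    ProxyPassReverse /stuff/        https://target.internal/
</VirtualHost>
```

To reproduce the check Apache performs from the shell (OpenSSL 1.1 or later), run openssl s_client -connect target.internal:443 -servername target.internal -verify_hostname target.internal -CAfile /var/certs/root-ca.crt and compare it with the same command using -verify_hostname reverse-proxy.com.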
  • Can you post your config? – Joshua Griffiths Nov 10 '17 at 21:12
  • apache uses the cert you have configured in the virtualhost receiving the requests. – Daniel Ferradal Nov 11 '17 at 13:11
  • Hello, thank you for your answer. Sorry for not answering sooner; I wanted to write my question before leaving for the weekend, as it was still fresh in my mind. Unfortunately I can't access my company's server from my home, so this had to wait until now. – MathieuR Nov 13 '17 at 08:15
