
I need to connect to an external server via SSL which only accepts a certificate exchange following this architecture:

Client (my Nodejs server) -----http-----> (Reverse?) Proxy ----https-----> External Server asking for certificate.

I don't own the external server, but they have my certificates installed in their system.

I used Let's Encrypt to generate certificates, so I have 4 files:

privkey.pem --> Private Key
cert.pem --> Public Key
chain.pem --> Certificate Chain
fullchain.pem --> Concatenation of cert.pem and chain.pem

Current (not working) Apache 2.4.33 vhost configuration:

<VirtualHost *:80>
    SSLProxyEngine On
    SSLProxyVerify require

    SSLCertificateFile path/fullchain.pem
    SSLCertificateKeyFile path/privkey.pem

    SSLProxyMachineCertificateChainFile path/fullchain.pem
    SSLProxyCACertificateFile path/fullchain.pem
    # mydomain.certandkey.pem is a concatenation of cert.pem and privkey.pem
    SSLProxyMachineCertificateFile mydomain.certandkey.pem

    ProxyRequests Off
    RewriteEngine On
    #ProxyPreserveHost On
    #<Proxy *>
    #Order deny,allow
    #Allow from all
    #</Proxy>

    ProxyPass / https://external.server.com/
    ProxyPassReverse / https://external.server.com/
</VirtualHost>

The apache error log is

AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)
[date] [ssl:emerg] [pid 76986] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed

It seems to come from SSLProxyMachineCertificateFile, as it goes away when I comment out the corresponding line (but the connection doesn't work).

Does anyone have an idea how to fix this, or has anyone met a similar connection situation?

I've spent my last two days looking over the internet and trying many configurations, it drives me crazy.

Thank you very much.

tristao
  • Can you explain how did you make mydomain.certandkey.pem file? I tried to concatenate cert.pem and privkey.pem but it was rejected. – Stan Sokolov Jul 20 '21 at 21:45

2 Answers


Based on the error, the private key is encrypted. For the reverse proxy to use the client cert, the private key needs to be decrypted.

Example:

openssl rsa -in my.key -out dec.key       
Enter pass phrase for my.key:
writing RSA key

SSLProxyMachineCertificateFile Directive

Currently there is no support for encrypted private keys

Hansilog

You are trying to use certificates that can't be used for this purpose.

Quote from the Apache documentation for SSLProxyMachineCertificateFile

File of concatenated PEM-encoded client certificates and keys to be used by the proxy

(highlighting by me)

From the Let's Encrypt FAQ:

Does Let’s Encrypt issue certificates for anything other than SSL/TLS for websites?

Let’s Encrypt certificates are standard Domain Validation certificates, so you can use them for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more.

Email encryption and code signing require a different type of certificate that Let’s Encrypt does not issue.

Client auth falls into the email encryption and code signing category. The certificates need to be created for this purpose. Let's Encrypt certificates are for server use only.

Gerald Schneider
  • Thank you very much for the quick answer, it looks clearer to me. What misled me is that the company holding the server gave me a list of CAs and Let's Encrypt is part of it. After checking, they mention a client certificate, which seems incompatible with Let's Encrypt. If I'm not mistaken from reading your answer, I can't use Let's Encrypt and need to find another CA to get a client certificate for my server. Is that right? – tristao May 16 '19 at 15:30
  • This is incorrect. SSL/TLS client auth is NOT the same category as email or codesigning, and although it _can_ be distinct from server auth, **Let's Encrypt issues EKU with both serverAuth and clientAuth** (and did since 2016 at latest) and so does every other SSL/TLS CA I've ever looked at. – dave_thompson_085 Jun 17 '22 at 03:42
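Added here as a worked example (it is not code from the question, from either answer, or from the Apache project): a POSIX shell script that runs the checks a practitioner would want before pointing SSLProxyMachineCertificateFile at a file. It detects a passphrase-protected key (the AH02252 cause named in the first answer), strips the passphrase, verifies that the key actually belongs to the certificate, reads the certificate's Extended Key Usage to see whether clientAuth is present (the check the last comment relies on, instead of judging by the CA's brand), and only then writes the certificate-then-key PEM the directive expects. It assumes the openssl CLI (1.1.1 or later for `req -addext`); the file names, the `demo` argument and the throwaway self-signed certificate are invented for this example.

```shell
#!/bin/sh
# Added example, not from the original question or answers: pre-flight checks for
# the PEM files Apache's SSLProxyMachineCertificateFile consumes, using only the
# openssl CLI (OpenSSL 1.1.1+ assumed for `req -addext`). File names are
# placeholders chosen for this example.
set -eu

# AH02252 means mod_ssl could not pair a certificate with a usable private key.
# One cause is a passphrase-protected key; detect it from the PEM framing
# (PKCS#8 "ENCRYPTED PRIVATE KEY" or the legacy "Proc-Type: 4,ENCRYPTED" header).
key_encryption_state() {
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
    else
        echo plain
    fi
}

# Remove the passphrase (the `openssl rsa` step from the first answer, generalised
# to EC and PKCS#8 keys). The passphrase is read from $KEY_PASS, not from argv.
decrypt_key() {
    in="$1"; out="$2"
    (umask 077; openssl pkey -in "$in" -passin env:KEY_PASS -out "$out")
}

# Does the leaf certificate's Extended Key Usage include TLS client authentication?
cert_allows_client_auth() {
    if openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Client Authentication'; then
        echo yes
    else
        echo no
    fi
}

# Do certificate and key belong together? Compare SHA-256 digests of the DER
# public key derived from each. Prints "encrypted" if the key cannot be read.
key_matches_cert() {
    cert="$1"; key="$2"
    if [ "$(key_encryption_state "$key")" != plain ]; then
        echo encrypted
        return 0
    fi
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Assemble the file the directive wants: certificate first, then its plaintext key,
# mode 0600. Refuses to write anything mod_ssl would reject at startup.
build_machine_cert_file() {
    cert="$1"; key="$2"; out="$3"
    if [ "$(key_matches_cert "$cert" "$key")" != match ]; then
        echo "refusing: $key is encrypted or does not match $cert" >&2
        return 1
    fi
    if [ "$(cert_allows_client_auth "$cert")" != yes ]; then
        echo "warning: $cert has no clientAuth EKU; the peer may reject it" >&2
    fi
    (umask 077; cat "$cert" "$key" > "$out")
    echo "$out"
}

# Throwaway self-signed certificate with both EKUs, for trying the checks offline.
make_test_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=client.example' \
        -addext 'extendedKeyUsage = serverAuth, clientAuth' \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" 2>/dev/null
}

# `sh pem-check.sh demo` walks through the whole sequence on a constructed key pair.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_test_cert "$d"
    openssl pkey -in "$d/privkey.pem" -aes256 -passout pass:secret -out "$d/enc.pem"
    echo "enc.pem: $(key_encryption_state "$d/enc.pem")"        # encrypted
    KEY_PASS=secret decrypt_key "$d/enc.pem" "$d/dec.pem"
    echo "dec.pem: $(key_encryption_state "$d/dec.pem")"        # plain
    echo "clientAuth: $(cert_allows_client_auth "$d/cert.pem")"  # yes
    build_machine_cert_file "$d/cert.pem" "$d/dec.pem" "$d/machine.pem"
fi
```

For a real deployment, run `build_machine_cert_file cert.pem privkey.pem mydomain.certandkey.pem` on the Let's Encrypt files and point SSLProxyMachineCertificateFile at the result; `cert_allows_client_auth cert.pem` settles the question raised in the comments for the certificate actually in hand. Note that SSLProxyCACertificateFile is a separate concern: it holds the CA certificates Apache uses to verify the external server under SSLProxyVerify require, so pointing it at your own fullchain.pem, as in the question's config, will not validate the remote side.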