Otdfbt

What is the role of the transistor and diode in a soft start circuit?

Is it ethical to give a final exam after the professor has quit before teaching the remaining chapters of the course?

Why aren't air breathing engines used as small first stages

Using et al. for a last / senior author rather than for a first author

What's the purpose of writing one's academic biography in the third person?

How to run gsettings for another user Ubuntu 18.04.2 LTS

Overriding an object in memory with placement new

Why didn't this character "real die" when they blew their stack out in Altered Carbon?

How to call a function with default parameter through a pointer to function that is the return of another function?

3 doors, three guards, one stone

Why is "Consequences inflicted." not a sentence?

Why is my conclusion inconsistent with the van't Hoff equation?

What LEGO pieces have "real-world" functionality?

Can a non-EU citizen traveling with me come with me through the EU passport line?

What does the word "veer" mean here?

Is there a (better) way to access $wpdb results?

Output the ŋarâþ crîþ alphabet song without using (m)any letters

List of Python versions

Why are there no cargo aircraft with "flying wing" design?

What is Arya's weapon design?

51k Euros annually for a family of 4 in Berlin: Is it enough?

At the end of Thor: Ragnarok why don't the Asgardians turn and head for the Bifrost as per their original plan?

How to bypass password on Windows XP account?

Apollo command module space walk?

2-way SSL with apache forward proxy

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

2

1

I'm working to set up Apache as a forward proxy with a client that uses 2-way SSL. The basic flow is myApplication --via http--> Apache proxy --via 2 way SSL--> client. After setting everything up, when I try to start Apache, I'm getting a "incomplete client cert configured for SSL proxy (missing or encrypted private key?)" error. What I can't figure out is that the client cert I'm using in the SSLProxyMachineCertificateFile directive has both the unencrypted private key and the public cert already. Any suggestions on what I'm missing and/or anything else I can try? Does the all-in-one machine cert need to have the chain in it as well?

Here's what my vhost looks like.

<VirtualHost *:8082>
 ServerName my.domain.com

 ProxyRequests On
 SSLProxyEngine On

 SSLProxyMachineCertificateFile /etc/httpd/keys/machine.pem
 SSLProxyCACertificateFile /etc/httpd/keys/machine.chain.crt

 ProxyPass / https://target.client.com/
 ProxyPassReverse / https://target.client.com/

 <Proxy *>
 Order deny,allow
 Allow from all
 </Proxy>
</VirtualHost>

EDIT: I updated the basic flow to clarify what kind of connection I'm trying to use between the application, apache, and the client.

apache-2.2 ssl proxy forwarding virtualhost

share|improve this question

edited Oct 15 '13 at 15:24

Mike Levy

asked Oct 15 '13 at 4:58

Mike LevyMike Levy

150126

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  what is 2-way-SSL?
  
  – that guy from over there
  Oct 15 '13 at 5:21
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Is the private key in machine.pem DES encrypted (the default when generating)?
  
  – Shane Madden♦
  Oct 15 '13 at 6:11
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The all-in-one machine cert should not need to have the chain in it. I would start by trying to connect using without apache, e.g. by doing openssl s_client -connect remoteserver:443 -cert /etc/httpd/keys/machine.pem. The output from that should give you some hint.
  
  – Jenny D
  Oct 15 '13 at 7:48
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @ShaneMadden I'm going to say yes. When I generated the key and csr it was a pretty standard generation process and I didn't put a password on the private key.
  
  – Mike Levy
  Oct 15 '13 at 14:50
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @JennyD I tried out your suggestion and was able to successfully connect to the remote server using machine.pem. However, I still can't start Apache when using machine.pem as the SSLProxyMachineCertificateFile.
  
  – Mike Levy
  Oct 15 '13 at 15:04
  

  
  
  
  

 | 
show 3 more comments

2

1

I'm working to set up Apache as a forward proxy with a client that uses 2-way SSL. The basic flow is myApplication --via http--> Apache proxy --via 2 way SSL--> client. After setting everything up, when I try to start Apache, I'm getting a "incomplete client cert configured for SSL proxy (missing or encrypted private key?)" error. What I can't figure out is that the client cert I'm using in the SSLProxyMachineCertificateFile directive has both the unencrypted private key and the public cert already. Any suggestions on what I'm missing and/or anything else I can try? Does the all-in-one machine cert need to have the chain in it as well?

Here's what my vhost looks like.

<VirtualHost *:8082>
 ServerName my.domain.com

 ProxyRequests On
 SSLProxyEngine On

 SSLProxyMachineCertificateFile /etc/httpd/keys/machine.pem
 SSLProxyCACertificateFile /etc/httpd/keys/machine.chain.crt

 ProxyPass / https://target.client.com/
 ProxyPassReverse / https://target.client.com/

 <Proxy *>
 Order deny,allow
 Allow from all
 </Proxy>
</VirtualHost>

EDIT: I updated the basic flow to clarify what kind of connection I'm trying to use between the application, apache, and the client.

apache-2.2 ssl proxy forwarding virtualhost

share|improve this question

edited Oct 15 '13 at 15:24

Mike Levy

asked Oct 15 '13 at 4:58

Mike LevyMike Levy

150126

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  what is 2-way-SSL?
  
  – that guy from over there
  Oct 15 '13 at 5:21
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Is the private key in machine.pem DES encrypted (the default when generating)?
  
  – Shane Madden♦
  Oct 15 '13 at 6:11
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The all-in-one machine cert should not need to have the chain in it. I would start by trying to connect using without apache, e.g. by doing openssl s_client -connect remoteserver:443 -cert /etc/httpd/keys/machine.pem. The output from that should give you some hint.
  
  – Jenny D
  Oct 15 '13 at 7:48
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @ShaneMadden I'm going to say yes. When I generated the key and csr it was a pretty standard generation process and I didn't put a password on the private key.
  
  – Mike Levy
  Oct 15 '13 at 14:50
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @JennyD I tried out your suggestion and was able to successfully connect to the remote server using machine.pem. However, I still can't start Apache when using machine.pem as the SSLProxyMachineCertificateFile.
  
  – Mike Levy
  Oct 15 '13 at 15:04
  

  
  
  
  

 | 
show 3 more comments

I'm working to set up Apache as a forward proxy with a client that uses 2-way SSL. The basic flow is myApplication --via http--> Apache proxy --via 2 way SSL--> client. After setting everything up, when I try to start Apache, I'm getting a "incomplete client cert configured for SSL proxy (missing or encrypted private key?)" error. What I can't figure out is that the client cert I'm using in the SSLProxyMachineCertificateFile directive has both the unencrypted private key and the public cert already. Any suggestions on what I'm missing and/or anything else I can try? Does the all-in-one machine cert need to have the chain in it as well?

Here's what my vhost looks like.

<VirtualHost *:8082>
 ServerName my.domain.com

 ProxyRequests On
 SSLProxyEngine On

 SSLProxyMachineCertificateFile /etc/httpd/keys/machine.pem
 SSLProxyCACertificateFile /etc/httpd/keys/machine.chain.crt

 ProxyPass / https://target.client.com/
 ProxyPassReverse / https://target.client.com/

 <Proxy *>
 Order deny,allow
 Allow from all
 </Proxy>
</VirtualHost>

EDIT: I updated the basic flow to clarify what kind of connection I'm trying to use between the application, apache, and the client.

apache-2.2 ssl proxy forwarding virtualhost

share|improve this question

edited Oct 15 '13 at 15:24

Mike Levy

asked Oct 15 '13 at 4:58

Mike LevyMike Levy

150126

<VirtualHost *:8082>
 ServerName my.domain.com

 ProxyRequests On
 SSLProxyEngine On

 SSLProxyMachineCertificateFile /etc/httpd/keys/machine.pem
 SSLProxyCACertificateFile /etc/httpd/keys/machine.chain.crt

 ProxyPass / https://target.client.com/
 ProxyPassReverse / https://target.client.com/

 <Proxy *>
 Order deny,allow
 Allow from all
 </Proxy>
</VirtualHost>

share|improve this question

edited Oct 15 '13 at 15:24

Mike Levy

asked Oct 15 '13 at 4:58

Mike LevyMike Levy

150126

share|improve this question

edited Oct 15 '13 at 15:24

Mike Levy

asked Oct 15 '13 at 4:58

Mike LevyMike Levy

150126

asked Oct 15 '13 at 4:58

Mike LevyMike Levy

150126

asked Oct 15 '13 at 4:58

Mike LevyMike Levy

150126

1 Answer
1

active

oldest

votes

0

Your PEM file is not the correct format. Checkout this post.

http://projectzme.wordpress.com/2013/02/02/tip-sslproxymachinecertificatefile-returns-missing-or-encrypted-private-key/

share|improve this answer

answered Dec 13 '14 at 0:04

annonymousannonymous

11

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f546020%2f2-way-ssl-with-apache-forward-proxy%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

0

Your PEM file is not the correct format. Checkout this post.

http://projectzme.wordpress.com/2013/02/02/tip-sslproxymachinecertificatefile-returns-missing-or-encrypted-private-key/

share|improve this answer

answered Dec 13 '14 at 0:04

annonymousannonymous

11

add a comment | 

0

Your PEM file is not the correct format. Checkout this post.

http://projectzme.wordpress.com/2013/02/02/tip-sslproxymachinecertificatefile-returns-missing-or-encrypted-private-key/

share|improve this answer

answered Dec 13 '14 at 0:04

annonymousannonymous

11

add a comment | 

Your PEM file is not the correct format. Checkout this post.

http://projectzme.wordpress.com/2013/02/02/tip-sslproxymachinecertificatefile-returns-missing-or-encrypted-private-key/

share|improve this answer

answered Dec 13 '14 at 0:04

annonymousannonymous

11

share|improve this answer

answered Dec 13 '14 at 0:04

annonymousannonymous

11

answered Dec 13 '14 at 0:04

annonymousannonymous

11

answered Dec 13 '14 at 0:04

annonymousannonymous

11