Hi,
having configured a reverse proxy based on Apache2, I installed a properly signed certificate (by the well-known Telekom AG CA). Mozilla Firefox and Google Chrome assert that the TLS connection is secure.
SSLProxyEngine on
SSLProxyCheckPeerCN off
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / https://datashield.research.dhm.mhn.de:8443/
ProxyPassReverse / https://datashield.research.dhm.mhn.de:8443/
From a remote server I can establish an OPAL connection in R:
> library(opalr)
Loading required package: httr
> o <- opal.login(username = "administrator", password = "SECRET", url = "https://datashield.research.dhm.mhn.de")
Locally, on the datashield/Opal server, I can’t connect: neither on the Apache reverse proxy, port 443,
> library(opalr)
Loading required package: httr
> o <- opal.login(username = "administrator", password = "SECRET", url = "https://datashield.research.dhm.mhn.de")
Error in curl::curl_fetch_memory(url, handle = handle) :
SSL certificate problem: unable to get local issuer certificate
nor directly on the OPAL listening port 8443, though the exact SSL error message differs:
> library(opalr)
Loading required package: httr
> o <- opal.login(username = "administrator", password = "SECRET", url = "https://datashield.research.dhm.mhn.de:8443")
Error in curl::curl_fetch_memory(url, handle = handle) :
SSL certificate problem: self signed certificate
(1) Why should the connection on port 443 with the reverse proxy not work locally, and complain about not finding the certificate, if it works remotely?
(2) I don’t understand why the local connection complains about a self-signed certificate. I removed the distribution-created “snakeoil” certificate and key file.
The apache2 error log, /var/log/apache2/error.log, shows:
[Thu Feb 24 11:21:57.639457 2022] [ssl:warn] [pid 23610:tid 139780264236800] AH02268: Proxy client certificate callback: (datashield.research.dhm.mhn.de:443) downstream server wanted client certificate but none are configured
When I added in the proxy configuration section
SSLProxyMachineCertificateFile /etc/ssl/certs/datashield.research.dhm.mhn.pem
Apache2 complains about
[Thu Feb 24 11:26:38.646484 2022] [mpm_event:notice] [pid 23608:tid 139780514364480] AH00491: caught SIGTERM, shutting down
AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)
Therefore I combined the certificate PEM file and the key file into one PEM file:
cat /etc/ssl/certs/datashield.research.dhm.mhn.pem /etc/ssl/private/datashield.research.dhm.mhn.key > /etc/ssl/certs/datashield.research.dhm.mhn-withkey.pem
The end-of-line characters are “^M” in the combined file, if that makes a difference.
And configuring this in the proxy reverse section:
# Reverse proxy configuration
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyMachineCertificateFile /etc/ssl/certs/datashield.research.dhm.mhn-withkey.pem
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / https://datashield.research.dhm.mhn.de:8443/
ProxyPassReverse / https://datashield.research.dhm.mhn.de:8443/
This did not solve the Apache2 problem, and the reported error was the same:
AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)
[Thu Feb 24 11:29:59.619826 2022] [ssl:emerg] [pid 23974:tid 140354068458560] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed
How can this (local) reverse proxy problem be solved?
Best regards,
Sven
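An offline sanity check for the file handed to SSLProxyMachineCertificateFile, as an added example that is not part of Sven's post and not Apache or Opal project code. Apache documents that this directive needs the certificate together with an unencrypted private key in the same file; the checker below classifies a PEM file by exactly those conditions (plus the CR line endings Sven mentions), so that the "incomplete client cert" case can be spotted before restarting httpd. All PEM bodies are constructed base64-looking filler, not real key material, and the file names under $TMPD are mine. It does not settle whether the Opal backend on port 8443 actually requires a client certificate; it only explains what shape the file has to have once one is configured.

```shell
#!/bin/sh
# Added example (not from the original post): classify a PEM file intended
# for Apache's SSLProxyMachineCertificateFile. Apache wants a CERTIFICATE
# block and an unencrypted PRIVATE KEY block in the same file.

# Print one classification for the file given as $1:
#   crlf           - file carries \r line endings (the "^M" case); normalize first
#   missing-cert   - no CERTIFICATE block at all
#   encrypted-key  - key is passphrase protected; Apache cannot use it here
#   missing-key    - certificate present but no plaintext PRIVATE KEY block
#   ok             - certificate and plaintext key both present
check_proxy_machine_cert() {
    f="$1"
    if grep -q "$(printf '\r')" "$f"; then
        echo crlf; return
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        echo missing-cert; return
    fi
    # PKCS#8 "ENCRYPTED PRIVATE KEY" or legacy "Proc-Type: 4,ENCRYPTED" headers
    if grep -Eq -- 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$f"; then
        echo encrypted-key; return
    fi
    if ! grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f"; then
        echo missing-key; return
    fi
    echo ok
}

# Rewrite $1 into $2 with CR characters removed (CRLF -> LF).
normalize_pem() {
    tr -d '\r' < "$1" > "$2"
}

# --- constructed sample files (assumption: filler, not real certificates/keys)
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

cat > "$TMPD/cert.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUEXAMPLEONLYNOTAREALCERTIFICATE0000
-----END CERTIFICATE-----
EOF
cat > "$TMPD/key.pem" <<'EOF'
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwEXAMPLEONLYNOTAREALKEY
-----END PRIVATE KEY-----
EOF
cat > "$TMPD/enc-key.pem" <<'EOF'
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApEXAMPLEONLYNOTAREALKEY000
-----END ENCRYPTED PRIVATE KEY-----
EOF

# Certificate only: the shape that yields AH02252 ("missing ... private key?").
cp "$TMPD/cert.pem" "$TMPD/cert-only.pem"
# Certificate + key, but with CRLF line endings, like the "^M" file in the post.
cat "$TMPD/cert.pem" "$TMPD/key.pem" | awk '{ printf "%s\r\n", $0 }' > "$TMPD/combined-crlf.pem"
# Same content with line endings normalized: what the directive expects.
normalize_pem "$TMPD/combined-crlf.pem" "$TMPD/combined.pem"
# Certificate + passphrase-protected key: also rejected by Apache.
cat "$TMPD/cert.pem" "$TMPD/enc-key.pem" > "$TMPD/combined-enc.pem"

for name in cert-only combined-crlf combined combined-enc key; do
    printf '%-18s %s\n' "$name.pem" "$(check_proxy_machine_cert "$TMPD/$name.pem")"
done
```

Run it as-is to see the five classifications; to inspect a real file, call check_proxy_machine_cert on the path Apache has configured and, if it reports crlf, regenerate the combined file through normalize_pem before restarting. The check deliberately does not parse key material, so it cannot confirm that the key matches the certificate; openssl can do that separately once the file has the right shape.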