List: apache-httpd-users
Subject: [users@httpd] Apache 2.4.53 error AH02411 although hostname matches subjectAltName
From: Valeriy Zabawski <dziki7jam () gmail ! com>
Date: 2022-04-06 15:37:58
Message-ID: CAEeO0__hS56=bBcYRW2vRevnSg5aL2kC3jhQZvFLvd9M8V-XOQ () mail ! gmail ! com
Hello everyone,
I have an InfluxDB cluster behind Apache HTTPD. HTTPD encrypts traffic
between client and HTTPD with a certificate issued by corporate CA.
Originally, traffic from HTTPD was proxied using http, but recently I've
decided to encrypt it with a self-signed cert. After enabling encryption
between InfluxDB cluster nodes, I've added self-signed CA to Apache config.
However, if I set SSLProxyCheckPeerName to "on", I get error AH02411.
SSLProxyCheckPeerCN is set to "off". Running Curl with the same CA
certificate works, so it seems like HTTPD checks CN and SAN differently
than Curl.
InfluxDB hostname:
influxdb-oss-0.example-influxdb-oss.example.svc.cluster.local
Certificate CN is "*.example.svc.cluster.local" and it doesn't match the
hostname, but in subjectAltName it has "*.example.svc.cluster.local" and
"influxdb-oss-*.example-influxdb-oss.example.svc.cluster.local", which
matches the hostname. My environment has multiple InfluxDB instances, so I
can't set 1 CN, instead I use subjectAltName.
Here's an excerpt from my HTTPD configuration:
<VirtualHost *:8443>
    SSLEngine on
    SSLCertificateFile "/usr/local/apache2/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile "/usr/local/apache2/conf/influxdb-selfsigned-ca.crt"

    <Proxy "balancer://example-influxdb-oss">
        BalancerMember "https://influxdb-oss-0.example-influxdb-oss.example.svc.cluster.local:8086"
    </Proxy>
    <Location "/ping">
        ProxyPass "balancer://example-influxdb-oss/ping"
        ProxyPassReverse "balancer://example-influxdb-oss/ping"
    </Location>
</VirtualHost>
Is there any way to make my configuration work with hostname matching
subjectAltName instead of CN?
Thanks in advance.
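An added example, not part of the original post and not Apache or curl code: a small RFC 6125 (section 6.4.3) style dNSName matcher that checks the hostname from the post against its two subjectAltName entries. It assumes the strict rule most validators apply (a wildcard must be the whole left-most label and matches exactly one label) and takes a flag for the partial-label form ("influxdb-oss-*"), which RFC 6125 only permits as a MAY; whether mod_ssl's matcher accepts that form is not something the post establishes, so run both modes and compare against what the proxy reports.

```python
# Added example: RFC 6125-style dNSName matching. Not code from Apache, curl,
# or the post; hostname and SAN values below are quoted from the post.
HOSTNAME = "influxdb-oss-0.example-influxdb-oss.example.svc.cluster.local"
SAN_DNS = [
    "*.example.svc.cluster.local",
    "influxdb-oss-*.example-influxdb-oss.example.svc.cluster.local",
]


def dnsname_matches(pattern: str, hostname: str, partial_wildcards: bool = False) -> bool:
    """Compare one dNSName pattern against a hostname, label by label.

    - comparison is case-insensitive and a trailing dot is ignored
    - '*' is honoured only in the left-most label and matches exactly one label,
      so '*.a.b' never matches 'x.y.a.b'
    - by default the wildcard must be the whole left-most label;
      partial_wildcards=True additionally accepts 'foo-*' (RFC 6125: MAY)
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False            # a wildcard cannot stand in for several labels
    first, rest = p_labels[0], p_labels[1:]
    if rest != h_labels[1:]:
        return False            # non-left-most labels must match literally
    if "*" not in first:
        return first == h_labels[0]
    if first == "*":
        return True             # '*.rest' matches any single left-most label
    if not partial_wildcards or first.count("*") != 1:
        return False
    prefix, suffix = first.split("*")
    h0 = h_labels[0]
    return (len(h0) >= len(prefix) + len(suffix)
            and h0.startswith(prefix) and h0.endswith(suffix))


def evaluate(hostname: str, sans: list, partial_wildcards: bool = False) -> list:
    """Return (san, matched) pairs so a config can be checked before deployment."""
    return [(san, dnsname_matches(san, hostname, partial_wildcards)) for san in sans]


if __name__ == "__main__":
    for lenient in (False, True):
        print(f"partial_wildcards={lenient}")
        for san, ok in evaluate(HOSTNAME, SAN_DNS, lenient):
            print(f"  {'MATCH   ' if ok else 'no match'} {san}")
```

Under the strict rule neither SAN entry matches the six-label hostname; only the lenient mode accepts the second entry, which is why a check that passes in one client can fail in another.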