
List:       apache-httpd-users
Subject:    [users@httpd] Apache 2.4.53 error AH02411 although hostname matches subjectAltName
From:       Valeriy Zabawski <dziki7jam () gmail ! com>
Date:       2022-04-06 15:37:58
Message-ID: CAEeO0__hS56=bBcYRW2vRevnSg5aL2kC3jhQZvFLvd9M8V-XOQ () mail ! gmail ! com

Hello everyone,

I have an InfluxDB cluster behind Apache HTTPD. HTTPD encrypts traffic
between client and HTTPD with a certificate issued by corporate CA.
Originally, traffic from HTTPD was proxied using http, but recently I've
decided to encrypt it with a self-signed cert. After enabling encryption
between InfluxDB cluster nodes, I've added self-signed CA to Apache config.
However, if I set SSLProxyCheckPeerName to "on", I get error AH02411.
SSLProxyCheckPeerCN is set to "off". Running Curl with the same CA
certificate works, so it seems like HTTPD checks CN and SAN differently
than Curl.

InfluxDB hostname:
influxdb-oss-0.example-influxdb-oss.example.svc.cluster.local
Certificate CN is "*.example.svc.cluster.local" and it doesn't match the
hostname, but in subjectAltName it has "*.example.svc.cluster.local" and
"influxdb-oss-*.example-influxdb-oss.example.svc.cluster.local", which
matches the hostname. My environment has multiple InfluxDB instances, so I
can't set 1 CN, instead I use subjectAltName.

Here's an excerpt from my HTTPD configuration:
<VirtualHost *:8443>
  SSLEngine on
  SSLCertificateFile    "/usr/local/apache2/conf/server.crt"
  SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

  SSLProxyEngine on
  SSLProxyVerify require
  SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName on
  SSLProxyCACertificateFile "/usr/local/apache2/conf/influxdb-selfsigned-ca.crt"

  <Proxy "balancer://example-influxdb-oss">
    BalancerMember "https://influxdb-oss-0.example-influxdb-oss.example.svc.cluster.local:8086"
  
  </Proxy>
  <Location "/ping">
    ProxyPass        "balancer://example-influxdb-oss/ping"
    ProxyPassReverse "balancer://example-influxdb-oss/ping"
  </Location>
</VirtualHost>

Is there any way to make my configuration work with hostname matching
subjectAltName instead of CN?
Thanks in advance.
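The hostname-matching rule that decides this question, as an added example that is not part of the original post and not Apache's or OpenSSL's code: a small RFC 6125-style matcher run against the two subjectAltName entries and the InfluxDB hostname quoted above (those names are copied from the question; the SAN list is reconstructed from its text, and `allow_partial_wildcard` is this example's own switch). A wildcard is honoured only in the left-most label and covers exactly one label, so `*.example.svc.cluster.local` cannot match a name with two labels in front of `example.svc.cluster.local`; everything then rides on whether the validator accepts a partial-label wildcard such as `influxdb-oss-*`, which RFC 6125 leaves optional and which OpenSSL's X509_check_host accepts only when X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS is not set. The common name is deliberately ignored, matching SSLProxyCheckPeerCN off.

```python
"""RFC 6125-style matching of a hostname against subjectAltName dNSName entries.

Added example, not code from the original post or from Apache/mod_ssl; it
re-implements the label-by-label wildcard rule so the SAN entries from the
question can be checked against the InfluxDB hostname offline.
"""


def label_matches(pattern_label: str, host_label: str, allow_partial_wildcard: bool) -> bool:
    """Match one DNS label; '*' stands for one or more characters inside that label."""
    if "*" not in pattern_label:
        return pattern_label == host_label
    if pattern_label == "*":
        return len(host_label) > 0
    # Partial wildcard such as "influxdb-oss-*": fixed prefix/suffix around a single '*'.
    # Accepted only when the caller opts in (assumption: mirrors OpenSSL's default
    # unless X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS is given).
    if not allow_partial_wildcard or pattern_label.count("*") != 1:
        return False
    prefix, suffix = pattern_label.split("*")
    return (
        len(host_label) > len(prefix) + len(suffix)  # the '*' must cover at least one character
        and host_label.startswith(prefix)
        and host_label.endswith(suffix)
    )


def match_hostname(pattern: str, hostname: str, allow_partial_wildcard: bool = False) -> bool:
    """Return True if the presented identifier `pattern` matches `hostname`.

    Rules applied (RFC 6125 section 6.4.3):
      * comparison is case-insensitive and label by label;
      * a wildcard is honoured only in the left-most label;
      * a wildcard never spans a label, so "*.a.b" does not match "x.y.a.b";
      * a wildcard needs at least two labels to its right, so "*.local" is refused;
      * a partial wildcard ("influxdb-oss-*") is accepted only on request.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a single wildcard label cannot absorb two hostname labels
    if "*" in pattern:
        if any("*" in lbl for lbl in p_labels[1:]):
            return False
        if len(p_labels) < 3:
            return False
    if not label_matches(p_labels[0], h_labels[0], allow_partial_wildcard):
        return False
    return p_labels[1:] == h_labels[1:]


def find_matching_san(sans, hostname, allow_partial_wildcard=False):
    """Return the first dNSName SAN that matches `hostname`, or None (CN is ignored)."""
    for san in sans:
        if match_hostname(san, hostname, allow_partial_wildcard):
            return san
    return None


# Names taken from the question; the SAN list is reconstructed from its text.
INFLUXDB_HOST = "influxdb-oss-0.example-influxdb-oss.example.svc.cluster.local"
CERT_SANS = [
    "*.example.svc.cluster.local",
    "influxdb-oss-*.example-influxdb-oss.example.svc.cluster.local",
]

if __name__ == "__main__":
    for partial in (False, True):
        hit = find_matching_san(CERT_SANS, INFLUXDB_HOST, allow_partial_wildcard=partial)
        print(f"partial wildcards {'allowed' if partial else 'refused'}: match = {hit}")
```

Run stand-alone, the script reports no match under the strict rule and a match on the second SAN only once partial wildcards are allowed. The practical consequence the example shows is that a SAN whose wildcard is a whole label at the correct depth, for instance `*.example-influxdb-oss.example.svc.cluster.local`, matches every node name under both rules and does not depend on the validator's partial-wildcard policy.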



