Apache mod_ssl log client certificate - apache

In my apache web-server there is a path where clients must authenticate with a valid certificate.
Sometimes a client (a SOAP web service) can't connect: my Apache returns 403 with "sslv3 alert bad certificate (SSL alert number 42) -- Subject CN in certificate not server name or identical to CA!?", and I need to check why, and which certificate it is using.
I set up the trace3 LogLevel for mod_ssl and a CustomLog like this:
CustomLog /var/log/httpd-ssl.log "%t %h \"%{User-agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s \"%{SSL_CLIENT_S_DN_CN}x\" <<<%{SSL_CLIENT_CERT}x>>>"
<IfModule mod_ssl.c>
ErrorLog /var/log/apache2/ssl_engine.log
LogLevel trace3
</IfModule>
In the first log file I can see all the information about clients that can connect, but when the client fails the useful information isn't there:
[16/Feb/2019:11:01:43 +0100] XXX.XXX.XXX.XXX "IBM WebServices/1.0" - - "POST MYSECRETPATH HTTP/1.1" 403 "-" <<<->>>
In the second one I can see some information like:
[Thu Feb 21 13:57:55.288418 2019] [ssl:debug] [pid 99609] ssl_engine_kernel.c(359): [client xxx.xxx.xxx.xxx:56892] AH02034: Initial (No.1) HTTPS request received for child 5 (server XXX.XXX.XXX:443)
[Thu Feb 21 13:57:55.288591 2019] [ssl:debug] [pid 99609] ssl_engine_kernel.c(743): [client xxx.xxx.xxx.xxx:56892] AH02255: Changed client verification type will force renegotiation
[Thu Feb 21 13:57:55.557866 2019] [ssl:info] [pid 99609] [client xxx.xxx.xxx.xxx:56892] AH02221: Requesting connection re-negotiation
[Thu Feb 21 13:57:55.557902 2019] [ssl:debug] [pid 99609] ssl_engine_kernel.c(970): [client xxx.xxx.xxx.xxx:56892] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Thu Feb 21 13:57:55.557919 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1988): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Handshake: start
[Thu Feb 21 13:57:55.557932 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSL renegotiate ciphers
[Thu Feb 21 13:57:55.557948 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write hello request A
[Thu Feb 21 13:57:55.557978 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 flush data
[Thu Feb 21 13:57:55.557986 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write hello request C
[Thu Feb 21 13:57:55.557996 2019] [ssl:info] [pid 99609] [client xxx.xxx.xxx.xxx:56892] AH02226: Awaiting re-negotiation handshake
[Thu Feb 21 13:57:55.558005 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1988): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Handshake: start
[Thu Feb 21 13:57:55.558016 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: before accept initialization
[Thu Feb 21 13:57:55.590106 2019] [ssl:debug] [pid 99609] ssl_engine_kernel.c(2141): [client xxx.xxx.xxx.xxx:56892] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Thu Feb 21 13:57:55.590134 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 read client hello A
[Thu Feb 21 13:57:55.590146 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write server hello A
[Thu Feb 21 13:57:55.590177 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write certificate A
[Thu Feb 21 13:57:55.590190 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 write certificate request A
[Thu Feb 21 13:57:55.590217 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(1996): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Loop: SSLv3 flush data
[Thu Feb 21 13:57:55.887495 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(2001): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Read: SSLv3 read client certificate A
[Thu Feb 21 13:57:55.887530 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(2020): [client xxx.xxx.xxx.xxx:56892] OpenSSL: Exit: failed in SSLv3 read client certificate A
[Thu Feb 21 13:57:55.887538 2019] [ssl:error] [pid 99609] [client xxx.xxx.xxx.xxx:56892] AH02261: Re-negotiation handshake failed
[Thu Feb 21 13:57:55.887567 2019] [ssl:error] [pid 99609] SSL Library Error: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (SSL alert number 42) -- Subject CN in certificate not server name or identical to CA!?
[Thu Feb 21 13:57:55.887578 2019] [core:trace3] [pid 99609] request.c(117): [client xxx.xxx.xxx.xxx:56892] auth phase 'check access (with Satisfy All)' gave status 403: /my/secret/path
[Thu Feb 21 13:57:55.887611 2019] [http:trace3] [pid 99609] http_filters.c(1003): [client xxx.xxx.xxx.xxx:56892] Response sent with status 403
But there isn't anything really useful.
I want to log/write the certificate that Apache is reading and not accepting. How can I log it?

You can enable SSL debugging logs in your Application Server JVM config by adding the following JVM command line parameter and restarting the Application Server:
-Djavax.net.debug=all
Depending on your WAS version, adding the above parameter is typically done by navigating to WAS Admin Console > Servers > Application Servers > YourServer > Process Management > Java Virtual Machine > Generic JVM arguments
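The two logs in the question show the limit of what mod_ssl records for a rejected client: the access log prints "-" for %{SSL_CLIENT_CERT}x once the renegotiation fails, and the error log splits the useful facts over two lines, the AH02261 failure (which carries the client address) and the "SSL Library Error" line (which carries the alert number but no client). The OpenSSL reason "SSL3_READ_BYTES:sslv3 alert bad certificate" means alert 42 was received from the peer, which is why the answer above looks at the client-side JVM trace. As an added example that is not part of the question or the answer, the Python script below joins those two error-log lines by worker pid and time so the rejected clients and their alert numbers can be listed. The log lines inside it are constructed to mirror the question's format, using documentation IP addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache 2.4 error-log layout (as in the question): [timestamp] [module:level] [pid N(:tid M)]
# optional "file.c(line):" source tag, optional [client IP:port], then the message.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\]"
    r"(?: (?P<src>[\w.]+\(\d+\)):)?"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)
ALERT_RE = re.compile(r"\(SSL alert number (?P<num>\d+)\)")


def parse_line(line):
    """Split one error-log line into fields; None if it is not in the expected layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S.%f %Y")
    return rec


def find_client_cert_failures(lines, window_ms=500):
    """Pair each failed client-certificate handshake with the 'SSL Library Error' line
    that mod_ssl logs right after it. That second line carries the TLS alert number but
    no [client] field, so it is matched to the most recent failure logged by the same
    worker pid, provided it was logged within window_ms."""
    pending = {}      # pid -> failure record still waiting for its library-error line
    failures = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["module"] != "ssl":
            continue
        msg = rec["msg"]
        if "AH02261" in msg or "failed in SSLv3 read client certificate" in msg:
            pending[rec["pid"]] = {"ts": rec["ts"], "client": rec["client"],
                                   "alert": None, "reason": None}
        elif msg.startswith("SSL Library Error") and rec["pid"] in pending:
            fail = pending[rec["pid"]]
            if (rec["ts"] - fail["ts"]).total_seconds() * 1000 <= window_ms:
                m = ALERT_RE.search(msg)
                fail["alert"] = int(m.group("num")) if m else None
                # mod_ssl appends its own hint after " -- "; keep it as the reason text
                fail["reason"] = msg.split(" -- ", 1)[1] if " -- " in msg else msg
                failures.append(pending.pop(rec["pid"]))
    return failures


def failures_by_client(failures):
    """Count rejected client-certificate handshakes per client address (port stripped)."""
    counts = defaultdict(int)
    for f in failures:
        host = f["client"].rsplit(":", 1)[0] if f["client"] else "unknown"
        counts[host] += 1
    return dict(counts)


# Constructed sample modelled on the question's log: one client whose renegotiation
# fails with alert 42, and a second client whose renegotiation completes normally.
SAMPLE_LOG = """\
[Thu Feb 21 13:57:55.288418 2019] [ssl:debug] [pid 99609] ssl_engine_kernel.c(359): [client 203.0.113.7:56892] AH02034: Initial (No.1) HTTPS request received for child 5 (server api.example.net:443)
[Thu Feb 21 13:57:55.557866 2019] [ssl:info] [pid 99609] [client 203.0.113.7:56892] AH02221: Requesting connection re-negotiation
[Thu Feb 21 13:57:55.887495 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(2001): [client 203.0.113.7:56892] OpenSSL: Read: SSLv3 read client certificate A
[Thu Feb 21 13:57:55.887530 2019] [ssl:trace3] [pid 99609] ssl_engine_kernel.c(2020): [client 203.0.113.7:56892] OpenSSL: Exit: failed in SSLv3 read client certificate A
[Thu Feb 21 13:57:55.887538 2019] [ssl:error] [pid 99609] [client 203.0.113.7:56892] AH02261: Re-negotiation handshake failed
[Thu Feb 21 13:57:55.887567 2019] [ssl:error] [pid 99609] SSL Library Error: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (SSL alert number 42) -- Subject CN in certificate not server name or identical to CA!?
[Thu Feb 21 13:57:55.887578 2019] [core:trace3] [pid 99609] request.c(117): [client 203.0.113.7:56892] auth phase 'check access (with Satisfy All)' gave status 403: /my/secret/path
[Thu Feb 21 13:58:02.101000 2019] [ssl:info] [pid 99610] [client 198.51.100.20:41022] AH02221: Requesting connection re-negotiation
[Thu Feb 21 13:58:02.350000 2019] [ssl:debug] [pid 99610] ssl_engine_kernel.c(2235): [client 198.51.100.20:41022] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

if __name__ == "__main__":
    found = find_client_cert_failures(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['ts']:%H:%M:%S} client={f['client']} alert={f['alert']} reason={f['reason']}")
    print(failures_by_client(found))
```

Run it against the real ssl_engine.log (`find_client_cert_failures(open(path).readlines())`) to get one record per rejected handshake. Per-client counts are a reasonable thing to alert on: a single SOAP client that fails every time is a misconfiguration, while many addresses failing with unexpected alert numbers deserves a closer look.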

Related

Sending SSL client certificate from Apache via a company proxy to a thirdparty system

I am trying to set up the following:
User ---https---> Apache ---http---> Company Proxy ---https---> Third party webserver (nginx)
The Apache must send an SSL client certificate for authentication by the webserver.
I am using Apache 2.4.41 / OpenSSL 1.1.1d.
If I test the setup with curl, sending the SSL client cert to the webserver via the company proxy (i.e. bypassing Apache), it works perfectly. However, if I use curl to connect to Apache, it fails.
I have configured the following as an Apache VHost (relevant parts only):
===
ServerName test1.company.com:5140
SSLEngine on
KeepAlive on
SSLProxyEngine On
SSLProxyCheckPeerCN off
SSLProxyVerify none
SSLProxyCheckPeerName off
SSLProxyCACertificateFile conf/ssl/ca-bundle-proxy.crt
# client certificate (contains unencrypted concatenated private key and server certificate)
SSLProxyMachineCertificateFile ssl.client
ProxyRemote "*" "http://proxy.company.de:8080"
ProxyTimeout 30
Timeout 30
# explicitly required
ProxyPreserveHost Off
<Location /mycontext>
ProxyPass https://www.thirdparty.com:443/mycontext
ProxyPassReverse https://www.thirdparty.com:443/mycontext
</Location>
In the logfile I get (extract):
[Mon Mar 23 14:18:26.150538 2020] [ssl:trace4] [pid 116307:tid 140486627026688] ssl_engine_io.c(2212): [remote proxy.company.com:8080] OpenSSL: read 5/5 bytes from BIO#7fc57000ddb0 [mem: 7fc57002f863] (BIO dump follows)
[Mon Mar 23 14:18:26.150558 2020] [ssl:trace4] [pid 116307:tid 140486627026688] ssl_engine_io.c(2212): [remote proxy.company.com:8080] OpenSSL: read 117/204 bytes from BIO#7fc57000ddb0 [mem: 7fc57002f868] (BIO dump follows)
[Mon Mar 23 14:18:26.165597 2020] [ssl:trace4] [pid 116307:tid 140486627026688] ssl_engine_io.c(2212): [remote proxy.company.com:8080] OpenSSL: read 87/87 bytes from BIO#7fc57000ddb0 [mem: 7fc57002f8dd] (BIO dump follows)
[Mon Mar 23 14:18:26.165643 2020] [ssl:trace3] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2192): [remote proxy.company.com:8080] OpenSSL: Loop: SSLv3/TLS read server key exchange
[Mon Mar 23 14:18:26.165687 2020] [ssl:debug] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(1943): AH02267: Proxy client certificate callback: (test1.company.com:5140) entered
[Mon Mar 23 14:18:26.165691 2020] [ssl:debug] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2013): AH02269: Proxy client certificate callback: (test1.company.com:5140) no client certificate found!?
[Mon Mar 23 14:18:26.165708 2020] [ssl:trace3] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2192): [remote proxy.company.com:8080] OpenSSL: Loop: SSLv3/TLS read server certificate request
[Mon Mar 23 14:18:26.165712 2020] [ssl:trace3] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2192): [remote proxy.company.com:8080] OpenSSL: Loop: SSLv3/TLS read server done
[Mon Mar 23 14:18:26.165722 2020] [ssl:trace3] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2192): [remote proxy.company.com:8080] OpenSSL: Loop: SSLv3/TLS write client certificate
[Mon Mar 23 14:18:26.165881 2020] [ssl:trace3] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2192): [remote proxy.company.com:8080] OpenSSL: Loop: SSLv3/TLS write client key exchange
[Mon Mar 23 14:18:26.165910 2020] [ssl:trace3] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2192): [remote proxy.company.com:8080] OpenSSL: Loop: SSLv3/TLS write change cipher spec
[Mon Mar 23 14:18:26.165947 2020] [ssl:trace4] [pid 116307:tid 140486627026688] ssl_engine_io.c(2212): [remote proxy.company.com:8080] OpenSSL: write 138/138 bytes to BIO#7fc57000e190 [mem: 7fc57002a5a0] (BIO dump follows)
[Mon Mar 23 14:18:26.235214 2020] [ssl:trace3] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2192): [remote proxy.company.com:8080] OpenSSL: Loop: SSLv3/TLS read change cipher spec
[Mon Mar 23 14:18:26.235242 2020] [ssl:trace3] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2192): [remote proxy.company.com:8080] OpenSSL: Loop: SSLv3/TLS read finished
[Mon Mar 23 14:18:26.235254 2020] [ssl:trace3] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2187): [remote proxy.company.com:8080] OpenSSL: Handshake: done
[Mon Mar 23 14:18:26.235265 2020] [ssl:debug] [pid 116307:tid 140486627026688] ssl_engine_kernel.c(2236): [remote proxy.company.com:8080] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
The output of curl via Apache:
< HTTP/1.1 400 Bad Request
< Date: Mon, 23 Mar 2020 13:18:26 GMT
< Server: nginx
< Content-Type: text/html
< Content-Length: 246
< Connection: close
<
<html>
<head><title>400 No required SSL certificate was sent</title></head>
Questions:
Why does it say "no client certificate found!?" and "write client certificate"? It's a little bit confusing.
As far as I know, the exchange of the SSL client certificate is done in the SSL handshake. How can the handshake be completed if there is an error with sending the client cert?
Does anybody have an idea what needs to be changed in the Apache configuration to get this working?
Any help is greatly appreciated.
Thanks
Christian
Why does it say "no client certificate found!?" and "write client certificate"? It's a little bit confusing.
If the server requested a client certificate the client will send the requested Certificate record. But this might contain nothing (i.e. 0 certificates).
As far as I know, the exchange of the SSL client certificate is done in the SSL handshake. How can the handshake be completed if there is an error with sending the client cert?
A client certificate can be mandatory or optional. The client cannot see whether it is mandatory or not, only that a certificate is requested. The server or application might decide to check whether the certificate is the expected one after the handshake itself is completed. Only if the handshake is completed can the client send an HTTP request and get an HTTP response with the comparatively nice error message. Otherwise the client would just get a strange handshake error.
Does anybody have an idea what needs to be changed in the Apache configuration to get this working?
The config you present actually looks good, but the problem might be in the details. For example, the certificate file might be wrong, so that a certificate and key cannot actually be found inside. Hard to tell without having a look at these kinds of details. Or the certificate does not match the list of CAs the server presented as possible issuers for the client certificate.
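To check the first of those details without guessing, here is an added Python script (not from the question or the answer). It parses the PEM file named by SSLProxyMachineCertificateFile and reports whether it contains a CERTIFICATE block and an unencrypted private key block, which is what the question's comment on that directive says the file must hold; AH02269 "no client certificate found" is what mod_ssl logs when it has nothing usable for the server name. The file contents built inside the script are constructed placeholders, not real key or certificate material.

```python
import base64
import binascii
import re

# One PEM block: label, optional header lines (legacy encrypted keys carry Proc-Type /
# DEK-Info headers), base64 body. The END label must repeat the BEGIN label.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)
PLAIN_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def parse_pem_blocks(text):
    """Return one dict per PEM block: label, header lines, decoded length, base64 validity."""
    blocks = []
    for m in PEM_BLOCK_RE.finditer(text):
        lines = m.group("body").splitlines()
        headers = [l for l in lines if ":" in l]
        b64 = "".join(l.strip() for l in lines if ":" not in l)
        try:
            der = base64.b64decode(b64, validate=True)
            valid = len(der) > 0
        except (binascii.Error, ValueError):
            der, valid = b"", False
        blocks.append({"label": m.group("label"), "headers": headers,
                       "der_len": len(der), "valid": valid})
    return blocks


def check_machine_cert_file(text):
    """List the structural problems that would leave mod_ssl without a usable
    certificate+key pair in a file used for SSLProxyMachineCertificateFile."""
    blocks = parse_pem_blocks(text)
    if not blocks:
        return ["no PEM blocks at all (wrong file, DER/PKCS#12 instead of PEM?)"]
    problems = []
    labels = [b["label"] for b in blocks if b["valid"]]
    for b in blocks:
        if not b["valid"]:
            problems.append(f"{b['label']} block has corrupt base64")
        if any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in b["headers"]):
            problems.append(f"legacy {b['label']} is passphrase-protected (Proc-Type: 4,ENCRYPTED)")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if not PLAIN_KEY_LABELS & set(labels):
        problems.append("no unencrypted private key block")
    if "ENCRYPTED PRIVATE KEY" in labels:
        problems.append("PKCS#8 key is encrypted; SSLProxyMachineCertificateFile needs an unencrypted key")
    return problems


def _fake_block(label, payload, headers=()):
    """Build a syntactically valid PEM block around constructed bytes (NOT a real key/cert)."""
    body = base64.b64encode(payload).decode()
    hdr = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{hdr}{body}\n-----END {label}-----\n"


# Constructed sample files: what a correct ssl.client looks like structurally, a file that
# only holds the key, and a key that was left passphrase-protected.
GOOD_FILE = (_fake_block("RSA PRIVATE KEY", b"constructed key bytes")
             + _fake_block("CERTIFICATE", b"constructed certificate bytes"))
KEY_ONLY = _fake_block("RSA PRIVATE KEY", b"constructed key bytes")
ENCRYPTED_KEY = (_fake_block("RSA PRIVATE KEY", b"constructed key bytes",
                             headers=("Proc-Type: 4,ENCRYPTED",
                                      "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF"))
                 + _fake_block("CERTIFICATE", b"constructed certificate bytes"))

if __name__ == "__main__":
    for name, content in (("good", GOOD_FILE), ("key-only", KEY_ONLY), ("encrypted", ENCRYPTED_KEY)):
        print(name, "->", check_machine_cert_file(content) or "ok")
```

This only checks the file's structure. To confirm that the key really belongs to the certificate, compare the output of `openssl x509 -noout -modulus -in ssl.client` with `openssl rsa -noout -modulus -in ssl.client` (or `openssl ec` for an EC key); and to see which issuers the third-party server will accept, look at the "Acceptable client certificate CA names" section that `openssl s_client -connect www.thirdparty.com:443` prints after the server's CertificateRequest.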

CGI scripts no more available after fixing a https://www redirection

Following the post, I set up the https://www to https://no-www redirection.
I have finally managed to generate a wildcard certificate for *.website.com, which together with rewrite rules lets me redirect https://www.website.com to https://website.com.
Now I am faced with another issue: my CGI scripts in the cgi-bin directory are not working anymore, for example: https://website.com/cgi-bin/awstats.pl
I am using the following rewrite rules to get https://www.website.com to https://website.com (using the Zope framework behind Apache):
<VirtualHost *:443>
# Name
ServerAdmin admin#website.com
ServerName website.com
ServerAlias www.website.com
# LOG
CustomLog /var/log/apache2/access.log combined
# ACTIVATE SSL
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/website.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/website.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/website.com/chain.pem
# REWRITE
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/cgi-bin/awstats [NC]
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
RewriteRule ^/(.*) https://localhost:8443/++vh++https:%{SERVER_NAME}:443/++/$1 [P,L]
SSLProxyEngine On
RequestHeader set Front-End-Https "On"
#CacheDisable *
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
Alias /awstatsclasses "/usr/share/awstats/lib/"
Alias /awstats-icon "/usr/share/awstats/icon/"
Alias /awstatscss "/usr/share/doc/awstats/examples/css"
<Directory "/usr/lib/cgi-bin/">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
SSLRequireSSL
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerAdmin admin#website.com
ServerName website.com
ServerAlias www.website.com
RewriteCond %{REQUEST_URI} ^/www\. [NC,OR]
RewriteCond %{REQUEST_URI} !^/podcast [NC]
# Rewrite below works : redirect 80 => https
RewriteRule ^/(.*) https://website.com/$1 [R=301,L]
# For Zope
RewriteRule ^/(.*) http://localhost:9674/++vh++http:%{SERVER_NAME}:80/++/$1 [P,L]
</IfModule>
</VirtualHost>
It's pretty tricky, but the result is that if I type https://website.com/cgi-bin/awstats.pl, I get the equivalent of an Apache2 404 error, but coming from Zope.
How can I make my CGI scripts work again?
It's frustrating after the previous post: I have fixed the redirection from https://www.website.com to https://website.com, but now it is the CGI scripts that are no longer accessible.
Before the modifications for the https://www to https://no-www redirection, the scripts were available. I don't understand where this could come from.
Update 1
Output of Apache2:
[Sun Mar 01 10:49:33.445944 2020] [ssl:debug] [pid 9866] ssl_engine_kernel.c(383): [client 91.171.129.151:7825] AH02034: Subsequent (No.7) HTTPS request received for child 7 (server website.com:443), referer: https://website.com/style/style2.css
[Sun Mar 01 10:49:33.445986 2020] [authz_core:debug] [pid 9866] mod_authz_core.c(846): [client 91.171.129.151:7825] AH01628: authorization result: granted (no directives), referer: https://website.com/style/style2.css
[Sun Mar 01 10:49:33.446022 2020] [proxy:debug] [pid 9866] mod_proxy.c(1249): [client 91.171.129.151:7825] AH01143: Running scheme https handler (attempt 0), referer: https://website.com/style/style2.css
[Sun Mar 01 10:49:33.446032 2020] [proxy:debug] [pid 9866] proxy_util.c(2316): AH00942: HTTPS: has acquired connection for (*)
[Sun Mar 01 10:49:33.446041 2020] [proxy:debug] [pid 9866] proxy_util.c(2369): [client 91.171.129.151:7825] AH00944: connecting https://localhost:8443/++vh++https:website.com:443/++/images/up-arrow.png to localhost:8443, referer: https://website.com/style/style2.css
[Sun Mar 01 10:49:33.446204 2020] [proxy:debug] [pid 9866] proxy_util.c(2578): [client 91.171.129.151:7825] AH00947: connected /++vh++https:website.com:443/++/images/up-arrow.png to localhost:8443, referer: https://website.com/style/style2.css
[Sun Mar 01 10:49:33.446288 2020] [proxy:debug] [pid 9866] proxy_util.c(3047): AH02824: HTTPS: connection established with 127.0.0.1:8443 (*)
[Sun Mar 01 10:49:33.446307 2020] [proxy:debug] [pid 9866] proxy_util.c(3215): AH00962: HTTPS: connection complete to 127.0.0.1:8443 (localhost)
[Sun Mar 01 10:49:33.446320 2020] [ssl:info] [pid 9866] [remote 127.0.0.1:8443] AH01964: Connection to child 0 established (server website.com:443)
[Sun Mar 01 10:49:33.454637 2020] [proxy:debug] [pid 9865] proxy_util.c(2331): AH00943: *: has released connection for (*)
[Sun Mar 01 10:49:33.454721 2020] [ssl:debug] [pid 9865] ssl_engine_io.c(1106): [remote 127.0.0.1:8443] AH02001: Connection closed to child 0 with standard shutdown (server website.com:443)
[Sun Mar 01 10:49:33.454772 2020] [proxy:debug] [pid 9865] proxy_util.c(3154): [remote 127.0.0.1:8443] AH02642: proxy: connection shutdown
[Sun Mar 01 10:49:33.459030 2020] [proxy:debug] [pid 9851] proxy_util.c(2331): AH00943: *: has released connection for (*)
[Sun Mar 01 10:49:33.459109 2020] [ssl:debug] [pid 9851] ssl_engine_io.c(1106): [remote 127.0.0.1:8443] AH02001: Connection closed to child 0 with standard shutdown (server website.com:443)
[Sun Mar 01 10:49:33.459144 2020] [ssl:debug] [pid 9866] ssl_engine_kernel.c(1740): [remote 127.0.0.1:8443] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=website.com / issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US / serial: 033E19116893A728CDC809BA511D98069F7E / notbefore: Jun 29 23:22:00 2017 GMT / notafter: Sep 27 23:22:00 2017 GMT]
[Sun Mar 01 10:49:33.459161 2020] [proxy:debug] [pid 9851] proxy_util.c(3154): [remote 127.0.0.1:8443] AH02642: proxy: connection shutdown
[Sun Mar 01 10:49:33.459193 2020] [ssl:debug] [pid 9866] ssl_engine_kernel.c(1740): [remote 127.0.0.1:8443] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=website.com / issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US / serial: 033E19116893A728CDC809BA511D98069F7E / notbefore: Jun 29 23:22:00 2017 GMT / notafter: Sep 27 23:22:00 2017 GMT]
[Sun Mar 01 10:49:33.463339 2020] [ssl:debug] [pid 9866] ssl_engine_kernel.c(2235): [remote 127.0.0.1:8443] AH02041: Protocol: TLSv1, Cipher: AES256-SHA (256/256 bits)
[Sun Mar 01 10:49:33.463411 2020] [proxy:debug] [pid 9853] proxy_util.c(2331): AH00943: *: has released connection for (*)
[Sun Mar 01 10:49:33.463486 2020] [ssl:debug] [pid 9853] ssl_engine_io.c(1106): [remote 127.0.0.1:8443] AH02001: Connection closed to child 0 with standard shutdown (server website.com:443)
[Sun Mar 01 10:49:33.463534 2020] [proxy:debug] [pid 9853] proxy_util.c(3154): [remote 127.0.0.1:8443] AH02642: proxy: connection shutdown
[Sun Mar 01 10:49:33.471527 2020] [proxy:debug] [pid 9866] proxy_util.c(2331): AH00943: *: has released connection for (*)
[Sun Mar 01 10:49:33.471590 2020] [ssl:debug] [pid 9866] ssl_engine_io.c(1106): [remote 127.0.0.1:8443] AH02001: Connection closed to child 0 with standard shutdown (server website.com:443)
[Sun Mar 01 10:49:33.471627 2020] [proxy:debug] [pid 9866] proxy_util.c(3154): [remote 127.0.0.1:8443] AH02642: proxy: connection shutdown
[Sun Mar 01 10:49:33.511179 2020] [ssl:debug] [pid 9853] ssl_engine_kernel.c(383): [client 91.171.129.151:7821] AH02034: Subsequent (No.8) HTTPS request received for child 4 (server website.com:443)
[Sun Mar 01 10:49:33.511249 2020] [authz_core:debug] [pid 9853] mod_authz_core.c(846): [client 91.171.129.151:7821] AH01628: authorization result: granted (no directives)
[Sun Mar 01 10:49:33.511303 2020] [proxy:debug] [pid 9853] mod_proxy.c(1249): [client 91.171.129.151:7821] AH01143: Running scheme https handler (attempt 0)
[Sun Mar 01 10:49:33.511332 2020] [proxy:debug] [pid 9853] proxy_util.c(2316): AH00942: HTTPS: has acquired connection for (*)
[Sun Mar 01 10:49:33.511343 2020] [proxy:debug] [pid 9853] proxy_util.c(2369): [client 91.171.129.151:7821] AH00944: connecting https://localhost:8443/++vh++https:website.com:443/++/favicon.ico to localhost:8443
[Sun Mar 01 10:49:33.511551 2020] [proxy:debug] [pid 9853] proxy_util.c(2578): [client 91.171.129.151:7821] AH00947: connected /++vh++https:website.com:443/++/favicon.ico to localhost:8443
[Sun Mar 01 10:49:33.511670 2020] [proxy:debug] [pid 9853] proxy_util.c(3047): AH02824: HTTPS: connection established with 127.0.0.1:8443 (*)
[Sun Mar 01 10:49:33.511696 2020] [proxy:debug] [pid 9853] proxy_util.c(3215): AH00962: HTTPS: connection complete to 127.0.0.1:8443 (localhost)
[Sun Mar 01 10:49:33.511713 2020] [ssl:info] [pid 9853] [remote 127.0.0.1:8443] AH01964: Connection to child 0 established (server website.com:443)
[Sun Mar 01 10:49:33.512494 2020] [ssl:debug] [pid 9853] ssl_engine_kernel.c(1740): [remote 127.0.0.1:8443] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=website.com / issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US / serial: 033E19116893A728CDC809BA511D98069F7E / notbefore: Jun 29 23:22:00 2017 GMT / notafter: Sep 27 23:22:00 2017 GMT]
[Sun Mar 01 10:49:33.512541 2020] [ssl:debug] [pid 9853] ssl_engine_kernel.c(1740): [remote 127.0.0.1:8443] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=website.com / issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US / serial: 033E19116893A728CDC809BA511D98069F7E / notbefore: Jun 29 23:22:00 2017 GMT / notafter: Sep 27 23:22:00 2017 GMT]
[Sun Mar 01 10:49:33.517345 2020] [ssl:debug] [pid 9853] ssl_engine_kernel.c(2235): [remote 127.0.0.1:8443] AH02041: Protocol: TLSv1, Cipher: AES256-SHA (256/256 bits)
[Sun Mar 01 10:49:33.525382 2020] [proxy:debug] [pid 9853] proxy_util.c(2331): AH00943: *: has released connection for (*)
[Sun Mar 01 10:49:33.525443 2020] [ssl:debug] [pid 9853] ssl_engine_io.c(1106): [remote 127.0.0.1:8443] AH02001: Connection closed to child 0 with standard shutdown (server website.com:443)
[Sun Mar 01 10:49:33.525476 2020] [proxy:debug] [pid 9853] proxy_util.c(3154): [remote 127.0.0.1:8443] AH02642: proxy: connection shutdown
[Sun Mar 01 10:49:34.109743 2020] [watchdog:debug] [pid 9869] mod_watchdog.c(567): AH02980: Watchdog: nothing configured?
[Sun Mar 01 10:49:34.109885 2020] [proxy:debug] [pid 9869] proxy_util.c(1924): AH00925: initializing worker proxy:reverse shared
[Sun Mar 01 10:49:34.109901 2020] [proxy:debug] [pid 9869] proxy_util.c(1981): AH00927: initializing worker proxy:reverse local
[Sun Mar 01 10:49:34.109955 2020] [proxy:debug] [pid 9869] proxy_util.c(2032): AH00931: initialized single connection worker in child 9869 for (*)
[Sun Mar 01 10:49:34.110492 2020] [watchdog:debug] [pid 9870] mod_watchdog.c(567): AH02980: Watchdog: nothing configured?
[Sun Mar 01 10:49:34.110610 2020] [proxy:debug] [pid 9870] proxy_util.c(1924): AH00925: initializing worker proxy:reverse shared
[Sun Mar 01 10:49:34.110625 2020] [proxy:debug] [pid 9870] proxy_util.c(1981): AH00927: initializing worker proxy:reverse local
[Sun Mar 01 10:49:34.110674 2020] [proxy:debug] [pid 9870] proxy_util.c(2032): AH00931: initialized single connection worker in child 9870 for (*)
[Sun Mar 01 10:49:48.437276 2020] [ssl:debug] [pid 9864] ssl_engine_io.c(1106): [client 91.171.129.151:7823] AH02001: Connection closed to child 5 with standard shutdown (server website.com:443)
[Sun Mar 01 10:49:48.438985 2020] [ssl:debug] [pid 9849] ssl_engine_io.c(1106): [client 91.171.129.151:7822] AH02001: Connection closed to child 0 with standard shutdown (server website.com:443)
[Sun Mar 01 10:49:48.467248 2020] [ssl:debug] [pid 9865] ssl_engine_io.c(1106): [client 91.171.129.151:7824] AH02001: Connection closed to child 6 with standard shutdown (server website.com:443)
[Sun Mar 01 10:49:48.470814 2020] [ssl:debug] [pid 9851] ssl_engine_io.c(1106): [client 91.171.129.151:7820] AH02001: Connection closed to child 2 with standard shutdown (server website.com:443)
[Sun Mar 01 10:49:48.478015 2020] [ssl:debug] [pid 9866] ssl_engine_io.c(1106): [client 91.171.129.151:7825] AH02001: Connection closed to child 7 with standard shutdown (server website.com:443)
[Sun Mar 01 10:49:48.539212 2020] [ssl:debug] [pid 9853] ssl_engine_io.c(1106): [client 91.171.129.151:7821] AH02001: Connection closed to child 4 with standard shutdown (server website.com:443)
[Sun Mar 01 10:49:56.282123 2020] [ssl:info] [pid 9852] [client 127.0.0.1:49482] AH01964: Connection to child 3 established (server website.com:443)
[Sun Mar 01 10:49:56.282356 2020] [ssl:debug] [pid 9852] ssl_engine_kernel.c(2319): [client 127.0.0.1:49482] AH02043: SSL virtual host for servername website.com found
[Sun Mar 01 10:49:56.282407 2020] [ssl:debug] [pid 9852] ssl_engine_kernel.c(2319): [client 127.0.0.1:49482] AH02043: SSL virtual host for servername website.com found
[Sun Mar 01 10:49:56.282418 2020] [core:debug] [pid 9852] protocol.c(2314): [client 127.0.0.1:49482] AH03155: select protocol from , choices=h2,http/1.1 for server website.com
[Sun Mar 01 10:49:56.296616 2020] [ssl:debug] [pid 9852] ssl_engine_kernel.c(2235): [client 127.0.0.1:49482] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Sun Mar 01 10:49:56.296936 2020] [ssl:debug] [pid 9852] ssl_engine_kernel.c(383): [client 127.0.0.1:49482] AH02034: Initial (No.1) HTTPS request received for child 3 (server website.com:443)
[Sun Mar 01 10:49:56.297023 2020] [authz_core:debug] [pid 9852] mod_authz_core.c(846): [client 127.0.0.1:49482] AH01628: authorization result: granted (no directives)
[Sun Mar 01 10:49:56.297087 2020] [proxy:debug] [pid 9852] mod_proxy.c(1249): [client 127.0.0.1:49482] AH01143: Running scheme https handler (attempt 0)
[Sun Mar 01 10:49:56.297101 2020] [proxy:debug] [pid 9852] proxy_util.c(2316): AH00942: HTTPS: has acquired connection for (*)
[Sun Mar 01 10:49:56.297113 2020] [proxy:debug] [pid 9852] proxy_util.c(2369): [client 127.0.0.1:49482] AH00944: connecting https://localhost:8443/++vh++https:website.com:443/++/index.html to localhost:8443
[Sun Mar 01 10:49:56.297467 2020] [proxy:debug] [pid 9852] proxy_util.c(2578): [client 127.0.0.1:49482] AH00947: connected /++vh++https:website.com:443/++/index.html to localhost:8443
[Sun Mar 01 10:49:56.297696 2020] [proxy:debug] [pid 9852] proxy_util.c(3047): AH02824: HTTPS: connection established with 127.0.0.1:8443 (*)
[Sun Mar 01 10:49:56.297722 2020] [proxy:debug] [pid 9852] proxy_util.c(3215): AH00962: HTTPS: connection complete to 127.0.0.1:8443 (localhost)
[Sun Mar 01 10:49:56.297739 2020] [ssl:info] [pid 9852] [remote 127.0.0.1:8443] AH01964: Connection to child 0 established (server website.com:443)
[Sun Mar 01 10:49:56.298590 2020] [ssl:debug] [pid 9852] ssl_engine_kernel.c(1740): [remote 127.0.0.1:8443] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=website.com / issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US / serial: 033E19116893A728CDC809BA511D98069F7E / notbefore: Jun 29 23:22:00 2017 GMT / notafter: Sep 27 23:22:00 2017 GMT]
[Sun Mar 01 10:49:56.298625 2020] [ssl:debug] [pid 9852] ssl_engine_kernel.c(1740): [remote 127.0.0.1:8443] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=website.com / issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US / serial: 033E19116893A728CDC809BA511D98069F7E / notbefore: Jun 29 23:22:00 2017 GMT / notafter: Sep 27 23:22:00 2017 GMT]
[Sun Mar 01 10:49:56.303513 2020] [ssl:debug] [pid 9852] ssl_engine_kernel.c(2235): [remote 127.0.0.1:8443] AH02041: Protocol: TLSv1, Cipher: AES256-SHA (256/256 bits)
[Sun Mar 01 10:49:56.312046 2020] [proxy:debug] [pid 9852] proxy_util.c(2331): AH00943: *: has released connection for (*)
[Sun Mar 01 10:49:56.312139 2020] [ssl:debug] [pid 9852] ssl_engine_io.c(1106): [remote 127.0.0.1:8443] AH02001: Connection closed to child 0 with standard shutdown (server website.com:443)
[Sun Mar 01 10:49:56.312204 2020] [proxy:debug] [pid 9852] proxy_util.c(3154): [remote 127.0.0.1:8443] AH02642: proxy: connection shutdown
[Sun Mar 01 10:49:56.312461 2020] [ssl:debug] [pid 9852] ssl_engine_io.c(1106): [client 127.0.0.1:49482] AH02001: Connection closed to child 3 with standard shutdown (server website.com:443)
And the output of Zope:
127.0.0.1 - - [01/Mar/2020:10:49:01 +0200] "GET /++vh++https:www.website.com:443/++/cgi-bin/awstats.pl HTTP/1.1" 404 102 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0"
Update 2
Some interesting results while trying to fix my issue:
1) If I do:
<VirtualHost *:443>
...
# REWRITE
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/cgi-bin/awstats [NC]
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^/(.*) https://website.com/$1 [R=301,L]
RewriteRule ^/(.*) https://localhost:8443/++vh++https:%{SERVER_NAME}:443/++/$1 [P,L]
...
</VirtualHost>
Then the redirection from https://www to https:// is achieved, but the CGI scripts generate a Zope error.
2) If I remove the line:
`RewriteRule ^/(.*) https://website.com/$1 [R=301,L]`
i.e.:
<VirtualHost *:443>
...
# REWRITE
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/cgi-bin/awstats [NC]
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^/(.*) https://localhost:8443/++vh++https:%{SERVER_NAME}:443/++/$1 [P,L]
...
</VirtualHost>
Then the redirection from https://www to https:// is not achieved, but the CGI scripts are available by typing https://website.com/cgi-bin/awstats.pl in the browser.
How could I combine these two configurations so that I have both the redirection and the CGI scripts available at the same time?
What you're missing in your workarounds is that RewriteConds only associate with the single RewriteRule that immediately follows.
If you want to skip the redirect to zope when the CGI is requested, exclude that particular RewriteRule by preceding it with a condition:
RewriteCond %{REQUEST_URI} !^/cgi-bin/awstats
# existing rule from Question
RewriteRule ^/(.*) https://localhost:8443/++vh++https:%{SERVER_NAME}:443/++/$1 [P,L]
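As an added illustration of that scoping rule (this is not code from the question or the answer), the Python script below models just enough of mod_rewrite to evaluate the question's variant 1) and the answer's corrected version against two requests: a CGI request on the bare host and a normal page request on the www host. The model is deliberately simplified: server-context matching only, the NC/OR/R/P/L flags, `$N` from the rule pattern, `%N` from the last matched condition and `%{VAR}` from the request; nothing else from mod_rewrite is implemented.

```python
import re


def parse_flags(tokens):
    """'[R=301,L]' -> {'R': '301', 'L': None}; an empty token list means no flags."""
    flags = {}
    if tokens:
        for item in " ".join(tokens).strip("[]").split(","):
            name, _, value = item.strip().partition("=")
            flags[name.upper()] = value or None
    return flags


def parse_rewrite(config_text):
    """Collect RewriteCond/RewriteRule lines. Every RewriteCond attaches to the next
    RewriteRule only, which is the scoping rule the answer describes."""
    rules, pending = [], []
    for line in config_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "RewriteCond":
            pending.append((parts[1], parts[2], parse_flags(parts[3:])))
        elif parts[0] == "RewriteRule":
            rules.append({"conds": pending, "pattern": parts[1],
                          "target": parts[2], "flags": parse_flags(parts[3:])})
            pending = []          # the conditions are consumed by this rule
    return rules


def _regex(pattern, flags):
    negate = pattern.startswith("!")
    return negate, re.compile(pattern.lstrip("!"), re.I if "NC" in flags else 0)


def conds_match(conds, request):
    """AND the conditions, honouring [OR] between neighbours; return (ok, %N captures)."""
    result, group_ok, captures = True, False, {}
    for var, pattern, flags in conds:
        value = request.get(var.strip("%{}"), "")
        negate, rx = _regex(pattern, flags)
        m = rx.search(value)
        ok = (m is None) if negate else (m is not None)
        if ok and m is not None:
            captures = {f"%{i}": g for i, g in enumerate(m.groups(), 1)}
        group_ok = group_ok or ok
        if "OR" not in flags:
            result = result and group_ok
            group_ok = False
    return result, captures


def apply_rewrite(rules, request):
    """Return ('redirect'|'proxy'|'pass', url_or_path) for one request in server context."""
    uri = request["REQUEST_URI"]
    for rule in rules:
        ok, captures = conds_match(rule["conds"], request)
        if not ok:
            continue
        _, rx = _regex(rule["pattern"], rule["flags"])
        m = rx.search(uri)
        if m is None:
            continue
        target = rule["target"]
        for i, g in enumerate(m.groups(), 1):
            target = target.replace(f"${i}", g)
        for ref, val in captures.items():
            target = target.replace(ref, val)
        target = re.sub(r"%\{(\w+)\}", lambda mm: request.get(mm.group(1), ""), target)
        if "R" in rule["flags"]:
            return "redirect", target
        if "P" in rule["flags"]:
            return "proxy", target
        uri = target               # internal rewrite; continue unless [L]
        if "L" in rule["flags"]:
            break
    return "pass", uri             # no rule fired: Apache serves it (ScriptAlias, etc.)


# Variant 1) from the question's Update 2: the awstats exclusion guards only the redirect.
ORIGINAL = r"""
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/cgi-bin/awstats [NC]
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^/(.*) https://website.com/$1 [R=301,L]
RewriteRule ^/(.*) https://localhost:8443/++vh++https:%{SERVER_NAME}:443/++/$1 [P,L]
"""

# The answer's fix: repeat the exclusion in front of the proxy rule as well.
FIXED = r"""
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/cgi-bin/awstats [NC]
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^/(.*) https://website.com/$1 [R=301,L]
RewriteCond %{REQUEST_URI} !^/cgi-bin/awstats
RewriteRule ^/(.*) https://localhost:8443/++vh++https:%{SERVER_NAME}:443/++/$1 [P,L]
"""

CGI_REQUEST = {"HTTP_HOST": "website.com", "SERVER_NAME": "website.com",
               "REQUEST_URI": "/cgi-bin/awstats.pl"}
WWW_REQUEST = {"HTTP_HOST": "www.website.com", "SERVER_NAME": "website.com",
               "REQUEST_URI": "/index.html"}

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "cgi ->", apply_rewrite(parse_rewrite(cfg), CGI_REQUEST))
        print(name, "www ->", apply_rewrite(parse_rewrite(cfg), WWW_REQUEST))
```

With the original rules the CGI request skips the guarded redirect and then hits the unguarded proxy rule, so it is handed to Zope (the 404 in the Zope log); with the fix in place neither rule fires and the request falls through to ScriptAlias, while the www redirect still works.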

ISPConfig LetsEncrypt & Self Signed Certificate BROKEN CONFIG

I'm at the point where I can't solve the problem anymore... Seriously, I was so stupid: I checked the Let's Encrypt SSL option and simultaneously created a self-signed certificate. However, I think that with that I have broken the SSL config. Other domains are working with Let's Encrypt, except that one domain/website, even after recreating it. I can't find any logs other than the log printed below.
The following is the error.log of Apache2:
[Wed Jul 03 17:46:02.826733 2019] [ssl:warn] [pid 10839] AH01909: kronos.pixelcode.at:8080:0 server certificate does NOT include an ID which matches the server name
[Wed Jul 03 17:46:02.826780 2019] [ssl:error] [pid 10839] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=admin#alphaground.net,CN=alphaground.net,O=Alphaground,L=Telfs,ST=Austria,C=AT / issuer: emailAddress=admin#alphaground.net,CN=alphaground.net,O=Alphaground,L=Telfs,ST=Austria,C=AT / serial: 0A5E411BEFE1832A40230F6F9BC1B0E1F7078CF8 / notbefore: Jun 19 18:42:15 2019 GMT / notafter: Jun 16 18:42:15 2029 GMT]
[Wed Jul 03 17:46:02.826796 2019] [ssl:error] [pid 10839] AH02604: Unable to configure certificate kronos.pixelcode.at:8080:0 for stapling
[Wed Jul 03 17:46:02.826847 2019] [:error] [pid 10839] python_init: Python version mismatch, expected '2.7.6', found '2.7.16'.
[Wed Jul 03 17:46:02.826884 2019] [:error] [pid 10839] python_init: Python executable found '/usr/bin/python'.
[Wed Jul 03 17:46:02.826886 2019] [:error] [pid 10839] python_init: Python path being used '/usr/lib/python2.7:/usr/lib/python2.7/plat-x86_64-linux-gnu:/usr/lib/python2.7/lib-tk:/usr/lib/python2.7/lib-old:/usr/lib/python2.7/lib-dynload'.
[Wed Jul 03 17:46:02.826895 2019] [:notice] [pid 10839] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
[Wed Jul 03 17:46:02.826898 2019] [:notice] [pid 10839] mod_python: using mutex_directory /tmp
[Wed Jul 03 17:46:02.833564 2019] [mpm_prefork:notice] [pid 10839] AH00163: Apache/2.4.38 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/1.1.1b mod_python/3.3.1 Python/2.7.16 configured -- resuming normal operations
[Wed Jul 03 17:46:02.833582 2019] [core:notice] [pid 10839] AH00094: Command line: '/usr/sbin/apache2'
[Wed Jul 03 17:50:02.673254 2019] [mpm_prefork:notice] [pid 10839] AH00169: caught SIGTERM, shutting down
[Wed Jul 03 17:50:02.783814 2019] [ssl:warn] [pid 11384] AH01906: kronos.pixelcode.at:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Jul 03 17:50:02.783845 2019] [ssl:warn] [pid 11384] AH01909: kronos.pixelcode.at:8080:0 server certificate does NOT include an ID which matches the server name
[Wed Jul 03 17:50:02.783917 2019] [ssl:error] [pid 11384] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=admin#alphaground.net,CN=alphaground.net,O=Alphaground,L=Telfs,ST=Austria,C=AT / issuer: emailAddress=admin#alphaground.net,CN=alphaground.net,O=Alphaground,L=Telfs,ST=Austria,C=AT / serial: 0A5E411BEFE1832A40230F6F9BC1B0E1F7078CF8 / notbefore: Jun 19 18:42:15 2019 GMT / notafter: Jun 16 18:42:15 2029 GMT]
[Wed Jul 03 17:50:02.783924 2019] [ssl:error] [pid 11384] AH02604: Unable to configure certificate kronos.pixelcode.at:8080:0 for stapling
[Wed Jul 03 17:50:02.783955 2019] [suexec:notice] [pid 11384] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Wed Jul 03 17:50:02.811836 2019] [ssl:warn] [pid 11390] AH01906: kronos.pixelcode.at:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Jul 03 17:50:02.811851 2019] [ssl:warn] [pid 11390] AH01909: kronos.pixelcode.at:8080:0 server certificate does NOT include an ID which matches the server name
[Wed Jul 03 17:50:02.811904 2019] [ssl:error] [pid 11390] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=admin#alphaground.net,CN=alphaground.net,O=Alphaground,L=Telfs,ST=Austria,C=AT / issuer: emailAddress=admin#alphaground.net,CN=alphaground.net,O=Alphaground,L=Telfs,ST=Austria,C=AT / serial: 0A5E411BEFE1832A40230F6F9BC1B0E1F7078CF8 / notbefore: Jun 19 18:42:15 2019 GMT / notafter: Jun 16 18:42:15 2029 GMT]
[Wed Jul 03 17:50:02.811909 2019] [ssl:error] [pid 11390] AH02604: Unable to configure certificate kronos.pixelcode.at:8080:0 for stapling
[Wed Jul 03 17:50:02.811980 2019] [:error] [pid 11390] python_init: Python version mismatch, expected '2.7.6', found '2.7.16'.
[Wed Jul 03 17:50:02.812037 2019] [:error] [pid 11390] python_init: Python executable found '/usr/bin/python'.
[Wed Jul 03 17:50:02.812046 2019] [:error] [pid 11390] python_init: Python path being used '/usr/lib/python2.7:/usr/lib/python2.7/plat-x86_64-linux-gnu:/usr/lib/python2.7/lib-tk:/usr/lib/python2.7/lib-old:/usr/lib/python2.7/lib-dynload'.
[Wed Jul 03 17:50:02.812095 2019] [:notice] [pid 11390] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
[Wed Jul 03 17:50:02.812099 2019] [:notice] [pid 11390] mod_python: using mutex_directory /tmp
[Wed Jul 03 17:50:02.819199 2019] [mpm_prefork:notice] [pid 11390] AH00163: Apache/2.4.38 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/1.1.1b mod_python/3.3.1 Python/2.7.16 configured -- resuming normal operations
[Wed Jul 03 17:50:02.819215 2019] [core:notice] [pid 11390] AH00094: Command line: '/usr/sbin/apache2'
That's what my error.log is trying to tell me, but it already worked with other domains. I think there has to be a config where it tries to get the old certificate or whatever. Let's Encrypt shows me no error, and the server.sh from ISPConfig shows no error either.
I recreated the website/domain in ISPConfig, but I still get the same error. Other domains work with no error at all. I'm really, really sure the problem was checking Let's Encrypt and creating a certificate at the same time.
I read through the config in the .vhost, but there is nothing in the SSL section...
Problem solved. If you are stuck or get the same error, also check your IPv6 settings in DNS. I had two numbers flipped, so IPv4 was correct but IPv6 was not, and I got no error about it.
After reinstalling the server, I ended up with the same problem, so I struggled through the DNS settings. And et voilà, with the AAAA IPv6 record correct, the cert was generated perfectly.
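As an added example (not part of this post or of ISPConfig), an offline check for the three things the log above complains about: a certificate whose names do not cover the vhost's server name (AH01909), a self-signed certificate that has no issuer to staple for (AH02217), and A/AAAA records that do not point at the server. The certificate dict and the addresses are constructed to mirror the log; the resolver can be swapped for the system one, and live_audit does a real verified connection.

```python
import ipaddress
import socket
import ssl
import time

# Constructed sample in ssl.getpeercert() form: subject, issuer and validity dates
# taken from the AH02217 log line; the vhost serves it under kronos.pixelcode.at.
_RDN = ((("countryName", "AT"),), (("stateOrProvinceName", "Austria"),),
        (("localityName", "Telfs"),), (("organizationName", "Alphaground"),),
        (("commonName", "alphaground.net"),))
SAMPLE_CERT = {"subject": _RDN, "issuer": _RDN,          # issuer == subject: self-signed
               "notBefore": "Jun 19 18:42:15 2019 GMT",
               "notAfter": "Jun 16 18:42:15 2029 GMT"}   # and no subjectAltName at all

def _flatten(rdns):
    return {key: value for rdn in rdns for key, value in rdn}

def dns_name_matches(pattern, host):
    """RFC 6125 style: case-insensitive; a wildcard may only be the entire left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    pl, hl = p.split("."), h.split(".")
    return len(pl) == len(hl) >= 3 and pl[1:] == hl[1:]

def cert_names(cert):
    """Names a client may accept: SAN dNSNames, or the CN only when there is no SAN."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = _flatten(cert.get("subject", ())).get("commonName")
    return san or ([cn] if cn else [])

def identity_problems(cert, server_name, now=None):
    """Findings that correspond to what mod_ssl warns about when the vhost starts."""
    now = time.time() if now is None else now
    findings, names = [], cert_names(cert)
    if not any(dns_name_matches(n, server_name) for n in names):
        findings.append(f"AH01909: no certificate name matches {server_name} (cert has {names})")
    if _flatten(cert["subject"]) == _flatten(cert["issuer"]):
        findings.append("self-signed (issuer == subject): no trusted chain, no issuer to staple for (AH02217)")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append(f"expired on {cert['notAfter']}")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        findings.append(f"not valid before {cert['notBefore']}")
    return findings

def system_resolver(host, rtype):
    """Set of address strings for rtype 'A' or 'AAAA', from the system resolver."""
    family = socket.AF_INET if rtype == "A" else socket.AF_INET6
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None, family)}
    except socket.gaierror:
        return set()

def dns_problems(host, expected, resolver=system_resolver):
    """Compare A/AAAA answers with the addresses the server really has. expected = {"A": {...},
    "AAAA": {...}}; addresses are normalised so only genuine differences (swapped digits) show."""
    findings = []
    for rtype in ("A", "AAAA"):
        want = {ipaddress.ip_address(a).compressed for a in expected.get(rtype, ())}
        got = {ipaddress.ip_address(a).compressed for a in resolver(host, rtype)}
        if got != want:
            findings.append(f"{rtype} {host}: DNS answers {sorted(got)}, server has {sorted(want)}")
    return findings

def live_audit(host, port=443):
    """Validated TLS connect; returns identity findings, or why the chain was rejected."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return identity_problems(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        return [f"chain verification failed: {exc.verify_message}"]
```

Run identity_problems(SAMPLE_CERT, "kronos.pixelcode.at") to reproduce the two startup warnings offline; dns_problems("kronos.pixelcode.at", {"A": {...}, "AAAA": {...}}) with the server's real addresses catches the flipped AAAA digits the post describes.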

Apache Kerberos not Authenticating from Windows Client

With a number of great websites for reference, I set up an Apache 2.4 environment on Solaris 11 using the auth_gss_module for Kerberos authentication. The problem I have is not being able to access an authorized page using IE, Chrome, or Firefox on Windows 7 or Windows Server 2008. I have been successful accessing the secured page with curl and Python scripts and also with the Safari and Firefox browsers on OS X 10.10. I have listed output from both successful and failed attempts with Kerberos authentication. I am not sure if it might be a configuration setting within AD that needs to be changed or maybe an encryption difference. I am looking for suggestions on what to do next. Thank you.
A keytab was created for me by the AD admin, and these are the contents of the keytab:
cyoull#host0ad903.abc.def.net:/local_apps/apache4/conf/certs$ klist -k host0ad903_keytab
Keytab name: FILE:host0ad903_keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 HTTP/host0ad903.abc.def.net#ABC.DEF.NET
On OS X, this is the list of Kerberos tickets from the klist command:
Chriss-MacBook-Air:~ chris$ klist
Credentials cache: API:EF1241C7-A883-44A8-9729-969775673BCA
Principal: cyoull#ABC.DEF.NET
Issued Expires Principal
Sep 25 07:22:52 2015 Sep 25 17:22:40 2015 krbtgt/ABC.DEF.NET#ABC.DEF.NET
Chriss-MacBook-Air:~ chris$ klist
Credentials cache: API:EF1241C7-A883-44A8-9729-969775673BCA
Principal: cyoull#ABC.DEF.NET
Issued Expires Principal
Sep 25 07:22:52 2015 Sep 25 17:22:40 2015 krbtgt/ABC.DEF.NET#ABC.DEF.NET
Sep 25 07:23:06 2015 Sep 25 17:22:40 2015 HTTP/host0ad903.abc.def.net#ABC.DEF.NET
Valid starting Expires Service principal
18/09/2015 10:17 18/09/2015 20:17 krbtgt/ABC.DEF.NET#ABC.DEF.NET
renew until 25/09/2015 10:17, Etype(skey, tkt): ArcFour with HMAC/md5, AES-256 CTS mode with 96-bit SHA-1 HMAC
18/09/2015 10:17 18/09/2015 20:17 HTTP/host0ad903.abc.def.net#ABC.DEF.NET
renew until 25/09/2015 10:17, Etype(skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
This is the Apache log after successfully accessing the secured page with Kerberos authentication from Safari on OS X:
[Fri Sep 25 07:23:06.348043 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(620): [client 10.93.68.187:56071] gss_authenticate: type = GSSAPI
[Fri Sep 25 07:23:06.348054 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(632): [client 10.93.68.187:56071] No authentication data found
[Fri Sep 25 07:23:06.348063 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(592): [client 10.93.68.187:56071] note_gss_auth_failure: auth_name = <undefined>
[Fri Sep 25 07:23:06.590334 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.93.68.187:56073] gss_authenticate: type = GSSAPI
[Fri Sep 25 07:23:06.590347 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.93.68.187:56073] authenticate_user_gss called
[Fri Sep 25 07:23:06.590362 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.93.68.187:56073] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Fri Sep 25 07:23:06.590508 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.93.68.187:56073] Client wants GSS mech: spnego
[Fri Sep 25 07:23:06.590524 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.93.68.187:56073] acquire_server_creds for HTTP#host0ad903.abc.def.net
[Fri Sep 25 07:23:06.621760 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.93.68.187:56073] got server creds for: HTTP#host0ad903.abc.def.net
[Fri Sep 25 07:23:06.639432 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(549): [client 10.93.68.187:56073] Authenticated user (final result) : cyoull#ABC.DEF.NET
This is the Apache log file after a successful attempt with a Python script on Windows Server 2008:
[Thu Sep 17 16:29:48.890889 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(620): [client 10.115.2.117:50526] gss_authenticate: type = GSSAPI
[Thu Sep 17 16:29:48.890900 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(632): [client 10.115.2.117:50526] No authentication data found
[Thu Sep 17 16:29:48.890909 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(592): [client 10.115.2.117:50526] note_gss_auth_failure: auth_name = <undefined>
[Thu Sep 17 16:29:48.908047 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(620): [client 10.115.2.117:50526] gss_authenticate: type = GSSAPI
[Thu Sep 17 16:29:48.908056 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(334): [client 10.115.2.117:50526] authenticate_user_gss called
[Thu Sep 17 16:29:48.908080 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(373): [client 10.115.2.117:50526] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Thu Sep 17 16:29:48.908188 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(411): [client 10.115.2.117:50526] Client wants GSS mech: kerberos_v5
[Thu Sep 17 16:29:48.908203 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(288): [client 10.115.2.117:50526] acquire_server_creds for HTTP#host0ad903.abc.def.net
[Thu Sep 17 16:29:48.910360 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(438): [client 10.115.2.117:50526] got server creds for: HTTP/host0ad903.abc.def.net#ABC.DEF.NET
[Thu Sep 17 16:29:48.917847 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(524): [client 10.115.2.117:50526] Authenticated user before AuthGSSStripDomainAT: cyoull#ABC.DEF.NET
[Thu Sep 17 16:29:48.917863 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(533): [client 10.115.2.117:50526] Authenticated user before AuthGSSForceCase: coy
[Thu Sep 17 16:29:48.917873 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(549): [client 10.115.2.117:50526] Authenticated user (final result) : cyoull#ABC.DEF.NET
These are the Kerberos tickets on the Windows 7 client:
U:\>klist
Current LogonId is 0:0xa84757
Cached Tickets: (2)
#0> Client: cyoull # ABC.DEF.NET
Server: krbtgt/ABC.DEF.NET # ABC.DEF.NET
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 9/25/2015 9:19:28 (local)
End Time: 9/25/2015 19:19:28 (local)
Renew Time: 10/2/2015 9:19:28 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#1> Client: cyoull # ABC.DEF.NET
Server: HTTP/host0ad903.abc.def.net # ABC.DEF.NET
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 9/25/2015 9:19:30 (local)
End Time: 9/25/2015 19:19:28 (local)
Renew Time: 10/2/2015 9:19:28 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Using the developer tools in Firefox, I see three GET requests, and in the Apache log file it looks as if the Kerberos negotiation tries more than once and then fails with a 401 Unauthorized:
[Fri Sep 25 08:54:28.205356 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.205366 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(632): [client 10.211.8.122:52459] No authentication data found
[Fri Sep 25 08:54:28.205374 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>
[Fri Sep 25 08:54:28.471160 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.471170 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.211.8.122:52459] authenticate_user_gss called
[Fri Sep 25 08:54:28.471187 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.211.8.122:52459] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Fri Sep 25 08:54:28.471290 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.211.8.122:52459] Client wants GSS mech: spnego
[Fri Sep 25 08:54:28.471307 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.211.8.122:52459] acquire_server_creds for HTTP#host0ad903.abc.def.net
[Fri Sep 25 08:54:28.474953 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.211.8.122:52459] got server creds for: HTTP#host0ad903.abc.def.net
[Fri Sep 25 08:54:28.475143 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(650): [client 10.211.8.122:52459] Authentication failed.
[Fri Sep 25 08:54:28.475157 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>
[Fri Sep 25 08:54:28.540288 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.540296 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.211.8.122:52459] authenticate_user_gss called
[Fri Sep 25 08:54:28.540310 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.211.8.122:52459] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Fri Sep 25 08:54:28.540344 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.211.8.122:52459] Client wants GSS mech: <unknown>
[Fri Sep 25 08:54:28.540353 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.211.8.122:52459] acquire_server_creds for HTTP#host0ad903.abc.def.net
[Fri Sep 25 08:54:28.543031 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.211.8.122:52459] got server creds for: HTTP/host0ad903.abc.def.net#abc.def.net
[Fri Sep 25 08:54:28.543188 2015] [core:error] [pid 24150:tid 24] [client 10.211.8.122:52459] gss_accept_sec_context() failed: Invalid token was supplied (Unknown error)
[Fri Sep 25 08:54:28.543336 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(650): [client 10.211.8.122:52459] Authentication failed.
[Fri Sep 25 08:54:28.543349 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>
Have you configured the web browsers on Windows to actually do HTTP Negotiate with this server? For example, in Firefox you need to set:
network.negotiate-auth.trusted-uris = abc.def.net
or another pattern that would match the URL. Chrome similarly has to be told to be willing to authenticate to the particular server, e.g. with:
--auth-server-whitelist="*.foo.com"
or via group policy.
If that’s not the problem, then please do this:
ipconfig /flushdns
klist purge
Run Wireshark and capture the HTTP, DNS, and Kerberos traffic during a failure (ports 80, 53, and 88).
Post the resulting pcap file.

Apache 2.4.6 mod_proxy_fcgi and PHP-FPM returning 404 error

I have PHP 5.3.3 with PHP-FPM running at 172.17.0.163:20533. I tested it with nginx and with cgi-fcgi:
$ SCRIPT_FILENAME=/www/localhost/test.php REQUEST_METHOD=GET cgi-fcgi -bind -connect 172.17.0.163:20533
returns
X-Powered-By: PHP/5.3.3
Content-type: text/html
hello, it works!
So, PHP-FPM is working.
Unfortunately, Apache 2.4 has some issues with PHP-FPM:
<VirtualHost *>
UseCanonicalName Off
VirtualDocumentRoot "/www/%0"
RewriteEngine On
RewriteRule ^/(.*\.php(/.*)?)$ fcgi://172.17.0.163:20533/www/%{SERVER_NAME}/$1 [P]
</VirtualHost>
Opening http://localhost/test.php returns a "404 Not Found" error. Non-PHP files are working. Looking at the Apache error logs, everything looks fine.
[Fri Nov 15 18:53:00.426776 2013] [mpm_event:info] [pid 1959:tid 140474380953408] AH00490: Server built: Nov 13 2013 14:23:31
[Fri Nov 15 18:53:00.426787 2013] [core:notice] [pid 1959:tid 140474380953408] AH00094: Command line: '/usr/local/sbin/httpd'
[Fri Nov 15 18:53:00.426917 2013] [proxy:debug] [pid 3028:tid 140474380953408] proxy_util.c(1694): AH00925: initializing worker proxy:reverse shared
[Fri Nov 15 18:53:00.426950 2013] [proxy:debug] [pid 3028:tid 140474380953408] proxy_util.c(1734): AH00927: initializing worker proxy:reverse local
[Fri Nov 15 18:53:00.427010 2013] [proxy:debug] [pid 3028:tid 140474380953408] proxy_util.c(1769): AH00930: initialized pool in child 3028 for (*) min=0 max=25 smax=25
[Fri Nov 15 18:53:00.427101 2013] [proxy:debug] [pid 3030:tid 140474380953408] proxy_util.c(1694): AH00925: initializing worker proxy:reverse shared
[Fri Nov 15 18:53:00.427421 2013] [proxy:debug] [pid 3029:tid 140474380953408] proxy_util.c(1694): AH00925: initializing worker proxy:reverse shared
[Fri Nov 15 18:53:00.427445 2013] [proxy:debug] [pid 3029:tid 140474380953408] proxy_util.c(1734): AH00927: initializing worker proxy:reverse local
[Fri Nov 15 18:53:00.427488 2013] [proxy:debug] [pid 3029:tid 140474380953408] proxy_util.c(1769): AH00930: initialized pool in child 3029 for (*) min=0 max=25 smax=25
[Fri Nov 15 18:53:00.427129 2013] [proxy:debug] [pid 3030:tid 140474380953408] proxy_util.c(1734): AH00927: initializing worker proxy:reverse local
[Fri Nov 15 18:53:00.428326 2013] [proxy:debug] [pid 3030:tid 140474380953408] proxy_util.c(1769): AH00930: initialized pool in child 3030 for (*) min=0 max=25 smax=25
[Fri Nov 15 18:53:01.627599 2013] [rewrite:trace2] [pid 3028:tid 140474150618880] mod_rewrite.c(468): [client 172.17.42.1:57951] 172.17.42.1 - - [localhost/sid#7fc2bd82e7f8][rid#7fc2bd7a10a0/initial] init rewrite engine with requested uri /test.php
[Fri Nov 15 18:53:01.627664 2013] [rewrite:trace3] [pid 3028:tid 140474150618880] mod_rewrite.c(468): [client 172.17.42.1:57951] 172.17.42.1 - - [localhost/sid#7fc2bd82e7f8][rid#7fc2bd7a10a0/initial] applying pattern '^/(.*\\.php(/.*)?)$' to uri '/test.php'
[Fri Nov 15 18:53:01.627718 2013] [rewrite:trace2] [pid 3028:tid 140474150618880] mod_rewrite.c(468): [client 172.17.42.1:57951] 172.17.42.1 - - [localhost/sid#7fc2bd82e7f8][rid#7fc2bd7a10a0/initial] rewrite '/test.php' -> 'fcgi://172.17.0.163:20533/www/localhost/test.php'
[Fri Nov 15 18:53:01.627747 2013] [rewrite:trace2] [pid 3028:tid 140474150618880] mod_rewrite.c(468): [client 172.17.42.1:57951] 172.17.42.1 - - [localhost/sid#7fc2bd82e7f8][rid#7fc2bd7a10a0/initial] forcing proxy-throughput with fcgi://172.17.0.163:20533/www/localhost/test.php
[Fri Nov 15 18:53:01.627759 2013] [rewrite:trace1] [pid 3028:tid 140474150618880] mod_rewrite.c(468): [client 172.17.42.1:57951] 172.17.42.1 - - [localhost/sid#7fc2bd82e7f8][rid#7fc2bd7a10a0/initial] go-ahead with proxy request proxy:fcgi://172.17.0.163:20533/www/localhost/test.php [OK]
[Fri Nov 15 18:53:01.627776 2013] [proxy_fcgi:trace1] [pid 3028:tid 140474150618880] mod_proxy_fcgi.c(90): [client 172.17.42.1:57951] canonicalising URL //172.17.0.163:20533/www/localhost/test.php
[Fri Nov 15 18:53:01.627776 2013] [proxy_fcgi:debug] [pid 3028:tid 140474150618880] mod_proxy_fcgi.c(120): [client 172.17.42.1:57951] AH01060: set r->filename to proxy:fcgi://172.17.0.163:20533/www/localhost/test.php
[Fri Nov 15 18:53:01.628070 2013] [proxy:trace2] [pid 3028:tid 140474150618880] proxy_util.c(1857): [client 172.17.42.1:57951] *: found reverse proxy worker for fcgi://172.17.0.163:20533/www/localhost/test.php
[Fri Nov 15 18:53:01.628082 2013] [proxy:debug] [pid 3028:tid 140474150618880] mod_proxy.c(1100): [client 172.17.42.1:57951] AH01143: Running scheme fcgi handler (attempt 0)
[Fri Nov 15 18:53:01.628096 2013] [proxy_fcgi:debug] [pid 3028:tid 140474150618880] mod_proxy_fcgi.c(944): [client 172.17.42.1:57951] AH01076: url: fcgi://172.17.0.163:20533/www/localhost/test.php proxyname: (null) proxyport: 0
[Fri Nov 15 18:53:01.628107 2013] [proxy_fcgi:debug] [pid 3028:tid 140474150618880] mod_proxy_fcgi.c(954): [client 172.17.42.1:57951] AH01078: serving URL //172.17.0.163:20533/www/localhost/test.php
[Fri Nov 15 18:53:01.628134 2013] [proxy:debug] [pid 3028:tid 140474150618880] proxy_util.c(2020): AH00942: FCGI: has acquired connection for (*)
[Fri Nov 15 18:53:01.628147 2013] [proxy:debug] [pid 3028:tid 140474150618880] proxy_util.c(2072): [client 172.17.42.1:57951] AH00944: connecting //172.17.0.163:20533/www/localhost/test.php to 172.17.0.163:20533
[Fri Nov 15 18:53:01.628224 2013] [proxy:debug] [pid 3028:tid 140474150618880] proxy_util.c(2194): [client 172.17.42.1:57951] AH00947: connected /www/localhost/test.php to 172.17.0.163:20533
[Fri Nov 15 18:53:01.628248 2013] [proxy:trace2] [pid 3028:tid 140474150618880] proxy_util.c(2446): FCGI: fam 2 socket created to connect to *
[Fri Nov 15 18:53:01.629453 2013] [proxy_fcgi:trace4] [pid 3028:tid 140474150618880] util_script.c(521): [client 172.17.42.1:57951] Headers from script 'test.php':
[Fri Nov 15 18:53:01.629552 2013] [proxy_fcgi:trace4] [pid 3028:tid 140474150618880] util_script.c(522): [client 172.17.42.1:57951] Status: 404 Not Found
[Fri Nov 15 18:53:01.629583 2013] [proxy_fcgi:trace1] [pid 3028:tid 140474150618880] util_script.c(599): [client 172.17.42.1:57951] Status line from script 'test.php': 404 Not Found
[Fri Nov 15 18:53:01.629595 2013] [proxy_fcgi:trace4] [pid 3028:tid 140474150618880] util_script.c(522): [client 172.17.42.1:57951] X-Powered-By: PHP/5.3.3
[Fri Nov 15 18:53:01.629608 2013] [proxy_fcgi:trace4] [pid 3028:tid 140474150618880] util_script.c(522): [client 172.17.42.1:57951] Content-type: text/html
[Fri Nov 15 18:53:01.629680 2013] [proxy:debug] [pid 3028:tid 140474150618880] proxy_util.c(2035): AH00943: FCGI: has released connection for (*)
It seems as if mod_proxy_fcgi is not sending the script path correctly?! Does anyone have an idea?
UPDATE 16 Nov 2013
I tested it with Apache 2.2.25 and mod_fastcgi 2.4.6:
<VirtualHost *>
UseCanonicalName Off
VirtualDocumentRoot "/www/%0"
AddHandler php5-fastcgi .php
FastCgiExternalServer /www/localhost -host 172.17.0.163:20533
</VirtualHost>
Works like a charm. I guess Apache 2.4.6 with mod_proxy_fcgi is buggy.
UPDATE 17 Nov 2013
I tested it with Apache 2.4.6 and mod_proxy_fcgi and PHP 5.4.21. It works. So, there seems to be a problem with PHP 5.3.3 together with Apache 2.4.6 and mod_proxy_fcgi.
Using PHP 5.3.27 fixes all the issues.
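Added example, not from the thread: a minimal FastCGI client in Python that sends the same kind of BEGIN_REQUEST / PARAMS / STDIN records mod_proxy_fcgi sends, so a given SCRIPT_FILENAME can be tried directly against PHP-FPM (as the cgi-fcgi test above does) and the Status header PHP-FPM returns can be read from the STDOUT records. Host, port and paths are the ones in the question; the parameter set in probe() is my assumption of a sensible minimum, not a byte-for-byte copy of what mod_proxy_fcgi emits.

```python
import socket
import struct

FCGI_BEGIN_REQUEST, FCGI_END_REQUEST, FCGI_PARAMS, FCGI_STDIN, FCGI_STDOUT, FCGI_STDERR = 1, 3, 4, 5, 6, 7
FCGI_RESPONDER = 1

def fcgi_record(rtype, content, request_id=1):
    """One FastCGI record: 8-byte header (version 1), content, zero padding to a multiple of 8."""
    padding = (8 - len(content) % 8) % 8
    header = struct.pack("!BBHHBx", 1, rtype, request_id, len(content), padding)
    return header + content + b"\x00" * padding

def _nv_pair(name, value):
    """Name-value pair: lengths under 128 take one byte, longer ones four bytes with the high bit set."""
    out = b""
    for part in (name.encode(), value.encode()):
        n = len(part)
        out += struct.pack("!B", n) if n < 128 else struct.pack("!I", n | 0x80000000)
    return out + name.encode() + value.encode()

def build_request(params, body=b""):
    """Record sequence for one request: BEGIN_REQUEST, PARAMS, empty PARAMS, [STDIN], empty STDIN."""
    begin = struct.pack("!HB5x", FCGI_RESPONDER, 0)            # role, flags (no FCGI_KEEP_CONN)
    pairs = b"".join(_nv_pair(k, v) for k, v in params.items())
    return (fcgi_record(FCGI_BEGIN_REQUEST, begin) + fcgi_record(FCGI_PARAMS, pairs)
            + fcgi_record(FCGI_PARAMS, b"") + (fcgi_record(FCGI_STDIN, body) if body else b"")
            + fcgi_record(FCGI_STDIN, b""))

def parse_records(data):
    """Split a byte stream into (type, request_id, content) tuples; a trailing partial record is ignored."""
    records, pos = [], 0
    while pos + 8 <= len(data):
        _ver, rtype, rid, clen, plen = struct.unpack("!BBHHBx", data[pos:pos + 8])
        if pos + 8 + clen + plen > len(data):
            break
        records.append((rtype, rid, data[pos + 8:pos + 8 + clen]))
        pos += 8 + clen + plen
    return records

def parse_params(content):
    """Inverse of _nv_pair for a PARAMS record body (what PHP-FPM sees as its environment)."""
    params, pos = {}, 0
    while pos < len(content):
        lengths = []
        for _ in range(2):
            if content[pos] & 0x80:
                lengths.append(struct.unpack("!I", content[pos:pos + 4])[0] & 0x7FFFFFFF)
                pos += 4
            else:
                lengths.append(content[pos])
                pos += 1
        nlen, vlen = lengths
        params[content[pos:pos + nlen].decode()] = content[pos + nlen:pos + nlen + vlen].decode()
        pos += nlen + vlen
    return params

def probe(host, port, script_filename, request_uri="/test.php", method="GET"):
    """Send one request to PHP-FPM and return (stdout, stderr) as text; stdout starts with the headers."""
    params = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": method, "SCRIPT_FILENAME": script_filename,
              "SCRIPT_NAME": request_uri, "REQUEST_URI": request_uri, "DOCUMENT_ROOT": "/www/localhost",
              "SERVER_PROTOCOL": "HTTP/1.1", "SERVER_NAME": "localhost", "SERVER_PORT": "80",
              "QUERY_STRING": "", "REMOTE_ADDR": "127.0.0.1", "CONTENT_LENGTH": "0"}
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_request(params))
        data = b""
        while True:                          # FPM closes the connection after END_REQUEST
            chunk = sock.recv(65536)
            if not chunk:
                break
            data += chunk
    out = b"".join(c for t, _, c in parse_records(data) if t == FCGI_STDOUT)
    err = b"".join(c for t, _, c in parse_records(data) if t == FCGI_STDERR)
    return out.decode(errors="replace"), err.decode(errors="replace")
```

probe("172.17.0.163", 20533, "/www/localhost/test.php") should return the same "X-Powered-By: PHP/5.3.3" headers as the cgi-fcgi test; trying the path mod_rewrite produced above, and variants such as a SCRIPT_FILENAME with the fcgi:// prefix still attached, shows which value makes this PHP-FPM answer "Status: 404 Not Found".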