Friday, November 15, 2013

Apache and Tomcat mod_proxy [warn] Proxy client certificate callback: (sample.com:443) downstream server wanted client certificate but none are configured

This warning was coming up in the Apache logs:
[Fri Nov 15 16:03:13 2013] [warn] Proxy client certificate callback: (sample.com:443) downstream server wanted client certificate but none are configured

Expired or not currently valid Certificate

The certificate might be expired or it could have been issued for a date in the future. You can check the validity using:
openssl s_client -connect sample.com:443 </dev/null | openssl x509 -noout -dates
depth=0 /C=Argentina/ST=FL/L=Buenos Aires/O=My Company, LLC/OU=Operations/CN=sample.com/emailAddress=it@sample.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=Argentina/ST=FL/L=Buenos Aires/O=My Company, LLC/OU=Operations/CN=sample.com/emailAddress=it@sample.com
verify return:1
notBefore=Jan 24 13:29:12 2012 GMT
notAfter=Jan 21 13:29:12 2024 GMT
Recreating the certificate resolved the issue.
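
The same check can be scripted. The Python below is an added example, not part of the original post: it parses the notBefore/notAfter lines printed by the command above and reports whether the certificate is not yet valid, expired, or inside its validity window. The function names and the 30-day warning threshold are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: the -dates lines from the output shown above, preceded
# by two of the s_client "verify" lines that arrive on the same terminal.
SAMPLE_OUTPUT = """\
verify error:num=18:self signed certificate
verify return:1
notBefore=Jan 24 13:29:12 2012 GMT
notAfter=Jan 21 13:29:12 2024 GMT
"""

# openssl prints these dates in GMT; single-digit days are space padded,
# which strptime accepts because a space in the format matches any run.
_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_dates(output):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), _FMT)
            found[key] = parsed.replace(tzinfo=timezone.utc)
    missing = {"notBefore", "notAfter"} - found.keys()
    if missing:
        raise ValueError("missing field(s): " + ", ".join(sorted(missing)))
    return found["notBefore"], found["notAfter"]


def validity_status(output, now=None, warn_days=30):
    """Classify as 'not yet valid', 'expired', 'expiring soon' or 'valid'."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_dates(output)
    if now < not_before:
        return "not yet valid"   # issued for a date in the future
    if now > not_after:
        return "expired"
    if (not_after - now).days < warn_days:
        return "expiring soon"   # hypothetical 30-day warning threshold
    return "valid"


if __name__ == "__main__":
    import sys
    # Optional argument: a file holding saved output of the openssl command.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    print(validity_status(text))
```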

Tomcat misconfiguration

The SSL Connector had the setting below set to "optional", but when Apache is used as a reverse proxy for load balancing this setting is not needed. We should use the default, which is "none":
SSLVerifyClient="none"
