Thursday, May 22, 2014

mod_proxy suddenly failing with 500 / 502 errors because of self-signed expired certificates

Apache was returning 500. From the logs:
[Thu May 22 09:42:31.269552 2014] [proxy:error] [pid 22446:tid 139728275740416] (502)Unknown error 502: [client 192.168.1.65:61702] AH01084: pass request body failed to 172.16.1.12:8443 (node1.sample.com)
[Thu May 22 09:42:31.269617 2014] [proxy:error] [pid 22446:tid 139728275740416] [client 192.168.1.65:61702] AH00898: Error during SSL Handshake with remote server returned by /login
[Thu May 22 09:42:31.269624 2014] [proxy_http:error] [pid 22446:tid 139728275740416] [client 192.168.1.65:61702] AH01097: pass request body failed to 172.16.1.12:8443 (node1.sample.com) from 192.168.1.65 (
)
OpenSSL's own certificate validation would say:
$ openssl s_client -connect sample.com:8443|grep -i verify
depth=0 serialNumber = jbmxhGznkcvhtXRrAx0WVpdSdE2R/trY, OU = GT16223480, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = sample.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = jbmxhGznkcvhtXRrAx0WVpdSdE2R/trY, OU = GT16223480, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = sample.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 serialNumber = jbmxhGznkcvhtXRrAx0WVpdSdE2R/trY, OU = GT16223480, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = sample.com
verify error:num=21:unable to verify the first certificate
verify return:1
Verify return code: 21 (unable to verify the first certificate)
So it does not report the classic "Verify return code: 10 (certificate has expired)" even though the certificate really is expired. That is why you had better check the expiration dates directly:
$ openssl s_client -connect sample.com:8443 </dev/null | openssl x509 -noout -dates
depth=0 serialNumber = jbmxhGznkcvhtXRrAx0WVpdSdE2R/trY, OU = GT16223480, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = sample.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = jbmxhGznkcvhtXRrAx0WVpdSdE2R/trY, OU = GT16223480, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = sample.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 serialNumber = jbmxhGznkcvhtXRrAx0WVpdSdE2R/trY, OU = GT16223480, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = sample.com
verify error:num=21:unable to verify the first certificate
verify return:1
notBefore=May 19 01:51:23 2013 GMT
notAfter=May 21 15:47:07 2014 GMT
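The lesson above is that the overall verify return code can hide an expired certificate: when the server sends no intermediate and the leaf's signature cannot be verified, OpenSSL stops at that chain error (code 21 here) before it ever reports the validity period. The check that does not depend on the chain is to read notBefore/notAfter themselves. The following script is an added example, not code from the original post: it parses the `openssl x509 -noout -dates` output format shown above (the embedded sample text is constructed from the post's two dates and the log timestamp), classifies the certificate as expired/expiring/ok, and can run the same `s_client | x509` pipeline non-interactively against a live host. The `openssl` binary in PATH, the `warn_days` threshold and the host/port arguments are assumptions of this example.

```python
"""Check TLS certificate expiry directly instead of trusting the verify return code.

Added example (not from the original post). Parses the notBefore/notAfter lines
printed by `openssl x509 -noout -dates` and, optionally, fetches them from a live
endpoint with the openssl CLI (assumed to be in PATH).
"""
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample: the two validity lines from the post's output.
SAMPLE_DATES_OUTPUT = """notBefore=May 19 01:51:23 2013 GMT
notAfter=May 21 15:47:07 2014 GMT
"""

# Constructed: the timestamp of the post's Apache log lines, for reproducible evaluation.
LOG_TIME = datetime(2014, 5, 22, 9, 42, 31, tzinfo=timezone.utc)

# openssl prints validity as e.g. "May 21 15:47:07 2014 GMT" (always GMT).
OPENSSL_DATE_FORMAT = "%b %d %H:%M:%S %Y %Z"


def parse_dates(text):
    """Return (not_before, not_after) as aware UTC datetimes from `-dates` output.

    Any other lines (for example the 'verify error' chatter that s_client writes
    to stderr) are ignored, so the raw pipeline output can be passed in as-is.
    """
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            naive = datetime.strptime(value.strip(), OPENSSL_DATE_FORMAT)
            found[key] = naive.replace(tzinfo=timezone.utc)
    if "notBefore" not in found or "notAfter" not in found:
        raise ValueError("missing notBefore/notAfter in openssl output")
    return found["notBefore"], found["notAfter"]


def seconds_remaining(not_after, now=None):
    """Seconds until expiry; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return int((not_after - now).total_seconds())


def classify(not_before, not_after, now=None, warn_days=14):
    """Return 'not_yet_valid', 'expired', 'expiring' or 'ok' for the given instant."""
    now = now or datetime.now(timezone.utc)
    if now < not_before:
        return "not_yet_valid"
    if now >= not_after:
        return "expired"
    if not_after - now < timedelta(days=warn_days):
        return "expiring"
    return "ok"


def fetch_dates_output(host, port=443, timeout=10):
    """Run the post's pipeline non-interactively (assumes openssl in PATH).

    stdin=DEVNULL plays the role of `</dev/null`, so s_client exits right after
    the handshake; -servername sends SNI so a virtual-hosted server returns the
    certificate for this name rather than its default one.
    """
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        stdin=subprocess.DEVNULL, capture_output=True, timeout=timeout,
    )
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-dates"],
        input=s_client.stdout, capture_output=True, check=True,
    )
    return x509.stdout.decode()


def check_endpoint(host, port=443, warn_days=14):
    """Fetch and classify a live endpoint's certificate; returns (status, not_after)."""
    not_before, not_after = parse_dates(fetch_dates_output(host, port))
    return classify(not_before, not_after, warn_days=warn_days), not_after


if __name__ == "__main__":
    # Evaluate the post's certificate at the moment its log lines were written.
    nb, na = parse_dates(SAMPLE_DATES_OUTPUT)
    print(classify(nb, na, now=LOG_TIME), seconds_remaining(na, LOG_TIME))
```

Run with a host and port (`check_endpoint("node1.sample.com", 8443)`) from a cron job or monitoring probe; a status of `expiring` with a couple of weeks' margin is what would have prevented the 502s above, regardless of what the chain verification says.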
