rskb4u
Joined: 14 Apr 2014 Posts: 25 Location: India
Posted: Wed 17 Jun '15 11:51 Post subject: Can't Verify Server Identity - Apache 2.2.9
Hi Forum Members,
We are facing an issue, i.e. "Can't verify server identity", when we hit the platform 'teampark.sogeti.com' from an Android mobile application.
Our request flow:
---Whenever we hit teampark.sogeti.com from the mobile application (IBM Connections Android app), our initial request hits our reverse proxy, which validates the user certificate and forwards it to the next level.
We are using Apache 2.2.9 as our reverse proxy.
Any help would be appreciated.
Regards,
Shiva Rudra

James Blond (Moderator)
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Wed 17 Jun '15 12:17
Short answer:
the issue is SNI.
Long answer:
the domain name points to 3 IP addresses, and all 3 of them have rp-internet capgemini com as the primary domain on the IP. Some older Android versions do not support SNI, so they fetch the certificate of rp-internet capgemini com instead of the teampark one.

rskb4u
Joined: 14 Apr 2014 Posts: 25 Location: India
Posted: Wed 17 Jun '15 13:44
Hi James,
From the ssl_cert.log of the reverse proxy we are getting this message:
"[02/Jun/2015:12:23:10 +0200] 1.39.9.152 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -"
In our POC environment it is working fine; there we have configured one of our VMs (Windows environment) as the RP.
Coming to the prod environment, Apache on a Linux machine is configured as the RP, and there we are facing this issue.
Regards,
Shiva Rudra

James Blond (Moderator)
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Wed 17 Jun '15 17:21
You need to specify the CA cert in order to verify the issued cert, since it's obviously not included in the crt / pem.

rskb4u
Joined: 14 Apr 2014 Posts: 25 Location: India
Posted: Thu 18 Jun '15 8:33
Hi James,
The certificates which we are using are:
1) soogeti.crt
2) bundle.ca (intermediate certificate)
3) capgemini.ca
I don't have much knowledge of certificates.
Can you please elaborate more?
Regards,
Shiva Rudra

James Blond (Moderator)
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Thu 18 Jun '15 10:45
I use StartCom for my certificates, and there I have to use that, too.
Example:
Code:
SSLEngine on
SSLCertificateFile /apache2/conf/certs/example.com.crt
SSLCertificateKeyFile /apache2/conf/certs/example.com.key
SSLCertificateChainFile /apache2/conf/certs/sub.class1.server.ca.pem
SSLCACertificateFile /apache2/conf/certs/ca.pem

Optional:
Code:
SSLCARevocationFile /apache2/conf/certs/sub.class1.client.sha2.ca.pem

rskb4u
Joined: 14 Apr 2014 Posts: 25 Location: India
Posted: Fri 19 Jun '15 11:50
Hi James,
These are the certificates we are using in our reverse proxy:
Code:
SSLCertificateChainFile "/usr/local/apache2/conf/PROXY_CONFIGURATION/SSL_certificates/hem/bundle.ca"
SSLCertificateFile "/usr/local/apache2/conf/PROXY_CONFIGURATION/SSL_certificates/hem/sogeti.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/PROXY_CONFIGURATION/SSL_certificates/hem/sogeti.key"
SSLCACertificateFile "/usr/local/apache2/conf/PROXY_CONFIGURATION/SSL_certificates/hem/capgemini.ca"

Many thanks,
Shiva Rudra

rskb4u
Joined: 14 Apr 2014 Posts: 25 Location: India
Posted: Mon 22 Jun '15 14:58
Hi,
Please find the errors from the logs below.
Error log:
[Mon Jun 22 15:33:12 2015] [error] [client 10.31.176.200] Re-negotiation handshake failed: Not accepted by client!?
[Mon Jun 22 15:33:20 2015] [error] [client 10.31.176.200] Re-negotiation handshake failed: Not accepted by client!?
[Mon Jun 22 15:33:23 2015] [error] [client 10.31.176.200] Re-negotiation handshake failed: Not accepted by client!?
[Mon Jun 22 15:33:25 2015] [error] [client 10.31.176.200] Re-negotiation handshake failed: Not accepted by client!?
[Mon Jun 22 15:33:28 2015] [error] [client 10.31.176.200] Re-negotiation handshake failed: Not accepted by client!?
[Mon Jun 22 15:33:31 2015] [error] [client 10.31.176.200] Re-negotiation handshake failed: Not accepted by client!?
Access log:
[22/Jun/2015:15:38:41 +0530] 10.31.176.200 - - teampark.sogeti.com "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" - 403 - "-" "Lotus Android"
[22/Jun/2015:15:38:43 +0530] 10.31.176.200 - - teampark.sogeti.com "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" - 403 - "-" "Lotus Android"
[22/Jun/2015:15:38:45 +0530] 10.31.176.200 - - teampark.sogeti.com "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" - 403 - "-" "Lotus Android"
[22/Jun/2015:15:38:47 +0530] 10.31.176.200 - - teampark.sogeti.com "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" - 403 - "-" "Lotus Android"
[22/Jun/2015:15:38:49 +0530] 10.31.176.200 - - teampark.sogeti.com "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" - 403 - "-" "Lotus Android"
ssl_request.log:
[22/Jun/2015:15:24:59 +0530] 10.31.176.200 TLSv1.2 RC4-SHA "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" 483
[22/Jun/2015:15:25:43 +0530] 10.31.176.200 TLSv1.2 RC4-SHA "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" 483
[22/Jun/2015:15:26:23 +0530] 10.31.176.200 TLSv1.2 RC4-SHA "GET /mobile/homepage/Configuration?screenDensity=240&lang=en_GB&ps=20 HTTP/1.1" 522
[22/Jun/2015:15:33:11 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:18 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:21 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:24 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:27 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:29 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:29 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:41 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:43 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:45 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:47 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:49 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
ssl_cert.log:
[22/Jun/2015:15:25:43 +0530] 10.31.176.200 - NONE - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" 483
[22/Jun/2015:15:26:23 +0530] 10.31.176.200 - NONE - - - - - Lotus Android - "GET /mobile/homepage/Configuration?screenDensity=240&lang=en_GB&ps=20 HTTP/1.1" 522
[22/Jun/2015:15:33:11 +0530] 10.31.176.200 - NONE - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:18 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:21 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:24 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:27 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:29 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:29 +0530] 10.31.176.200 - NONE - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:41 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:43 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:45 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:47 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:49 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -

James Blond (Moderator)
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Mon 22 Jun '15 17:32
What might help is
Code:
SSLInsecureRenegotiation on

prmjit
Joined: 19 Jun 2014 Posts: 9 Location: India, Mumbai
Posted: Fri 26 Jun '15 11:13
Hi James,
We have checked with IBM and they told us that our group reverse proxy is not sending the complete chain, and hence we are getting the issue.
We are using the same bundle.ca as our SSLCertificateChainFile in our POC environment and on the group RP.
Everything is working fine in POC, but not when the request is sent to the group RP.
The Apache versions in our POC and on the group RP are the same: 2.2.29.
Then why is the group RP not sending the correct intermediary certificate?

prmjit
Joined: 19 Jun 2014 Posts: 9 Location: India, Mumbai
Posted: Fri 26 Jun '15 11:14
There is only one difference: our Apache in POC is on a Windows server, and the group RP is on Linux.
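An added example, not taken from any of the posts above and not code from Apache, IBM or the poster's environment: the shell script below builds a throwaway root / intermediate / leaf PKI with the openssl command-line tool in a temporary directory, reproduces the exact reason string seen in the ssl_cert.log lines above ("unable to get local issuer certificate") by verifying the leaf against the root without its intermediate, shows the same verification succeed once the intermediate is supplied, and checks that a PEM bundle is in the order Apache puts on the wire (server certificate first, then each issuer in turn). This is the check behind IBM's finding that the group RP is not sending the complete chain. All names (Example Root CA, Example Intermediate CA, teampark.example) and the bundles wire_good.pem / wire_wrong.pem are constructed for the example.

```shell
#!/bin/sh
# Reproduce "unable to get local issuer certificate" offline and check the
# order of a certificate bundle before Apache serves it.
# Constructed example: a throwaway root CA, intermediate CA and leaf for the
# hypothetical host teampark.example are generated in a temp directory.
# Requires the openssl command-line tool (1.1.1 or newer).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions that make a certificate usable as a CA (root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Root CA (self-signed).
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout root.key -out root.csr >/dev/null 2>&1
openssl x509 -req -days 2 -in root.csr -signkey root.key -extfile ca.ext \
    -out root.pem >/dev/null 2>&1

# Intermediate CA, signed by the root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout int.key -out int.csr >/dev/null 2>&1
openssl x509 -req -days 2 -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out int.pem >/dev/null 2>&1

# Server (leaf) certificate, signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -subj "/CN=teampark.example" \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -days 2 -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out leaf.pem >/dev/null 2>&1

# What goes on the wire: SSLCertificateFile followed by SSLCertificateChainFile.
cat leaf.pem int.pem > wire_good.pem   # correct order
cat int.pem leaf.pem > wire_wrong.pem  # chain file contents pasted first

# What a verifier sees when only the trust anchor (root) is available and the
# intermediate is missing: openssl reports the same reason Apache logged.
verify_leaf_alone() {
    openssl verify -CAfile root.pem leaf.pem 2>&1
}

# Same verification with the intermediate supplied, which is what a correct
# chain file (or a peer sending its full chain) achieves.
verify_leaf_with_chain() {
    openssl verify -CAfile root.pem -untrusted int.pem leaf.pem 2>&1
}

# Print the Nth certificate of a PEM bundle ($1 = file, $2 = N, 1-based).
pem_nth() {
    awk -v n="$2" '/BEGIN CERTIFICATE/ { c++ }
                   c == n { print }
                   /END CERTIFICATE/ { if (c == n) exit }' "$1"
}

# Strip the "subject=" / "issuer=" prefix so the two DNs can be compared.
dn_value() { sed 's/^[a-z]*= *//'; }

# Check that a PEM bundle is in on-the-wire order: each certificate must be
# issued by the certificate that follows it. Returns 0 when the order is right.
chain_order_ok() {
    bundle=$1
    n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(pem_nth "$bundle" "$i" | openssl x509 -noout -issuer | dn_value)
        subject=$(pem_nth "$bundle" $((i + 1)) | openssl x509 -noout -subject | dn_value)
        if [ "$issuer" != "$subject" ]; then
            echo "certificate $i is not issued by certificate $((i + 1))" >&2
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}

echo "--- leaf verified against the root only (intermediate missing):"
verify_leaf_alone || true
echo "--- leaf verified with the intermediate supplied:"
verify_leaf_with_chain
echo "--- order check:"
chain_order_ok wire_good.pem && echo "wire_good.pem: order OK"
chain_order_ok wire_wrong.pem || echo "wire_wrong.pem: wrong order"
```

To apply the order check to the real files from the config above, concatenate them the way Apache sends them (cat sogeti.crt bundle.ca > wire.pem on the proxy host) and run chain_order_ok on the result; the script itself does not touch those files. Two mod_ssl 2.2 directives do different jobs here: SSLCertificateChainFile is what the proxy sends to clients together with SSLCertificateFile, while SSLCACertificateFile is the trust store the proxy uses to verify client certificates. The NONE / FAILED:reason values in ssl_cert.log are that client-verification result (SSL_CLIENT_VERIFY), so a FAILED there means the proxy lacks the issuer for the certificate the client presented, and the chain the proxy sends to the app is a separate thing to check. The "Re-negotiation handshake failed: Not accepted by client" errors are separate again: Apache renegotiates the TLS session (for instance to ask for a client certificate) and the client rejects it; SSLInsecureRenegotiation on re-enables the pre-RFC 5746 renegotiation that CVE-2009-3555 exploits, so it should not be the first fix for a chain problem.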