logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Can't Verify Server Identity - Apache 2.2.9
Author
rskb4u



Joined: 14 Apr 2014
Posts: 25
Location: India

PostPosted: Wed 17 Jun '15 11:51    Post subject: Can't Verify Server Identity - Apache 2.2.9 Reply with quote

Hi Forum Member,


We are facing an issue i.e "Can't verify server identity",
When we hit the platform 'teampark.sogeti.com' from android mobile application.


Our request flow:

---Whenever we hit teampark.sogeti.com from Mobile Application ( IBM connections android App), our initial request will hit our Reverse Proxy and Validates the user certificate and forward it to the next level.

We are using Apache 2.2.9 as our Reverse Proxy.

Any help would be appreciated.

Regards,
Shiva Rudra
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Wed 17 Jun '15 12:17    Post subject: Reply with quote

Short answer:
the issue is SNI

Long answer:
the domain name points to 3 IP adresses and 3 of it are one rp-internet capgemini com as primary domain on the IP. Some older android version do not support SNI. So they fetch the certificate from rp-internet capgemini com instead of the teampark one.
Back to top
rskb4u



Joined: 14 Apr 2014
Posts: 25
Location: India

PostPosted: Wed 17 Jun '15 13:44    Post subject: Reply with quote

Hi James,

From ssl_cert.log of Reverese Proxy.

We are getting this message " [02/Jun/2015:12:23:10 +0200] 1.39.9.152 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -"


In our POC Environment working fine, we have configured one our VM ( windows env ) as RP.

Coming to Prod environment, Apache in a LINUX machine configured as RP,there we are facing this issue.


Regards,
Shiva Rudra
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Wed 17 Jun '15 17:21    Post subject: Reply with quote

You need to specify the CA cert in order to verify the issued cert since it's obviously not included in the crt / pem.
Back to top
rskb4u



Joined: 14 Apr 2014
Posts: 25
Location: India

PostPosted: Thu 18 Jun '15 8:33    Post subject: Reply with quote

Hi James,


The certificates which we are using are..


1) soogeti.crt
2) bundle.ca ( Intermediate Certificate )
3) capgemini.ca


I dont have much knowledge on Certificates.

can you please elaborate more..

Regards,
Shiva Rudra
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Thu 18 Jun '15 10:45    Post subject: Reply with quote

I use startcom for my certificates and there I have to use that, too

example
Code:

SSLEngine on
SSLCertificateFile /apache2/conf/certs/example.com.crt
SSLCertificateKeyFile /apache2/conf/certs/example.com.key
SSLCertificateChainFile /apache2/conf/certs/sub.class1.server.ca.pem
SSLCACertificateFile /apache2/conf/certs/ca.pem


optional
Code:

SSLCARevocationFile /apache2/conf/certs/sub.class1.client.sha2.ca.pem
Back to top
rskb4u



Joined: 14 Apr 2014
Posts: 25
Location: India

PostPosted: Fri 19 Jun '15 11:50    Post subject: Reply with quote

Hi James,

Certificates we are using in our reverse proxy.

SSLCertificateChainFile "/usr/local/apache2/conf/PROXY_CONFIGURATION/SSL_certificates/hem/bundle.ca"
SSLCertificateFile "/usr/local/apache2/conf/PROXY_CONFIGURATION/SSL_certificates/hem/sogeti.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/PROXY_CONFIGURATION/SSL_certificates/hem/sogeti.key"
SSLCACertificateFile "/usr/local/apache2/conf/PROXY_CONFIGURATION/SSL_certificates/hem/capgemini.ca"


Many Thanks,
Shiva Rudra
Back to top
rskb4u



Joined: 14 Apr 2014
Posts: 25
Location: India

PostPosted: Mon 22 Jun '15 14:58    Post subject: Reply with quote

HI,


Please find errors from below logs:



error logs :

[Mon Jun 22 15:33:12 2015] [error] [client 10.31.176.200] Re-negotiation handshake failed: Not accepted by client!?
[Mon Jun 22 15:33:20 2015] [error] [client 10.31.176.200] Re-negotiation handshake failed: Not accepted by client!?
[Mon Jun 22 15:33:23 2015] [error] [client 10.31.176.200] Re-negotiation handshake failed: Not accepted by client!?
[Mon Jun 22 15:33:25 2015] [error] [client 10.31.176.200] Re-negotiation handshake failed: Not accepted by client!?
[Mon Jun 22 15:33:28 2015] [error] [client 10.31.176.200] Re-negotiation handshake failed: Not accepted by client!?
[Mon Jun 22 15:33:31 2015] [error] [client 10.31.176.200] Re-negotiation handshake failed: Not accepted by client!?


access log
[6/22/2015 3:42 PM] Khan, Jabeer:
[22/Jun/2015:15:38:41 +0530] 10.31.176.200 - - teampark.sogeti.com "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" - 403 - "-" "Lotus Android"
[22/Jun/2015:15:38:43 +0530] 10.31.176.200 - - teampark.sogeti.com "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" - 403 - "-" "Lotus Android"
[22/Jun/2015:15:38:45 +0530] 10.31.176.200 - - teampark.sogeti.com "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" - 403 - "-" "Lotus Android"
[22/Jun/2015:15:38:47 +0530] 10.31.176.200 - - teampark.sogeti.com "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" - 403 - "-" "Lotus Android"
[22/Jun/2015:15:38:49 +0530] 10.31.176.200 - - teampark.sogeti.com "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" - 403 - "-" "Lotus Android"


ssl_request.log
[22/Jun/2015:15:24:59 +0530] 10.31.176.200 TLSv1.2 RC4-SH...
[22/Jun/2015:15:24:59 +0530] 10.31.176.200 TLSv1.2 RC4-SHA "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" 483
[22/Jun/2015:15:25:43 +0530] 10.31.176.200 TLSv1.2 RC4-SHA "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" 483
[22/Jun/2015:15:26:23 +0530] 10.31.176.200 TLSv1.2 RC4-SHA "GET /mobile/homepage/Configuration?screenDensity=240&lang=en_GB&ps=20 HTTP/1.1" 522
[22/Jun/2015:15:33:11 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:18 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:21 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:24 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:27 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:29 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:29 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:41 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:43 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:45 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:47 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:49 +0530] 10.31.176.200 TLSv1.2 - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -


ssl_cert.log:

[22/Jun/2015:15:25:43 +0530] 10.31.176.200 - NONE - - - -...
[22/Jun/2015:15:25:43 +0530] 10.31.176.200 - NONE - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" 483
[22/Jun/2015:15:26:23 +0530] 10.31.176.200 - NONE - - - - - Lotus Android - "GET /mobile/homepage/Configuration?screenDensity=240&lang=en_GB&ps=20 HTTP/1.1" 522
[22/Jun/2015:15:33:11 +0530] 10.31.176.200 - NONE - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:18 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:21 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:24 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:27 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:33:29 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:29 +0530] 10.31.176.200 - NONE - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:41 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:43 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:45 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:47 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
[22/Jun/2015:15:38:49 +0530] 10.31.176.200 - FAILED:unable to get local issuer certificate - - - - - Lotus Android - "GET /mobile/homepage/SecurityConfiguration HTTP/1.1" -
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Mon 22 Jun '15 17:32    Post subject: Reply with quote

What might help is

SSLInsecureRenegotiation on
Back to top
prmjit



Joined: 19 Jun 2014
Posts: 9
Location: India, Mumbai

PostPosted: Fri 26 Jun '15 11:13    Post subject: Reply with quote

Hi James,

We have checked with ibm and they told us that, our group reverse proxy is not sending the complete chain and hence we are getting the issue.

We are using the same bundle.ca in our POC environment and group RP as our SSLCertificateChainFile.

Everything is working fine in POC, but not when request is sent to group RP.

Both the apache version in our POC and grp RP are same - 2.2.29

then why the group RP is not sending the correct intermediary certificate.
Back to top
prmjit



Joined: 19 Jun 2014
Posts: 9
Location: India, Mumbai

PostPosted: Fri 26 Jun '15 11:14    Post subject: Reply with quote

There is only one difference our Apache in POC is in windows server and group RP is in Linux.
Back to top


Reply to topic   Topic: Can't Verify Server Identity - Apache 2.2.9 View previous topic :: View next topic
Post new topic   Forum Index -> Apache