LinuxQuestions.org
Old 01-16-2016, 11:09 PM   #1
Treikayan
Member
 
Registered: Oct 2008
Location: Albany Park, Chicago IL
Distribution: RHEL 5.1 i386
Posts: 75

Rep: Reputation: 15
Need help setting up SSL Cert on a Reverse Proxy


Hello,

I am currently trying to add a new CERT to a Reverse Proxy. Currently the Reverse proxy is working and servicing all http requests. I am having a problem using the Reverse Proxy with my Exchange 2010 environment.

Please can someone assist me with creating a cert, providing a decent CA to sign the cert -- unless I can use my Domain Controller CA to do that. If so, I have Cert Server set up on Server 2008 R2 Standard.

Linux Version: Linux reverseproxy.domain.local 2.6.32-431.3.1.el6.x86_64 #1 SMP Fri Jan 3 21:39:27 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

All http requests work properly. Here is the config to the virtual host that does not work and services https/ssl.

Quote:
<VirtualHost 172.17.10.13:443>
ServerName webmail.domain.net:443
ErrorLog /var/log/httpd/domain.net/cas2010error.log
CustomLog /var/log/httpd/domain.net/cas2010.log combined
# SSLEngine On
# SSLProxyVerify none
# SSLProxyEngine On
# SSLProxyCheckPeerCN Off
# SSLProxyCheckPeerExpire On
# SSLCertificateFile /etc/pki/tls/certs/webmail.domain.net.crt
# SSLCertificateKeyFile /etc/pki/tls/private/webmail.domain.net.key
<Location />
ProxyPass https://cashost.domain.local/owa/
ProxyPassReverse https://cashost.domain.local/owa/
SSLRequireSSL
</Location>
</VirtualHost>
I commented out all the SSL stuff on my server because I could not get httpd to restart without failing.

I used this page to help me create a cert.
[https://www.centos.org/docs/5/html/D...e-server.html]

Please can someone give me some guidance. BTW, the Exchange 2010 server has a valid certificate. I created it using my local CA on the Domain Controller.
 
Old 01-17-2016, 12:57 AM   #2
Treikayan
Member
 
Registered: Oct 2008
Location: Albany Park, Chicago IL
Distribution: RHEL 5.1 i386
Posts: 75

Original Poster
Rep: Reputation: 15
Apache Modules on reverseproxy

Code:
[root@reverseproxy certs]# httpd -M
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_file_module (shared)
 authn_alias_module (shared)
 authn_anon_module (shared)
 authn_dbm_module (shared)
 authn_default_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 authz_owner_module (shared)
 authz_groupfile_module (shared)
 authz_dbm_module (shared)
 authz_default_module (shared)
 ldap_module (shared)
 authnz_ldap_module (shared)
 include_module (shared)
 log_config_module (shared)
 logio_module (shared)
 env_module (shared)
 ext_filter_module (shared)
 mime_magic_module (shared)
 expires_module (shared)
 deflate_module (shared)
 headers_module (shared)
 usertrack_module (shared)
 setenvif_module (shared)
 mime_module (shared)
 dav_module (shared)
 status_module (shared)
 autoindex_module (shared)
 info_module (shared)
 dav_fs_module (shared)
 vhost_alias_module (shared)
 negotiation_module (shared)
 dir_module (shared)
 actions_module (shared)
 speling_module (shared)
 userdir_module (shared)
 alias_module (shared)
 substitute_module (shared)
 rewrite_module (shared)
 proxy_module (shared)
 proxy_balancer_module (shared)
 proxy_ftp_module (shared)
 proxy_http_module (shared)
 proxy_ajp_module (shared)
 proxy_connect_module (shared)
 cache_module (shared)
 suexec_module (shared)
 disk_cache_module (shared)
 cgi_module (shared)
 version_module (shared)
 proxy_html_module (shared)
 xml2enc_module (shared)
 ssl_module (shared)
 perl_module (shared)
 php5_module (shared)
 
Old 01-17-2016, 02:12 AM   #3
Treikayan
Member
 
Registered: Oct 2008
Location: Albany Park, Chicago IL
Distribution: RHEL 5.1 i386
Posts: 75

Original Poster
Rep: Reputation: 15
Here is an OpenSSL connection example if this will help more.

Code:
[root@emissary certs]# openssl s_client -connect 172.17.10.13:443 -showcerts
CONNECTED(00000003)
depth=0 C = US, ST = Illinois, L = Chicago, O = Systems Aboot, OU = Oakbrook 17-102, CN = webmail.shekinya.net
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Illinois, L = Chicago, O = Systems Aboot, OU = Oakbrook 17-102, CN = webmail.shekinya.net
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Illinois/L=Chicago/O=Systems Aboot/OU=Oakbrook 17-102/CN=webmail.shekinya.net
   i:/C=US/ST=Illinois/L=Chicago/O=Systems Aboot/OU=Oakbrook 17-102/CN=webmail.shekinya.net
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Illinois/L=Chicago/O=Systems Aboot/OU=Oakbrook 17-102/CN=webmail.shekinya.net
issuer=/C=US/ST=Illinois/L=Chicago/O=Systems Aboot/OU=Oakbrook 17-102/CN=webmail.shekinya.net
---
No client certificate CA names sent
---
SSL handshake has read 1782 bytes and written 453 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: D2EE7A47066D5A59C517E13B72DDFC21490A722DDA4888863AA30CAF54AA3E2E
    Session-ID-ctx:
    Master-Key: 0A668BF11D5DB5B5B18625F371EA806F26C63C81B08164FB4CF6BE1A8C4DD6670B8C6B5C8CCA3E6B9CEA053E0E5D3786
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 71 05 b0 ca 87 55 8b fa-01 80 38 a7 8c bc 75 62   q....U....8...ub
    0010 - 53 f1 f6 18 57 f6 d1 e4-49 d2 8e 57 13 09 79 73   S...W...I..W..ys
    0020 - d6 68 24 c1 b1 b7 c2 22-d2 b5 87 4e 46 89 8a 6c   .h$...."...NF..l
    0030 - 2d 5b 79 2d a6 62 da c5-bc 17 34 54 7d 9c 2d 5e   -[y-.b....4T}.-^
    0040 - 70 63 76 ec b4 2b 66 d6-f6 42 bb a9 75 91 9e 61   pcv..+f..B..u..a
    0050 - 07 d3 d3 f5 b8 3e 4b 5d-db 72 81 de e5 9d 0b 60   .....>K].r.....`
    0060 - 30 4b 08 39 67 a4 8e 3a-19 a6 b7 6b f7 d7 35 13   0K.9g..:...k..5.
    0070 - 54 f6 72 61 c8 61 69 00-b5 dd 40 ba 00 84 d3 9b   T.ra.ai...@.....
    0080 - 57 63 3d 61 05 8d ff 00-ef a7 c9 16 07 0f 67 6f   Wc=a..........go
    0090 - ce 12 48 15 38 9f b1 97-88 fb 6b 88 90 58 d2 d4   ..H.8.....k..X..
    00a0 - ee 6f 3e 39 de de 20 f2-f6 f3 0f c9 83 78 ac 30   .o>9.. ......x.0
    00b0 - 58 1d 61 35 4b a1 96 d4-69 0e 3c a1 2c 20 d6 57   X.a5K...i.<., .W

    Start Time: 1453018075
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
:q
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
 root@localhost and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at webmail.shekinya.net Port 443</address>
</body></html>
closed
[root@emissary certs]# openssl s_client -connect 172.17.10.13:443 -showcerts
CONNECTED(00000003)
depth=0 C = US, ST = Illinois, L = Chicago, O = Systems Aboot, OU = Oakbrook 17-102, CN = webmail.shekinya.net
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Illinois, L = Chicago, O = Systems Aboot, OU = Oakbrook 17-102, CN = webmail.shekinya.net
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Illinois/L=Chicago/O=Systems Aboot/OU=Oakbrook 17-102/CN=webmail.shekinya.net
   i:/C=US/ST=Illinois/L=Chicago/O=Systems Aboot/OU=Oakbrook 17-102/CN=webmail.shekinya.net
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Illinois/L=Chicago/O=Systems Aboot/OU=Oakbrook 17-102/CN=webmail.shekinya.net
issuer=/C=US/ST=Illinois/L=Chicago/O=Systems Aboot/OU=Oakbrook 17-102/CN=webmail.shekinya.net
---
No client certificate CA names sent
---
SSL handshake has read 1782 bytes and written 453 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: D94D828A118B3ACAFA4FD5DA202CD4DDABCCB6BF386F8BCD46BB6F949FCAB42F
    Session-ID-ctx:
    Master-Key: DE4E4528C428BD12F16CC46DF211D630BF447A7F916C1FEA0482E740153B0FC4F7E5ED775CFC999A8970E65ECF9D0FA1
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 71 05 b0 ca 87 55 8b fa-01 80 38 a7 8c bc 75 62   q....U....8...ub
    0010 - 17 c5 6e b0 30 02 98 f7-4c 0f 16 81 8d 45 03 62   ..n.0...L....E.b
    0020 - 38 70 87 b9 b8 5a 2f ae-8b d7 ed 21 c3 97 18 ad   8p...Z/....!....
    0030 - 49 fb fa d3 32 01 54 d4-7c 9a 69 c0 c3 0c 0c ae   I...2.T.|.i.....
    0040 - b9 45 58 7b c5 99 3a c3-4c 34 a4 76 e8 ff 18 bb   .EX{..:.L4.v....
    0050 - 22 11 51 ac 2d fa 44 16-bf 83 1b e7 52 ab 77 6f   ".Q.-.D.....R.wo
    0060 - 78 71 f2 b4 3e 68 80 b6-9c 12 d3 8e cc 1c 3d 9b   xq..>h........=.
    0070 - b4 04 6a 95 ff 8a 6f bb-55 38 ed 7e 55 96 db 35   ..j...o.U8.~U..5
    0080 - 52 c2 c2 f6 76 ab c5 53-45 14 27 84 03 9a 67 e1   R...v..SE.'...g.
    0090 - 4c 6f a6 be 9f 03 a6 13-66 ec b4 50 f1 52 7e d2   Lo......f..P.R~.
    00a0 - bf e4 26 ec 4d 04 e2 ae-d9 4a ec a5 53 30 9e 30   ..&.M....J..S0.0
    00b0 - 25 49 3b 77 f6 38 c9 ee-f4 41 b7 1f c6 47 b7 52   %I;w.8...A...G.R

    Start Time: 1453018106
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
:q!
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
 root@localhost and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at webmail.shekinya.net Port 443</address>
</body></html>
closed
 
Old 01-17-2016, 05:58 AM   #4
eylli
LQ Newbie
 
Registered: Jun 2008
Posts: 17

Rep: Reputation: 2
Need help setting up SSL Cert on a Reverse Proxy

You have to trust the Exchange certificate on your reverse proxy. For security purposes, just let some URLs like exchangeserver/owa open from the reverse proxy, not ecp.
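Putting the first post's vhost and this reply together: the vhost needs its TLS directives back (SSLEngine, certificate and key), it needs SSLProxyEngine plus a CA file so that the CAS certificate issued by the Domain Controller CA is actually trusted, and only /owa/ should be mapped. The script below is an added example, not code from the thread or from the Apache project. It renders such a vhost, checks that the certificate and key belong together and that the certificate has not expired, and then runs the usual syntax test. Hostnames, log paths and the cert/key paths are the ones from the thread; `internal-ca.pem` (the exported DC CA certificate in PEM form) and `webmail-ssl.conf` are assumed file names.

```shell
#!/bin/sh
# Added example (not from the thread): render the corrected HTTPS vhost,
# sanity-check the cert/key pair, then test the httpd config.
# Hostnames and cert/key paths are the thread's; CA_PEM and CONF are assumed.
set -eu

CRT=/etc/pki/tls/certs/webmail.domain.net.crt
KEY=/etc/pki/tls/private/webmail.domain.net.key
CA_PEM=/etc/pki/tls/certs/internal-ca.pem   # assumed: DC CA certificate, PEM
CONF=/etc/httpd/conf.d/webmail-ssl.conf     # assumed: where the vhost is written

# Print the corrected VirtualHost. Apache does not allow comments on the same
# line as a directive, so every comment sits on its own line.
render_vhost() {
cat <<EOF
<VirtualHost 172.17.10.13:443>
    ServerName webmail.domain.net:443
    ErrorLog  /var/log/httpd/domain.net/cas2010error.log
    CustomLog /var/log/httpd/domain.net/cas2010.log combined

    # Terminate TLS from browsers on this vhost
    SSLEngine on
    SSLCertificateFile    $CRT
    SSLCertificateKeyFile $KEY

    # Speak TLS to the CAS and accept only certificates issued by the internal CA;
    # the CAS certificate CN must match cashost.domain.local for CheckPeerCN
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile $CA_PEM
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerExpire on

    # Publish OWA only; /ecp and everything else is simply not mapped
    ProxyRequests Off
    ProxyPass        /owa/ https://cashost.domain.local/owa/
    ProxyPassReverse /owa/ https://cashost.domain.local/owa/
    RedirectMatch ^/\$ /owa/
</VirtualHost>
EOF
}

# The key must be the one the certificate was issued for (RSA, as in the thread).
cert_key_match() {  # $1=cert file  $2=key file
    c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    k=$(openssl rsa  -noout -modulus -in "$2" | openssl md5)
    [ "$c" = "$k" ]
}

deploy() {
    cert_key_match "$CRT" "$KEY" || { echo "$KEY does not match $CRT" >&2; return 1; }
    openssl x509 -noout -checkend 0 -in "$CRT" >/dev/null \
        || { echo "$CRT has already expired" >&2; return 1; }
    [ -r "$CA_PEM" ] || { echo "export the DC CA certificate to $CA_PEM first" >&2; return 1; }
    render_vhost > "$CONF"
    apachectl -t && service httpd reload
}

# Usage: sh deploy-vhost.sh deploy   (without an argument it only defines functions)
case "${1:-}" in deploy) deploy ;; esac
```

The CA file is the certificate of the Domain Controller CA itself, not the Exchange server certificate: export it on the CA (for example with `certutil -ca.cert`) and, if it comes out DER-encoded, convert it with `openssl x509 -inform DER -in ca.cer -out internal-ca.pem`. With `SSLProxyVerify require` in place, httpd refuses to forward to a CAS whose certificate does not chain to that CA, which is the "trust the Exchange certificate" step done explicitly instead of by switching verification off.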
 
Old 01-17-2016, 06:52 AM   #5
Treikayan
Member
 
Registered: Oct 2008
Location: Albany Park, Chicago IL
Distribution: RHEL 5.1 i386
Posts: 75

Original Poster
Rep: Reputation: 15
Thank you for that reply. Do you know how to do that? One thing I ended up doing on my Exchange Server was turn FBA off.

Plus one thing I keep seeing is that whenever I put the webmail link in, it keeps loading an expired cert in the browser (not the new one I created and referenced in my virtual host). How can I fix that?

Code:
[root@reverseproxy ~]# apachectl -t
Syntax OK
[root@emissary ~]#
Code:
[root@emissary conf.d]# curl -v https://webmail.shekinya.net
* About to connect() to webmail.shekinya.net port 443 (#0)
*   Trying 24.12.253.252... connected
* Connected to webmail.shekinya.net (24.12.253.252) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Remote Certificate has expired.
* NSS error -8181
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
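An expired certificate turning up in the browser while the vhost references a freshly created one means the certificate httpd hands out is not the file the vhost points at, so the first thing to establish is which certificate is actually served for that name. The script below is an added example, not part of the thread: it fetches the certificate from the proxy address with the browser's SNI name, compares its SHA-256 fingerprint with the fingerprint of the referenced file, and checks the file's own expiry. Host, address and certificate path are the thread's; the interpretation printed on a mismatch is a hint to look at the other vhosts sharing the address and port.

```shell
#!/bin/sh
# Added example (not from the thread): is the certificate served on 443 the
# one the vhost references, and is that file still valid?
set -eu

HOST=webmail.domain.net            # name browsers send in SNI
IP=172.17.10.13                    # address the vhost listens on
CRT=/etc/pki/tls/certs/webmail.domain.net.crt

# SHA-256 fingerprint of a PEM certificate file
file_fingerprint() {  # $1=cert file
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# SHA-256 fingerprint of the certificate returned on ip:port for an SNI name
served_fingerprint() {  # $1=ip $2=port $3=sni name
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Exit status 0 if the file's certificate is valid right now, 1 if it has expired
cert_unexpired() {  # $1=cert file
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

diagnose() {
    want=$(file_fingerprint "$CRT")
    got=$(served_fingerprint "$IP" 443 "$HOST") \
        || { echo "no certificate returned from $IP:443 (is SSLEngine on in that vhost?)" >&2; return 1; }
    echo "referenced: $want  ($(openssl x509 -noout -enddate -in "$CRT"))"
    echo "served:     $got"
    if [ "$want" != "$got" ]; then
        echo "A different VirtualHost answers for $HOST on $IP:443; 'httpd -S' lists" >&2
        echo "the vhosts sharing that address, and the intended one needs its SSL directives." >&2
        return 1
    fi
    cert_unexpired "$CRT" || { echo "$CRT itself has expired; issue a new one" >&2; return 1; }
    echo "OK: browsers receive $CRT and it is still valid"
}

# Usage: sh which-cert.sh diagnose   (without an argument it only defines functions)
case "${1:-}" in diagnose) diagnose ;; esac
```

Using `-servername` matters: curl and browsers send SNI, so a check without it may show a different vhost's certificate than the one users see.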