SSL_CLIENT_CERT_CHAIN not being passed to backend server
I have client certificate configured and working in Apache. I want to pass the PEM-encoded X.509 certificates of the client to the backend server.
I tried with SSLOptions +ExportCertData. This does nothing at all, while the documentation states it should add SSL_SERVER_CERT, SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAIN_n (with n = 0, 1, 2, ...) as headers. Any ideas why this option is not working?
I then tried setting the headers myself using RequestHeader. This works fine for all variables except SSL_CLIENT_CERT_CHAIN. It shows null in the header. Any ideas why the certificate chain is not being filled?
This is my first Apache configuration:
<VirtualHost 192.168.56.100:443>
    ServerName www.test.org
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile /etc/apache2/ssl/certs/www.test.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private/www.test.org.key
    SSLCACertificateFile /etc/apache2/ssl/ca/ca.crt
    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>
    <Location /carbon>
        ProxyPass http://www.test.org:9763/carbon
        ProxyPassReverse http://www.test.org:9763/carbon
    </Location>
    <Location /services/GbTestProxy>
        SSLVerifyClient require
        SSLVerifyDepth 5
        SSLOptions +ExportCertData
        ProxyPass http://www.test.org:8888/services/GbTestProxy
        ProxyPassReverse http://www.test.org:8888/services/GbTestProxy
    </Location>
</VirtualHost>
This is my second Apache configuration:
<VirtualHost 192.168.56.100:443>
    ServerName www.test.org
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile /etc/apache2/ssl/certs/www.test.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private/www.test.org.key
    SSLCACertificateFile /etc/apache2/ssl/ca/ca.crt
    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>
    <Location /carbon>
        ProxyPass http://www.test.org:9763/carbon
        ProxyPassReverse http://www.test.org:9763/carbon
    </Location>
    <Location /services/GbTestProxy>
        SSLVerifyClient require
        SSLVerifyDepth 5
        SSLOptions +ExportCertData
        # Copy mod_ssl variables into request headers for the backend.
        # %{VAR}s reads the mod_ssl variable directly (mod_headers).
        RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
        RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
        # The client CN must come from the client DN, not the server DN.
        RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
        RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
        RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
        RequestHeader set SSL_CLIENT_CERT_CHAIN_0 "%{SSL_CLIENT_CERT_CHAIN_0}s"
        RequestHeader set SSL_CLIENT_CERT_CHAIN_1 "%{SSL_CLIENT_CERT_CHAIN_1}s"
        RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
        ProxyPass http://www.test.org:8888/services/GbTestProxy
        ProxyPassReverse http://www.test.org:8888/services/GbTestProxy
    </Location>
</VirtualHost>
Hope someone can help.
Regards, nidkil
This is an old question, but I'll answer it in case someone else stumbles upon it like I did.
The issuer certificate is actually at position 0 in the chain from Apache, not 1. To get the issuer certificate you want:
    RequestHeader set SSL_CLIENT_CERT_CHAIN_0 "%{SSL_CLIENT_CERT_CHAIN_0}s"
SSLOptions +ExportCertData doesn't add headers to a proxied request, it adds environment variables -- the environment variables that you're trying to add to the headers in your second config (but they aren't in the environment then, since you dropped the SSLOptions config).
You'll need both the RequestHeader set config as well as SSLOptions +ExportCertData.
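As an added example (not from the question or either answer), here is backend-side handling of the headers the second configuration forwards once both SSLOptions +ExportCertData and the RequestHeader directives are in place: it rebuilds each PEM from its header value (mod_headers folds a multi-line value's line breaks into spaces), reads the chain starting at SSL_CLIENT_CERT_CHAIN_0 as the first answer describes, treats the "(null)" placeholder and a non-SUCCESS SSL_CLIENT_VERIFY as no client certificate, and only trusts the headers when the request came through the proxy. The header dictionary, the placeholder certificate bodies and the from_trusted_proxy flag are constructed assumptions, not values from the page.

```python
import ssl
from typing import Dict, List, Optional, Tuple

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed sample: headers a backend might receive after the proxy applied
# the RequestHeader directives. The base64 bodies are placeholders, not real
# X.509 data, so this runs offline; the PEM line breaks have been folded into
# spaces, as mod_headers does when it inserts a multi-line variable.
SAMPLE_HEADERS = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/O=Example/CN=client1",
    "SSL_CLIENT_CERT": f"{PEM_HEADER} AAEC AwQF {PEM_FOOTER}",
    "SSL_CLIENT_CERT_CHAIN_0": f"{PEM_HEADER} BgcI {PEM_FOOTER}",  # leaf's issuer
    "SSL_CLIENT_CERT_CHAIN_1": f"{PEM_HEADER} CQoL {PEM_FOOTER}",  # next issuer up
}


def unfold_pem(value: str) -> str:
    """Rebuild a multi-line PEM from a header value (no-op if breaks survived)."""
    value = value.strip()
    if not (value.startswith(PEM_HEADER) and value.endswith(PEM_FOOTER)):
        raise ValueError("header value is not a PEM certificate")
    chunks = value[len(PEM_HEADER):-len(PEM_FOOTER)].split()  # base64 pieces
    return "\n".join([PEM_HEADER, *chunks, PEM_FOOTER]) + "\n"


def cert_der(pem: str) -> bytes:
    """PEM -> DER: the stdlib strips the armour and base64-decodes (no parsing)."""
    return ssl.PEM_cert_to_DER_cert(pem)


def client_chain(headers: Dict[str, str],
                 from_trusted_proxy: bool) -> Optional[Tuple[bytes, List[bytes]]]:
    """Return (leaf DER, chain DERs with CHAIN_0 first), or None if untrusted."""
    # Only the reverse proxy may assert these headers; the caller derives
    # from_trusted_proxy from the peer address or a proxy-only listener (assumed).
    if not from_trusted_proxy or headers.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    leaf = headers.get("SSL_CLIENT_CERT", "(null)")
    if leaf == "(null)":  # mod_headers writes "(null)" for an unset variable
        return None
    chain, i = [], 0
    while f"SSL_CLIENT_CERT_CHAIN_{i}" in headers:  # Apache numbers from 0
        chain.append(cert_der(unfold_pem(headers[f"SSL_CLIENT_CERT_CHAIN_{i}"])))
        i += 1
    return cert_der(unfold_pem(leaf)), chain
```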