proxy:error AH00898: Error during SSL Handshake with remote server

I have a server that acts as a front-end for a cPanel mailserver in a network. The apache proxy on the front-end server ran for 152 days without fault then suddenly I now get 500/502 errors when using it to access the webmail clients of the mailserver.

The front-end server uses a signed SSL cert, the cPanel sever is using a self signed cert. Here is the error log output from the front-end server when it first started happening:

[Tue Sep 10 18:22:52.959291 2013] [proxy:error] [pid 19531] (502)Unknown error 502: [client 173.xx.xx.xx:9558] AH01084: pass request body failed to 184.xx.xx.xx:2096 (184.xx.xx.xx), referer: https://domain.com:2096/cpsess12385596/3rdparty/roundcube/?_task=mail&_refresh=1&_mbox=INBOX

[Tue Sep 10 18:22:52.959469 2013] [proxy:error] [pid 19531] [client 173.xx.xx.xx:9558] AH00898: Error during SSL Handshake with remote server returned by /cpsess12385596/3rdparty/roundcube/, referer: https://domain.com:2096/cpsess12385596/3rdparty/roundcube/?_task=mail&_refresh=1&_mbox=INBOX

The front-end server is an EC2 instance running Apache/2.4.6 (Amazon) My VirtualHost setup for the proxy on this server is as follows:

< VirtualHost *:2096> ServerName domain.com

SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off

SSLCertificateFile /x/x/x/domain.com.crt
SSLCertificateKeyFile /x/x/x/domain.com.key
SSLCACertificateFile /x/x/x/domain.com.cabundle

ProxyPass / https://184.xx.xx.xx:2096/
ProxyPassReverse / https://184.xx.xx.xx:2096/
ProxyPassReverseCookieDomain 184.xx.xx.xx:2096 domain.com
ProxyPassReverseCookiePath / /

SetOutputFilter INFLATE;proxy-html;DEFLATE
ProxyHTMLURLMap https://184.xx.xx.xx:2096 /

< /VirtualHost>

As far as I can think nothing has changed on the front-end server, I didn't do an update or anything, once noticing this problem and fiddling with no success I tried a restart on both servers but it did nothing to fix this.

Any suggestions?


Came across the same issue with Server version: Apache/2.4.6

As per the documentation at [1], "In 2.4.5 and later, SSLProxyCheckPeerCN has been superseded by SSLProxyCheckPeerName, and its setting is only taken into account when SSLProxyCheckPeerName off is specified at the same time."

So adding following entry did the trick:

SSLProxyCheckPeerName off

So my working config looks like...

    ProxyRequests Off

    SSLEngine On
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off

    SSLCertificateFile /x/x/keys/server.crt
    SSLCertificateKeyFile /x/x/keys/server.key

[1] http://httpd.apache.org/docs/2.4/mod/mod_ssl.html


If the backend server uses out-of-date self signed certificate, one more option is needed (if there is no access to the backend server):

SSLProxyCheckPeerExpire off

I'm also getting the same error but in my case, the accepted answer here solved this error: https://stackoverflow.com/questions/47718508/apache-proxypass-https-and-remote-server-with-sni

I added

ProxyAddHeaders off
ProxyPreserveHost off