[Mod_nss-list] Problem with Apache reverse proxy and mod_nss

Rob Crittenden rcritten at redhat.com
Thu Feb 3 14:09:48 UTC 2011 

Liran ... wrote:
> Hi
> attached 2 configuration files, 1 for httpd.conf and nss.conf
>
> I have a webserver that running on port 9090 that can accept SSL traffic
>
> When I try to reach to this webserver through HTTPS, I see in
> nss_error.log file this errors:
> [Thu Feb 03 11:48:26 2011] [debug] mod_proxy_http.c(56): proxy: HTTP:
> canonicalising URL //192.168.2.100:9090/basics.html
> <http://192.168.2.100:9090/basics.html>
> [Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(1513): [client
> 192.168.1.81] proxy: *: found reverse proxy worker for
> https://192.168.2.100:9090/basics.html
> [Thu Feb 03 11:48:26 2011] [debug] mod_proxy.c(993): Running scheme
> https handler (attempt 0)
> [Thu Feb 03 11:48:26 2011] [debug] mod_proxy_http.c(1940): proxy: HTTP:
> serving URL https://192.168.2.100:9090/basics.html
> [Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(1999): proxy: HTTPS: has
> acquired connection for (*)
> [Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(2055): proxy: connecting
> https://192.168.2.100:9090/basics.html to 192.168.2.100:9090
> <http://192.168.2.100:9090>
> [Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(2153): proxy: connected
> /basics.html to 192.168.2.100:9090 <http://192.168.2.100:9090>
> [Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(2308): proxy: HTTPS: fam
> 2 socket created to connect to *
> [Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(2414): proxy: HTTPS:
> connection complete to 192.168.2.100:9090 <http://192.168.2.100:9090>
> (192.168.2.100)
> [Thu Feb 03 11:48:26 2011] [info] Connection to child 0 established
> (server sssss:443, client 192.168.2.100)
> [*_Thu Feb 03 11:48:26 2011] [info] SSL library error -8181 writing data_*
> *_[Thu Feb 03 11:48:26 2011] [info] SSL Library Error: -8181 Certificate
> has expired_*
> [Thu Feb 03 11:48:26 2011] [error] (20014)Internal error: proxy: pass
> request body failed to 192.168.2.100:9090 <http://192.168.2.100:9090>
> (192.168.2.100)
> [Thu Feb 03 11:48:26 2011] [error] proxy: pass request body failed to
> 192.168.2.100:9090 <http://192.168.2.100:9090> (192.168.2.100) from
> 192.168.1.81 ()
> [Thu Feb 03 11:48:26 2011] [debug] proxy_util.c(2017): proxy: HTTPS: has
> released connection for (*)
> [Thu Feb 03 11:48:26 2011] [debug] nss_engine_io.c(655): SSL connection
> destroyed without being closed
> [Thu Feb 03 11:48:26 2011] [info] Connection to child 0 closed (server
> sssss:443, client 192.168.1.81)
>
> I don't know why the APR thinks that the certificate has expired, it's
> issued @ 2010 and the expiration date is 2016
>
> Your help is needed, Thanks

The Certificate expired error comes from deep with the NSS library.

Is there a reason you have NSSEnforceValidCerts off in nss.conf?

What distro are you running and what version of mod_nss?

thanks

rob

More information about the Mod_nss-list mailing list