<div dir="ltr"><div><div><div><div><div><div>Hi, </div>I'm trying to set up an nss.conf to use while we are doing maintenance which will point all ssl traffic to a file called maintenance.html which simply states that we are doing maintenance on the server. The rewrite.conf we have set up is working fine for port 80 traffic, but the nss.conf is not working. </div>Here are the errors I'm getting. BTW, we are using a self signed cert because this is our test system. I figured this would cause an info or at most a warning message, but not an error message. [Thu Aug 27 13:38:00 2015] [info] Connection to child 0 established (server jamie-web1:443, client "Server IP") [Thu Aug 27 13:38:00 2015] [info] Connection to child 7 established (server jamie-web1:443, client "Server IP") [Thu Aug 27 13:38:00 2015] [info] SSL input filter read failed. [Thu Aug 27 13:38:00 2015] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate [Thu Aug 27 13:38:00 2015] [info] Connection to child 7 closed (server <a href="http://jamie-web1.novetta.com:443">jamie-web1.novetta.com:443</a>, client Server IP) [Thu Aug 27 13:38:00 2015] [info] SSL library error -8172 writing data [Thu Aug 27 13:38:00 2015] [info] SSL Library Error: -8172 Certificate is signed by an untrusted issuer [Thu Aug 27 13:38:00 2015] [error] (20014)Internal error: proxy: pass request body failed to <a href="http://10.3.238.21:443">10.3.238.21:443</a> (jamie-web1) [Thu Aug 27 13:38:00 2015] [error] proxy: pass request body failed to Server IP:443 (jamie-web1) from Server IP () [Thu Aug 27 13:38:00 2015] [info] Connection to child 1 closed (server jamie-web1:443, client "Workstation IP") </div>This is the nss.conf I'm using. Listen 443 AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl NSSPassPhraseDialog file:/etc/httpd/.password.conf #NSSPassPhraseDialog builtin NSSPassPhraseHelper /usr/sbin/nss_pcache NSSSessionCacheSize 10000 NSSSessionCacheTimeout 100 NSSSession3CacheTimeout 86400 NSSRandomSeed startup builtin <VirtualHost _default_:443> DocumentRoot "/var/www/docroot" NSSProxyCheckPeerCN Off NSSEngine on NSSProxyEngine on NSSEnforceValidCerts off NSSRenegotiation on NSSRequireSafeNegotiation on NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha NSSProxyCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha NSSProtocol TLSv1 NSSNickname Server-Cert NSSCertificateDatabase /etc/httpd/alias NSSFIPS on NSSOCSP off ProxyPreserveHost On <Location /> #SSLRenegBufferSize 52430000 NSSVerifyClient optional NSSOptions +ExportCertData +StdEnvVars ProxyPass <a href="https://jamie-web1/maintenance.html">https://jamie-web1/maintenance.html</a> ProxyPassReverse <a href="https://jamie-web1/maintenance.html">https://jamie-web1/maintenance.html</a> </Location> <Files ~ "\.(cgi|shtml|phtml|php3?)$"> NSSOptions +StdEnvVars </Files> <Directory "/var/www/cgi-bin"> NSSOptions +StdEnvVars </Directory> # initialize the SSL headers to a blank value to avoid http header forgeries RequestHeader set SSL_CLIENT_CERT "" RequestHeader set SSL_CIPHER "" RequestHeader set SSL_SESSION_ID "" RequestHeader set SSL_CIPHER_USEKEYSIZE "" RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s" RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s" RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s" CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_CLIENT_CERT}x %{SSL_CLIENT_S_DN}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" ErrorLog /etc/httpd/logs/error_log TransferLog /etc/httpd/logs/access_log LogLevel info </VirtualHost> </div>If anyone can help I'd appreciate it. </div>Thanks, </div>Larry Cohen </div>