[Mod_nss-list] nss.conf for doing maintenance
Cohen, Laurence
lcohen at novetta.com
Mon Aug 31 14:59:17 UTC 2015
Ok, I'll give this a shot. Thank you for your help.
On Mon, Aug 31, 2015 at 10:56 AM, Rob Crittenden <rcritten at redhat.com> wrote:
> Cohen, Laurence wrote:
>
>> Thank you Standa,
>>
>> Option number 2 isn't possible at our site. Would you be able to
>> explain number 1 to me? I'm very green with mod_nss so I don't know how
>> to set this up.
>>
>
> The problem you're seeing is that in proxy mode, mod_nss is acting as a
> client and it doesn't trust or know the issuer of the server certificate it
> is contacting. So you need to get that CA cert (or chain) and add it to the
> mod_nss NSS database.
>
> You can add it ala:
>
> # certutil -A -d /etc/httpd/alias -n <some useful unique nickname> -t CT,, -a -i /path/to/ca.pem
>
> rob
>
>
>> Thanks,
>>
>> Larry C.
>>
>> On Mon, Aug 31, 2015 at 3:14 AM, stokos at suse.de <stokos at suse.de> wrote:
>>
>> On Thu, 27 Aug 2015 14:36:06 -0400
>> "Cohen, Laurence" <lcohen at novetta.com> wrote:
>>
>> Hi Laurence,
>>
>> > Hi,
>> >
>> > I'm trying to set up an nss.conf to use while we are doing maintenance which will point all ssl traffic to a file called maintenance.html which simply states that we are doing maintenance on the server. The rewrite.conf we have set up is working fine for port 80 traffic, but the nss.conf is not working.
>> >
>> > Here are the errors I'm getting. BTW, we are using a self signed cert because this is our test system. I figured this would cause an info or at most a warning message, but not an error message.
>> >
>> > [Thu Aug 27 13:38:00 2015] [info] Connection to child 0 established (server jamie-web1:443, client "Server IP")
>> > [Thu Aug 27 13:38:00 2015] [info] Connection to child 7 established (server jamie-web1:443, client "Server IP")
>> > [Thu Aug 27 13:38:00 2015] [info] SSL input filter read failed.
>> > [Thu Aug 27 13:38:00 2015] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
>> > [Thu Aug 27 13:38:00 2015] [info] Connection to child 7 closed (server jamie-web1.novetta.com:443, client Server IP)
>> > [Thu Aug 27 13:38:00 2015] [info] SSL library error -8172 writing data
>> > [Thu Aug 27 13:38:00 2015] [info] SSL Library Error: -8172 Certificate is signed by an untrusted issuer
>> > [Thu Aug 27 13:38:00 2015] [error] (20014)Internal error: proxy: pass request body failed to 10.3.238.21:443 (jamie-web1)
>> > [Thu Aug 27 13:38:00 2015] [error] proxy: pass request body failed to Server IP:443 (jamie-web1) from Server IP ()
>> > [Thu Aug 27 13:38:00 2015] [info] Connection to child 1 closed (server jamie-web1:443, client "Workstation IP")
>> >
>>
>> I suppose that this problem is with the CA certificate on the remote server:
>>
>> You have two possible solutions:
>>
>> 1. add the CA from the remote server to your certificate database at the PROXY server
>> 2. build mod_nss with a patch from this email
>>
>>
>> PS: I have already worked on a similar problem for our customer.
>>
>> Have a nice day
>>
>> Standa
>>
>> > This is the nss.conf I'm using.
>> >
>> > Listen 443
>> >
>> > AddType application/x-x509-ca-cert .crt
>> > AddType application/x-pkcs7-crl .crl
>> >
>> > NSSPassPhraseDialog file:/etc/httpd/.password.conf
>> > #NSSPassPhraseDialog builtin
>> >
>> > NSSPassPhraseHelper /usr/sbin/nss_pcache
>> >
>> > NSSSessionCacheSize 10000
>> > NSSSessionCacheTimeout 100
>> > NSSSession3CacheTimeout 86400
>> >
>> >
>> > NSSRandomSeed startup builtin
>> >
>> >
>> > <VirtualHost _default_:443>
>> >
>> > DocumentRoot "/var/www/docroot"
>> > NSSProxyCheckPeerCN Off
>> > NSSEngine on
>> > NSSProxyEngine on
>> > NSSEnforceValidCerts off
>> > NSSRenegotiation on
>> > NSSRequireSafeNegotiation on
>> >
>> > NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>> >
>> > NSSProxyCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>> >
>> > NSSProtocol TLSv1
>> > NSSNickname Server-Cert
>> > NSSCertificateDatabase /etc/httpd/alias
>> > NSSFIPS on
>> > NSSOCSP off
>> >
>> > ProxyPreserveHost On
>> >
>> >
>> > <Location />
>> > #SSLRenegBufferSize 52430000
>> > NSSVerifyClient optional
>> > NSSOptions +ExportCertData +StdEnvVars
>> > ProxyPass https://jamie-web1/maintenance.html
>> > ProxyPassReverse https://jamie-web1/maintenance.html
>> > </Location>
>> >
>> > <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>> > NSSOptions +StdEnvVars
>> > </Files>
>> > <Directory "/var/www/cgi-bin">
>> > NSSOptions +StdEnvVars
>> > </Directory>
>> >
>> >
>> > # initialize the SSL headers to a blank value to avoid http header forgeries
>> > RequestHeader set SSL_CLIENT_CERT ""
>> > RequestHeader set SSL_CIPHER ""
>> > RequestHeader set SSL_SESSION_ID ""
>> > RequestHeader set SSL_CIPHER_USEKEYSIZE ""
>> >
>> > RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
>> > RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
>> > RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
>> > RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
>> >
>> > CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_CLIENT_CERT}x %{SSL_CLIENT_S_DN}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>> >
>> >
>> > ErrorLog /etc/httpd/logs/error_log
>> > TransferLog /etc/httpd/logs/access_log
>> > LogLevel info
>> >
>> > </VirtualHost>
>> >
>> > If anyone can help I'd appreciate it.
>> >
>> > Thanks,
>> >
>> > Larry Cohen
>>
>>
>> _______________________________________________
>> Mod_nss-list mailing list
>> Mod_nss-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/mod_nss-list
>>
>>
>>
>>
>> --
>>
>> www.novetta.com
>>
>> Larry Cohen
>>
>> System Administrator
>>
>>
>> 12021 Sunset Hills Road, Suite 400
>>
>> Reston, VA 20190
>>
>> Email lcohen at novetta.com
>>
>> Office 703-885-1064
>>
>>
>>
>>
>
--
Larry Cohen
System Administrator
12021 Sunset Hills Road, Suite 400
Reston, VA 20190
Email lcohen at novetta.com
Office 703-885-1064
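After running Rob's certutil import, the check a practitioner would want is that the CA nickname really carries the C (trusted CA for SSL) flag in the mod_nss database, since an entry with ,, or u,u,u trust would still yield the -8172 "signed by an untrusted issuer" error in proxy mode. This is an added example, not code from the thread; the `backend-ca` nickname and the sample `certutil -L` listing are constructed.

```shell
#!/bin/sh
# Added example: verify that a CA imported with "certutil -A ... -t CT,,"
# is trusted for SSL in the mod_nss NSS database by parsing "certutil -L".
# A listing line looks like:   <nickname>   <SSL,S/MIME,JAR/XPI flags>

# Print the trust-flag column for a nickname from a certutil -L listing on stdin.
trust_flags_for() {
    nick="$1"
    # flags are the last field; everything before it (spaces allowed) is the nickname
    awk -v n="$nick" '
        { flags = $NF; $NF = ""; sub(/[ \t]+$/, ""); if ($0 == n) { print flags; exit } }'
}

# Succeed (exit 0) only if the nickname has the leading "C" (trusted CA) in the SSL slot.
ca_trusted_for_ssl() {
    flags=$(trust_flags_for "$1")
    case "$flags" in
        C*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed sample listing mimicking certutil -L output (not from the thread).
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
backend-ca                                                   CT,,
untrusted-ca                                                 ,,
'

# Check a live database when certutil is available, else fall back to the sample.
# Usage: check_db /etc/httpd/alias backend-ca && echo "CA trusted for SSL"
check_db() {
    db="$1"; nick="$2"
    if command -v certutil >/dev/null 2>&1 && [ -d "$db" ]; then
        certutil -L -d "$db" | ca_trusted_for_ssl "$nick"
    else
        printf '%s\n' "$SAMPLE_LISTING" | ca_trusted_for_ssl "$nick"
    fi
}
```

The u,u,u flags on Server-Cert are normal for the proxy's own key pair; only the issuer of the backend's certificate needs C in the SSL slot.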