Isuru Gunawardana

Reputation: 2887

WSO2 ESB with Apache Load Balancer : Cert does not match for name

I have set up two ESB servers (clustered) in different AWS instances, and I'm using Apache LB to do the load balancing part. I can't specify the IP of the other instance (or even the same instance) as it gives the following security issue, which can be found in the Apache error.log. But I can use localhost instead of the IP (for the same server) and it works. My Apache config is below the error log. I think I need to add a certificate to the ESB's client store. If so, please guide me how to do that (I tried specifying the IP as CN but no luck). Or else what am I doing wrong here?

[Tue Oct 06 15:55:52.803633 2015] [proxy:debug] [pid 16827:tid 140445371795200] proxy_util.c(2610): AH00962: HTTPS: connection complete to 172.31.25.41:9443 (172.31.25.41)
[Tue Oct 06 15:55:52.803645 2015] [ssl:info] [pid 16827:tid 140445371795200] [remote 172.31.25.41:9443] AH01964: Connection to child 0 established (server esb.wso2.com:443)
[Tue Oct 06 15:55:52.824988 2015] [ssl:debug] [pid 16827:tid 140445371795200] ssl_engine_kernel.c(1381): [remote 172.31.25.41:9443] AH02275: Certificate Verification, depth 0, CRL checking mode: none [subject: CN=localhost,O=WSO2,L=Mountain View,ST=CA,C=US / issuer: CN=localhost,O=WSO2,L=Mountain View,ST=CA,C=US / serial: 4B7E3782 / notbefore: Feb 19 07:02:26 2010 GMT / notafter: Feb 13 07:02:26 2035 GMT]
[Tue Oct 06 15:55:52.825028 2015] [ssl:debug] [pid 16827:tid 140445371795200] ssl_engine_kernel.c(1381): [remote 172.31.25.41:9443] AH02275: Certificate Verification, depth 0, CRL checking mode: none [subject: CN=localhost,O=WSO2,L=Mountain View,ST=CA,C=US / issuer: CN=localhost,O=WSO2,L=Mountain View,ST=CA,C=US / serial: 4B7E3782 / notbefore: Feb 19 07:02:26 2010 GMT / notafter: Feb 13 07:02:26 2035 GMT]
[Tue Oct 06 15:55:52.846640 2015] [ssl:debug] [pid 16827:tid 140445371795200] ssl_engine_kernel.c(1844): [remote 172.31.25.41:9443] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-DES-CBC3-SHA (168/168 bits)
[Tue Oct 06 15:55:52.846678 2015] [ssl:debug] [pid 16827:tid 140445371795200] ssl_util_ssl.c(407): AH02412: [esb.wso2.com:443] Cert does not match for name '172.31.25.41' [subject: CN=localhost,O=WSO2,L=Mountain View,ST=CA,C=US / issuer: CN=localhost,O=WSO2,L=Mountain View,ST=CA,C=US / serial: 4B7E3782 / notbefore: Feb 19 07:02:26 2010 GMT / notafter: Feb 13 07:02:26 2035 GMT]
[Tue Oct 06 15:55:52.846684 2015] [ssl:info] [pid 16827:tid 140445371795200] [remote 172.31.25.41:9443] AH02411: SSL Proxy: Peer certificate does not match for hostname 172.31.25.41
[Tue Oct 06 15:55:52.846697 2015] [ssl:info] [pid 16827:tid 140445371795200] [remote 172.31.25.41:9443] AH01998: Connection closed to child 0 with abortive shutdown (server esb.wso2.com:443)
[Tue Oct 06 15:55:52.846716 2015] [proxy:error] [pid 16827:tid 140445371795200] (502)Unknown error 502: [client 123.231.123.216:42158] AH01084: pass request body failed to 172.31.25.41:9443 (172.31.25.41)
[Tue Oct 06 15:55:52.846730 2015] [proxy:error] [pid 16827:tid 140445371795200] [client 123.231.123.216:42158] AH00898: Error during SSL Handshake with remote server returned by /
[Tue Oct 06 15:55:52.846733 2015] [proxy_http:error] [pid 16827:tid 140445371795200] [client 123.231.123.216:42158] AH01097: pass request body failed to 172.31.25.41:9443 (172.31.25.41) from 123.231.123.216 ()
[Tue Oct 06 15:55:52.846736 2015] [proxy:debug] [pid 16827:tid 140445371795200] proxy_util.c(2035): AH00943: HTTPS: has released connection for (172.31.25.41)
[Tue Oct 06 15:55:52.846759 2015] [proxy_balancer:debug] [pid 16827:tid 140445371795200] mod_proxy_balancer.c(668): [client 123.231.123.216:42158] AH01176: proxy_balancer_post_request for (balancer://ssl.wso2.esb.com)

Apache config:

<VirtualHost *:443>
 ServerName mgt.esb.wso2.com
 ProxyRequests off
 LogLevel debug
 # I can use localhost here and it works
 ProxyPass / https://<pvt_ip>:9443/carbon/
 ProxyPassReverse / https://<pvt_ip>:9443/carbon/
 SSLEngine On
 SSLCertificateFile /etc/apache2/ssl/mgt.crt
 SSLCertificateKeyFile /etc/apache2/ssl/mgt.key
 SSLProxyEngine On
 SSLProxyVerify none
 SSLProxyCheckPeerCN off
 SSLProxyCheckPeerName off
 SSLProxyCheckPeerExpire off
</VirtualHost>

Upvotes: 0

Views: 1146

Answers (1)

Isuru Gunawardana

Reputation: 2887

 SSLProxyCheckPeerCN off
 SSLProxyCheckPeerName off
 SSLProxyCheckPeerExpire off

I added the above configs to the Apache config file and could resolve the issue, but what it does is stop comparing the CN, PeerName or expiration.

Upvotes: 0
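The log line `Cert does not match for name '172.31.25.41'` is a hostname-verification failure, and the accepted workaround above simply switches that verification off (together with `SSLProxyVerify none`, Apache then no longer authenticates the backend at all). The following added example, which is not code from the question, the answer or Apache mod_ssl, shows why the certificate in the log fails for an IP target but passes for `localhost`, and what a replacement certificate needs to carry. It implements the standard RFC 2818 / RFC 6125 matching rules (an IP-literal target matches only an iPAddress SAN; a DNS target matches a dNSName SAN, with the subject CN consulted only when no dNSName SAN exists) rather than mod_ssl's exact code. The `LOGGED_CERT` object is built from the subject printed in the question's log; the SAN-less shape and the `esb-node1.internal` name in `FIXED_CERT` are assumptions, not values from the page.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class PeerCert:
    """The identity fields a TLS client consults when checking a server certificate."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)   # subjectAltName dNSName entries
    san_ip: List[str] = field(default_factory=list)    # subjectAltName iPAddress entries


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName comparison; a single '*' is accepted only as the
    whole left-most label and never for a name with fewer than three labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert: PeerCert, target: str) -> Tuple[bool, str]:
    """Return (matched, reason) for a proxy target under RFC 2818 / RFC 6125 rules:
    an IP-literal target matches only an iPAddress SAN; a DNS target matches a
    dNSName SAN, or the subject CN only when the certificate has no dNSName SAN."""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None

    if target_ip is not None:
        for entry in cert.san_ip:
            if ipaddress.ip_address(entry) == target_ip:
                return True, f"iPAddress SAN {entry} matches {target}"
        return False, (f"no iPAddress SAN equals {target}; the subject CN "
                       f"'{cert.subject_cn}' is not consulted for an IP-literal target")

    if cert.san_dns:
        for entry in cert.san_dns:
            if _dns_match(entry, target):
                return True, f"dNSName SAN {entry} matches {target}"
        return False, f"certificate has dNSName SANs but none matches {target}"

    if _dns_match(cert.subject_cn, target):
        return True, f"subject CN {cert.subject_cn} matches {target} (no SAN present)"
    return False, f"subject CN {cert.subject_cn} does not match {target}"


# Constructed from the subject shown in the question's log line. The log prints no
# subjectAltName, so the default certificate is modelled here (an assumption) as SAN-less.
LOGGED_CERT = PeerCert(subject_cn="localhost")

# Hypothetical replacement certificate: same CN, but the node's private IP and an
# internal DNS name (assumed name, not from the page) in the subjectAltName extension.
FIXED_CERT = PeerCert(subject_cn="localhost",
                      san_dns=["esb-node1.internal"],
                      san_ip=["172.31.25.41"])


if __name__ == "__main__":
    for cert_name, cert in (("logged cert", LOGGED_CERT), ("fixed cert", FIXED_CERT)):
        for target in ("172.31.25.41", "localhost", "esb-node1.internal"):
            ok, why = match_hostname(cert, target)
            print(f"{cert_name:11} -> {target:20} {'OK  ' if ok else 'FAIL'} ({why})")
```

Two things the run makes visible: the logged certificate can never satisfy an IP-literal `ProxyPass` target, because an IP is compared against iPAddress SANs and not against `CN=localhost`, and once a certificate carries any dNSName SAN the CN stops being consulted, so `FIXED_CERT` no longer matches `localhost`. For the setup on the page, the verifying alternative to the answer's workaround is to issue the ESB node a certificate whose subjectAltName lists the private IP (keytool accepts this at key generation with `-ext SAN=ip:172.31.25.41`, optionally alongside a `dns:` entry), export that certificate, point Apache at it with `SSLProxyCACertificateFile`, and keep `SSLProxyVerify require` and the `SSLProxyCheckPeer*` directives enabled.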
