Description of problem: After upgrading from httpd-2.4.29-1.fc27.x86_64 to the latest httpd-2.4.33-2.fc27.x86_64, the reverse proxy has stopped working and I get these error logs:
[Wed Apr 11 23:20:23.596423 2018] [core:notice] [pid 7:tid 140093022845184] AH00094: Command line: 'httpd -d /etc/httpd/ -e info -D FOREGROUND'
[Wed Apr 11 23:20:28.215140 2018] [proxy:error] [pid 12:tid 140092236625664] AH00961: HTTPS: failed to enable ssl support for 172.23.0.3:8443 (dogtag-10-5-6.dogtag-nw)
[Wed Apr 11 23:20:28.546692 2018] [proxy:error] [pid 12:tid 140092323849984] AH00961: HTTPS: failed to enable ssl support for 172.23.0.3:8443 (dogtag-10-5-6.dogtag-nw)
Virtual host configuration:
<VirtualHost *:443>
    ServerName dogtag2.bit.space
    NSSEngine on
    <Proxy *>
        Require all granted
    </Proxy>
    NSSProxyEngine on
    NSSNickname dogtag2.bit.space
    <Location / >
        ProxyPass https://dogtag-10-5-6.dogtag-nw:8443/
        ProxyPassReverse https://dogtag-10-5-6.dogtag-nw:8443/
    </Location>
</VirtualHost>
Version-Release number of selected component (if applicable): 2.4.33-2
How reproducible: 100%
Steps to Reproduce:
1. Install version 2.4.29
2. Install mod_nss
3. Create and save certificate/key in nssdb
4. Configure reverse proxy
5. Test to see that everything works
6. Upgrade to 2.4.33
7. Boom. No reverse proxy and error messages in log.
Actual results: HTTP 500 Internal Server Error
Expected results: Working reverse proxy to internal https site.
Additional info: After opening a bug report (https://bugzilla.redhat.com/show_bug.cgi?id=1566511) we concluded that an interface has been broken in 2.4.33 and the -multiproxy patch needs updating.
Metadata Update from @rcritten: - Issue assigned to rcritten
Metadata Update from @rcritten: - Custom field type adjusted to None
mod_proxy has a new ssl-related function, ssl_engine_set, which was unimplemented in mod_nss.
I have a F27 test build up at https://koji.fedoraproject.org/koji/taskinfo?taskID=26332491 which implements basic support if you want to give it a try.
There could be issues if mod_ssl is also installed and configured. Fixing that will require a change to httpd-2.4.18-sslmultiproxy.patch which I'll start working on next.
Metadata Update from @rcritten: - Issue set to the milestone: mod_nss-1.0.18
I installed https://kojipkgs.fedoraproject.org//work/tasks/2492/26332492/mod_nss-1.0.14-7.fc27.x86_64.rpm and it worked. No need for mod_ssl. Great fix and looking forward to 1.0.18.
master: bce2166
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
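A post-upgrade check for the failure reported in this ticket, as an added example that is not part of the ticket or of mod_nss: it scans an httpd error log for AH00961 entries and counts them per proxy backend, also when entries have been pasted onto a single line. The sample log is the excerpt from the report; the function name `failed_proxy_backends` is hypothetical.

```python
import re

# Timestamp as httpd 2.4 writes it, e.g. "Wed Apr 11 23:20:28.215140 2018".
TS = r"\w{3} \w{3} +\d+ [\d:.]+ \d{4}"
# One error-log entry. The message runs up to the next "[timestamp]" or the end
# of the text, so entries pasted onto a single line are still split correctly.
ENTRY_RE = re.compile(
    r"\[(?P<ts>" + TS + r")\] \[(?P<module>[^:\]]*):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] "
    r"(?P<msg>.*?)(?=\s*\[" + TS + r"\]|\s*$)",
    re.S,
)
# AH00961 in the form shown in the ticket:
# "<SCHEME>: failed to enable ssl support for <ip:port> (<hostname>)"
AH00961_RE = re.compile(
    r"AH00961: (?P<scheme>\w+): failed to enable ssl support for "
    r"(?P<addr>\S+) \((?P<host>[^)]+)\)"
)

# Log excerpt taken from the ticket's problem description.
SAMPLE_LOG = (
    "[Wed Apr 11 23:20:23.596423 2018] [core:notice] [pid 7:tid 140093022845184] "
    "AH00094: Command line: 'httpd -d /etc/httpd/ -e info -D FOREGROUND'\n"
    "[Wed Apr 11 23:20:28.215140 2018] [proxy:error] [pid 12:tid 140092236625664] "
    "AH00961: HTTPS: failed to enable ssl support for 172.23.0.3:8443 (dogtag-10-5-6.dogtag-nw)\n"
    "[Wed Apr 11 23:20:28.546692 2018] [proxy:error] [pid 12:tid 140092323849984] "
    "AH00961: HTTPS: failed to enable ssl support for 172.23.0.3:8443 (dogtag-10-5-6.dogtag-nw)\n"
)


def failed_proxy_backends(log_text):
    """Return {(address, hostname): {"scheme", "count", "first", "last"}}
    for every backend that logged an AH00961 proxy SSL failure."""
    backends = {}
    for entry in ENTRY_RE.finditer(log_text):
        hit = AH00961_RE.search(entry["msg"])
        if hit is None:
            continue  # some other message, e.g. the AH00094 startup notice
        rec = backends.setdefault(
            (hit["addr"], hit["host"]),
            {"scheme": hit["scheme"], "count": 0, "first": entry["ts"]},
        )
        rec["count"] += 1
        rec["last"] = entry["ts"]
    return backends


if __name__ == "__main__":
    for (addr, host), rec in failed_proxy_backends(SAMPLE_LOG).items():
        print(f"{host} ({addr}): {rec['count']} failures, last at {rec['last']}")
```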