Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Error during SSL Handshake with remote server

I have Apache2 (listening on 443) and a web app running on Tomcat7 (listening on 8443) on Ubuntu.

I set apache2 as reverse proxy so that I access the web app through port 443 instead of 8443. Besides, I need to have SSL communication not only between browser and apache2 but also between apache2 and tomcat7, thus I set SSL on both apache2 and tomcat7. If I try to access the web app by directly contacting tomcat7, everything is fine. The problem is that when I try to access the tomcat's web app through apache2 (reverse proxy), on the browser appears the error:

Proxy Error
The proxy server could not handle the request GET /web_app.
Reason: Error during SSL Handshake with remote server
like image 864
user2791481 Avatar asked Sep 18 '13 12:09

user2791481


People also ask

How do I fix error during SSL handshake with remote server?

Checking if there is an additional ssl. conf file which has replaced or added while copying the *. conf file during the transition of 2.2 to 2.4, This can cause conflicts as both the files will have the same directives and none of them will respond, Removing one of them and restarting httpd will fix the issue.

How do I fix TLS handshake failure?

The fastest way to fix this SSL/TLS handshake error-causing issue is just to reset your browser to the default settings and disable all your plugins. From there, you can configure the browser however you want, testing your connection with the site in question as you tweak things.

What is Proxy error reading from remote server?

This means that a server (not necessarily a web server) acting as a gateway or proxy and received an invalid response from an upstream (or origin) server. In most cases the problem is not with you computer or your internet connection , it's far more likely that it's the website's server instead.

What happens if SSL handshake fails?

A TLS/SSL handshake failure occurs when a client and server cannot establish communication using the TLS/SSL protocol. When this error occurs in Apigee Edge, the client application receives an HTTP status 503 with the message Service Unavailable.


5 Answers

The comment by MK pointed me in the right direction.

In the case of Apache 2.4 and up, there are different defaults and a new directive.

I am running Apache 2.4.6, and I had to add the following directives to get it working:

SSLProxyEngine on
SSLProxyVerify none 
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
like image 56
mydoghasworms Avatar answered Oct 03 '22 12:10

mydoghasworms


I have 2 servers setup on docker, reverse proxy & web server. This error started happening for all my websites all of a sudden after 1 year. When setting up earlier, I generated a self signed certificate on the web server.

So, I had to generate the SSL certificate again and it started working...

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ssl.key -out ssl.crt

like image 24
Rehmat Avatar answered Oct 05 '22 12:10

Rehmat


Faced the same problem as OP:

  • Tomcat returned response when accessing directly via SOAP UI
  • Didn't load html files
  • When used Apache properties mentioned by the previous answer, web-page appeared but AngularJS couldn't get HTTP response

Tomcat SSL certificate was expired while a browser showed it as secure - Apache certificate was far from expiration. Updating Tomcat KeyStore file solved the problem.

like image 32
Justinas Jakavonis Avatar answered Oct 01 '22 12:10

Justinas Jakavonis


On a remote OEL (Oracle Enterprise Linux) 7.8 server, i have a backend web application running with HTTPS/8009. As its a third party app, I did not have choice to disable SSL or change port.

As i needed to access the web app from my local machine's browser, i thought of setting up a reverse proxy (HTTP to HTTPS mapping) using Apache httpd. Now i can access the web app from my local browser through below URL:

http://10.157.146.97:1234/

FYI, CURL commands working inside the Linux Machine were below ones:

curl http://10.157.146.97:1234/
curl -k https://localhost:8009/

Here is my reverse proxy setup :

/etc/httpd/conf/httpd.conf

Listen 1234

<VirtualHost *:1234>
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPreserveHost On
ProxyPass / https://localhost:8009/
ProxyPassReverse / https://localhost:8009/
</VirtualHost>

One aspect i struggled a lot, earlier i was trying with url pattern (/sample) in ProxyPass/ProxyPassReverse but that was causing HTTP 404 (not found) for css/js files as web-app's welcome page contains indirect css/js paths (sample code below). So replacing url pattern (/sample) with (/) solved that problem too.

previous Not working config:
ProxyPass /sample https://localhost:8009/
ProxyPassReverse /sample https://localhost:8009/

<script defer src="abc.js"></script><link href="xyz.css" rel="stylesheet"></head>  
like image 32
nirmalsingh Avatar answered Oct 02 '22 12:10

nirmalsingh


Here is my variation on this theme, inspired by this Git gist. The server is a Docker container with an internal self-signed SSL certificate, reachable at https://localhost:8443. Proxied to server.example.org:443. Relevant config details:

<VirtualHost AAA.BBB.CCC.DDD:443>
    ServerName server.example.org

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # These settings are definitely needed
    SSLEngine On
    SSLProxyEngine On
    ProxyRequests Off
    SSLProxyVerify none 
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    # These may not be needed, depending on proxied application
    ProxyPreserveHost on
    RequestHeader set X-Forwarded-Proto https

    ProxyPass "/" "https://localhost:8443/"
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/?(.*) "wss://localhost:8443/$1" [P,L]
    ProxyPassReverse "/" "https://localhost:8443/"
</VirtualHost>

The section between SSLEngine On and RequestHeader... I put together via Googling and trial and error. Maybe some of these settings are not needed, YMMV.

Note: the RewriteRule with "wss" was needed because the server uses secure websockets.

Platform: Ubuntu 20.04.3 LTS, Apache 2.4.41.

like image 24
Laryx Decidua Avatar answered Oct 05 '22 12:10

Laryx Decidua