Thank you for responding.  Although this appeared to be a problem with the
CA, the reason that error was appearing was because we are using a
self-signed certificate.  That part of it confused me too, but I realized I
could ignore it when I completely removed the ProxyPass and
ProxyPassReverse lines from the nss.conf file, and then got another error
about /var/www/docroot being denied by rule.  I changed the directory rules
to look like this:

<Directory /var/www/docroot/>
    Order allow,deny
    Allow from all
    AllowOverride None
    Options None
</Directory>

<Directory />
    Order deny,allow
    Deny from all
    AllowOverride None
    Options None
</Directory>

Basically I just added the first rule above the bottom, existing rule.  The
bottom one was disallowing every file on our webserver to be served.

Thanks,

Larry Cohen

On Tue, Mar 29, 2016 at 1:22 PM, Rob Crittenden <[email protected]> wrote:

> Cohen, Laurence wrote:
>
>> Hi everyone,
>>
>> I have what I hope is a simple question with a simple answer that I'm
>> just overlooking.  I have a need to temporarily put our application in
>> maintenance mode, and display a static page from our web server stating
>> that the application is temporarily unavailable.
>>
>> The Web Server is Apache 2.2, and it contains Include lines for
>> rewrite.conf and nss.conf.
>>
>> What I'm getting in the error log when I try to bring this up in a
>> browser is the following.
>>
>> [Sat Mar 26 05:11:22 2016] [info] Connection to child 5 established
>> (server testweb01.novetta.com:443, client x.x.16.58)
>> [Sat Mar 26 05:11:23 2016] [info] Initial (No.1) HTTPS request received
>> for child 5 (server testweb01.novetta.com:443)
>> [Sat Mar 26 05:11:23 2016] [info] Requesting connection re-negotiation
>> [Sat Mar 26 05:11:26 2016] [info] Connection to child 0 established
>> (server testweb01.novetta.com:443, client x.x.238.91)
>> [Sat Mar 26 05:11:26 2016] [info] Connection to child 3 established
>> (server testweb01.novetta.com:443, client x.x.238.91)
>> [Sat Mar 26 05:11:26 2016] [info] SSL input filter read failed.
>> [Sat Mar 26 05:11:26 2016] [error] SSL Library Error: -12195 Peer does
>> not recognize and trust the CA that issued your certificate
>> [Sat Mar 26 05:11:26 2016] [info] Connection to child 3 closed (server
>> testweb01.novetta.com:443, client x.x.238.91)
>> [Sat Mar 26 05:11:26 2016] [info] SSL library error -8172 writing data
>> [Sat Mar 26 05:11:26 2016] [info] SSL Library Error: -8172 Certificate
>> is signed by an untrusted issuer
>> [Sat Mar 26 05:11:26 2016] [error] (20014)Internal error: proxy: pass
>> request body failed to 10.3.238.91:443 (testweb01.novetta.com)
>> [Sat Mar 26 05:11:26 2016] [error] proxy: pass request body failed to
>> x.x..238.91:443 (testweb01.novetta.com)
>> from x.x.16.58 ()
>> [Sat Mar 26 05:11:26 2016] [info] Connection to child 5 closed (server...
>>
>> I have tried this with :443 for the port in the nss.conf ProxyPass and
>> ProxyPassReverse statements, but it still doesn't work.  Any ideas?
>>
>
> The server cert on testweb01.novetta.com was signed by an issuer that
> your web server doesn't know. You'd need to add that CA to the mod_nss
> certificate database (and probably restart Apache).
>
> rob
>



-- 

Larry Cohen

System Administrator


12021 Sunset Hills Road, Suite 400

Reston, VA 20190

Email  [email protected]

Office  703-885-1064
_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
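
Added example (not part of the original message and not Apache's own code): a simplified Python model of how Apache 2.2 chooses between the two `<Directory>` blocks shown in the message. It shows that the most specific section's Order/Allow/Deny settings decide the outcome, so the deny-all root rule can stay in place as the default and the order of the blocks in the file does not change the result. Only `all`, full IP addresses and dotted IP prefixes are modelled, and the function names are hypothetical.

```python
from posixpath import normpath
# Config from the post: the existing deny-all root rule plus the added docroot rule.
FIXED = """
<Directory /var/www/docroot/>
    Order allow,deny
    Allow from all
    AllowOverride None
    Options None
</Directory>
<Directory />
    Order deny,allow
    Deny from all
    AllowOverride None
    Options None
</Directory>
"""
BEFORE = FIXED[FIXED.index("<Directory />"):]  # root rule only, as it was before the change

def parse_sections(conf):
    # Map each <Directory> path to its Order/Allow/Deny settings; other directives are ignored.
    sections, cur = {}, None
    for line in map(str.strip, conf.splitlines()):
        if line.startswith("<Directory "):
            cur = normpath(line[11:-1].strip())
        elif line.startswith("</Directory"):
            cur = None
        elif cur and line and line.split()[0].lower() in ("order", "allow", "deny"):
            words = line.lower().split()
            rule = sections.setdefault(cur, {"order": "deny,allow", "allow": [], "deny": []})
            if words[0] == "order":
                rule["order"] = words[1]
            else:
                rule[words[0]].extend(words[2:])  # skip the "from" keyword
    return sections

def matches(spec, ip):
    return spec == "all" or ip == spec or ip.startswith(spec.rstrip(".") + ".")

def is_allowed(sections, path, ip):
    path = normpath(path)
    hits = [d for d in sections if d == "/" or path == d or path.startswith(d + "/")]
    if not hits:
        return True  # no host-based rule applies to this path
    rule = sections[max(hits, key=len)]  # most specific section overrides its parents
    allow, deny = (any(matches(s, ip) for s in rule[k]) for k in ("allow", "deny"))
    if rule["order"] == "allow,deny":
        return allow and not deny  # default deny; a Deny match wins
    return allow or not deny  # deny,allow: default allow; an Allow match wins
```

With the root rule kept as `Deny from all`, any path outside `/var/www/docroot` remains blocked while files under the document root are served.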