When using mod_proxy with SSL in front of JBoss ON, mod_proxy logs warning: downstream server wanted client certificate but none are configured
Environment
- JBoss Operations Network (ON) 3.1
- Apache Web Server using
mod_proxyin front of JBoss ON user-interface (UI)- 'mod_proxy' address is using TLS/SSL encryption with client authentication disabled
Issue
-
We see the following warning repeatedly in the Apache error log when a client connects:
[warn] Proxy client certificate callback: (jon-proxy.myhost.com:443) downstream server wanted client certificate but none are configured -
Connection problems with server
- Some clients fail to get the login prompt from the server
- Login page just clocks in the browser
- Server is requesting a client certificate
- Is there a way to disable the use of client certificates on the server side?
Resolution
If client authentication is not in use, set the rhq.server.tomcat.security.client-auth-mode property in rhq-server.properties to false and restart the JBoss ON server.
Root Cause
By default, the JBoss ON server configuration sets Tomcat's clientAuth property for its SSL connector to want. This will prompt the client for a certificate and use the certificate if the client provides one. If mod_proxy is not configured to provide a client certificate, it logs a warning to identify that a request was made but no client certificate was available.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments