Apache2 Certificate Chain Verification within Proxy not Working after dist-upgrade to focal

Bug #1930430 reported by Horst Platz
Affects             Status        Importance  Assigned to  Milestone
Apache2 Web Server  Fix Released  Medium
apache2 (Ubuntu)    Fix Released  Medium      Unassigned
Focal               Fix Released  Medium      Unassigned

Bug Description

[Impact]

 * Due to https://bz.apache.org/bugzilla/show_bug.cgi?id=63679 the
   Online Certificate Status Protocol (OCSP) fails in proxy mode.

 * The fix is simple (the wrong context was checked) and has been upstream
   for a while without further changes.

 * Backporting that fix [1] resolves the use case

[1]: https://github.com/apache/httpd/commit/c11b1cd3b11f

[Test Plan]

 * Autopkgtest plus the steps that were outlined in comment 8 & 9.

 * [racb] Also see the request for further testing in comment 14.

[Where problems could occur]

 * Apache does many things, but the change "only" affects the ssl
   engine. Therefore unexpected problems would be around any sort
   of ssl activity.
   But the way the change works is actually on the SSLVerify path,
   so it comes down to "making ssl connections" not e.g. later SSL
   transmission behavior or throughput.

[Other Info]

 * If we manage to get a certbot system up on canonistack (as I did in
   the past) to hit this issue we will use that testbed instead of the
   local tests.

----

Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal

After dist-upgrade bionic -> focal and Apache Update

from: 2.4.29-1ubuntu4.14
to: 2.4.41-4ubuntu3.1

Overall I found a hint in

https://downloads.apache.org/httpd/CHANGES_2.4
[...]
  *) mod_ssl: OCSP does not apply to proxy mode. PR 63679.
     [Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]
[...]

https://bz.apache.org/bugzilla/show_bug.cgi?id=63679

Backported to 2.4.x (r1872226), will be in the next release.

https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?view=markup&pathrev=1872226

-> This is part of 2.4.42 <-

and an overall question: can you please also backport that version of
ssl_engine_kernel.c to your 2.4.41-4ubuntu3.1 Apache?

My further investigation: I created a new VM with 20.04 and compiled Apache

:~$ apt-get source apache2

The only thing I did was to replace

:~$ apache2-2.4.41/modules/ssl/ssl_engine_kernel.c

with the downloaded Version from upstream Apache

https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?revision=1872226&view=co&pathrev=1872226

I saved the *.deb packages away.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Reproduce the Error

Create a New VM with 20.04

:~# apt-get install apache2

:~# mkdir /etc/apache2/ssl
:~# vim /etc/apache2/ssl/letsencryt.crt

letsencryt.crt contains only the intermediate and root CA from Let's Encrypt

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~# vim /etc/apache2/sites-enabled/000-default.conf
<VirtualHost 127.0.0.1:80>
    ServerAdmin <email address hidden>
    ServerName localhost

    ProxyPreserveHost Off
    ProxyRequests Off

    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile ssl/letsencryt.crt
    SSLProxyCipherSuite ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-GCM-SHA384
    SSLProxyProtocol -all +TLSv1.2

    ProxyPass / https://localhorst.org/

    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/localhorst_access.log common
</VirtualHost>

:~# vim /etc/apache2/apache2.conf
LogLevel debug

:~# a2enmod proxy_http ssl

:~# systemctl restart apache2

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I created a local firewall for a better overview: block outgoing traffic

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The proxy crashed because of -> connecting to OCSP responder. With the Apache
version in bionic this does not happen. There is no connection to the
OCSP responder.

:~# curl http://127.0.0.1:80/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
The proxy server could not handle the request<p>Reason: <strong>Error during SSL Handshake with remote server</strong></p><p />
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>

:~# tail -f /var/log/apache2/error.log
[Tue Jun 01 14:04:11.286448 2021] [authz_core:debug] [pid 6009:tid 140286852331264] mod_authz_core.c(845): [client 127.0.0.1:47958] AH01628: authorization result: granted (no directives)
[Tue Jun 01 14:04:11.286530 2021] [proxy:debug] [pid 6009:tid 140286852331264] mod_proxy.c(1253): [client 127.0.0.1:47958] AH01143: Running scheme https handler (attempt 0)
[Tue Jun 01 14:04:11.286549 2021] [proxy:debug] [pid 6009:tid 140286852331264] proxy_util.c(2325): AH00942: HTTPS: has acquired connection for (localhorst.org)
[Tue Jun 01 14:04:11.286588 2021] [proxy:debug] [pid 6009:tid 140286852331264] proxy_util.c(2379): [client 127.0.0.1:47958] AH00944: connecting https://localhorst.org/ to localhorst.org:443
[Tue Jun 01 14:04:11.288378 2021] [proxy:debug] [pid 6009:tid 140286852331264] proxy_util.c(2588): [client 127.0.0.1:47958] AH00947: connected / to localhorst.org:443
[Tue Jun 01 14:04:11.318587 2021] [proxy:debug] [pid 6009:tid 140286852331264] proxy_util.c(3054): AH02824: HTTPS: connection established with 94.130.99.225:443 (localhorst.org)
[Tue Jun 01 14:04:11.318697 2021] [proxy:debug] [pid 6009:tid 140286852331264] proxy_util.c(3240): AH00962: HTTPS: connection complete to 94.130.99.225:443 (localhorst.org)
[Tue Jun 01 14:04:11.318726 2021] [ssl:info] [pid 6009:tid 140286852331264] [remote 94.130.99.225:443] AH01964: Connection to child 0 established (server localhost:80)
[Tue Jun 01 14:04:11.368501 2021] [ssl:debug] [pid 6009:tid 140286852331264] ssl_engine_kernel.c(1764): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=DST Root CA X3,O=Digital Signature Trust Co. / issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. / serial: 44AFB080D6A327BA893039862EF8406B / notbefore: Sep 30 21:12:19 2000 GMT / notafter: Sep 30 14:01:15 2021 GMT]
[Tue Jun 01 14:04:11.369207 2021] [ssl:debug] [pid 6009:tid 140286852331264] ssl_engine_kernel.c(1764): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=R3,O=Let's Encrypt,C=US / issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. / serial: 400175048314A4C8218C84A90C16CDDF / notbefore: Oct 7 19:21:40 2020 GMT / notafter: Sep 29 19:21:40 2021 GMT]
[Tue Jun 01 14:04:11.369934 2021] [ssl:debug] [pid 6009:tid 140286852331264] ssl_engine_ocsp.c(76): [remote 94.130.99.225:443] AH01918: no OCSP responder specified in certificate and no default configured
[Tue Jun 01 14:04:11.370521 2021] [ssl:debug] [pid 6009:tid 140286852331264] ssl_engine_kernel.c(1764): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=localhorst.org / issuer: CN=R3,O=Let's Encrypt,C=US / serial: 04235D2681C6834352A845E6D1745969DCCE / notbefore: May 13 08:11:44 2021 GMT / notafter: Aug 11 08:11:44 2021 GMT]
[Tue Jun 01 14:04:11.517640 2021] [ssl:debug] [pid 6009:tid 140286852331264] ssl_util_ocsp.c(96): [remote 94.130.99.225:443] AH01973: connecting to OCSP responder 'r3.o.lencr.org'
[Tue Jun 01 14:04:11.521410 2021] [ssl:error] [pid 6009:tid 140286852331264] (101)Network is unreachable: [remote 94.130.99.225:443] AH01974: could not connect to OCSP responder 'r3.o.lencr.org'
[Tue Jun 01 14:04:11.521875 2021] [ssl:info] [pid 6009:tid 140286852331264] [remote 94.130.99.225:443] AH02276: Certificate Verification: Error (50): application verification failure [subject: CN=localhorst.org / issuer: CN=R3,O=Let's Encrypt,C=US / serial: 04235D2681C6834352A845E6D1745969DCCE / notbefore: May 13 08:11:44 2021 GMT / notafter: Aug 11 08:11:44 2021 GMT]
[Tue Jun 01 14:04:11.529291 2021] [ssl:info] [pid 6009:tid 140286852331264] [remote 94.130.99.225:443] AH02003: SSL Proxy connect failed
[Tue Jun 01 14:04:11.529591 2021] [ssl:info] [pid 6009:tid 140286852331264] SSL Library Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Tue Jun 01 14:04:11.529708 2021] [ssl:info] [pid 6009:tid 140286852331264] [remote 94.130.99.225:443] AH01998: Connection closed to child 0 with abortive shutdown (server localhost:80)
[Tue Jun 01 14:04:11.529999 2021] [ssl:info] [pid 6009:tid 140286852331264] [remote 94.130.99.225:443] AH01997: SSL handshake failed: sending 502
[Tue Jun 01 14:04:11.530169 2021] [proxy:error] [pid 6009:tid 140286852331264] (20014)Internal error (specific information not available): [client 127.0.0.1:47958] AH01084: pass request body failed to 94.130.99.225:443 (localhorst.org)
[Tue Jun 01 14:04:11.530288 2021] [proxy:error] [pid 6009:tid 140286852331264] [client 127.0.0.1:47958] AH00898: Error during SSL Handshake with remote server returned by /
[Tue Jun 01 14:04:11.530379 2021] [proxy_http:error] [pid 6009:tid 140286852331264] [client 127.0.0.1:47958] AH01097: pass request body failed to 94.130.99.225:443 (localhorst.org) from 127.0.0.1 ()
[Tue Jun 01 14:04:11.530482 2021] [proxy:debug] [pid 6009:tid 140286852331264] proxy_util.c(2340): AH00943: HTTPS: has released connection for (localhorst.org)

:~# tail -f /var/log/ulog/syslogemu.log
Jun 1 14:04:12 devubu2004 fw-net REJECT IN= OUT=enp0s3 MAC= SRC=10.0.2.15 DST=95.101.91.160 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=59096 DF PROTO=TCP SPT=52194 DPT=80 SEQ=2173056195 ACK=0 WINDOW=64240 SYN URGP=0 UID=33 GID=33 MARK=0
Jun 1 14:04:12 devubu2004 fw-net REJECT IN= OUT=enp0s3 MAC= SRC=10.0.2.15 DST=95.101.91.146 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=32240 DF PROTO=TCP SPT=40016 DPT=80 SEQ=508673920 ACK=0 WINDOW=64240 SYN URGP=0 UID=33 GID=33 MARK=0

:~$ host r3.o.lencr.org
r3.o.lencr.org is an alias for o.lencr.edgesuite.net.
o.lencr.edgesuite.net is an alias for a1887.dscq.akamai.net.
a1887.dscq.akamai.net has address 95.101.91.160
a1887.dscq.akamai.net has address 95.101.91.146
a1887.dscq.akamai.net has IPv6 address 2a02:26f0:10c::5f65:5a12
a1887.dscq.akamai.net has IPv6 address 2a02:26f0:10c::5f65:5ac0

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Try opening the local firewall

:~# vim /etc/shorewall/rules
[...]
ACCEPT $FW net:95.101.91.160 tcp http
ACCEPT $FW net:95.101.91.146 tcp http

:~# systemctl reload shorewall

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Does not help; it crashed with the following error

:~$ curl http://127.0.0.1:80/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
The proxy server could not handle the request<p>Reason: <strong>Error during SSL Handshake with remote server</strong></p><p />
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>

:~# tail -f /var/log/apache2/error.log
[Tue Jun 01 14:08:02.137740 2021] [authz_core:debug] [pid 6009:tid 140286835545856] mod_authz_core.c(845): [client 127.0.0.1:47974] AH01628: authorization result: granted (no directives)
[Tue Jun 01 14:08:02.137793 2021] [proxy:debug] [pid 6009:tid 140286835545856] mod_proxy.c(1253): [client 127.0.0.1:47974] AH01143: Running scheme https handler (attempt 0)
[Tue Jun 01 14:08:02.137803 2021] [proxy:debug] [pid 6009:tid 140286835545856] proxy_util.c(2325): AH00942: HTTPS: has acquired connection for (localhorst.org)
[Tue Jun 01 14:08:02.137810 2021] [proxy:debug] [pid 6009:tid 140286835545856] proxy_util.c(2379): [client 127.0.0.1:47974] AH00944: connecting https://localhorst.org/ to localhorst.org:443
[Tue Jun 01 14:08:02.137817 2021] [proxy:debug] [pid 6009:tid 140286835545856] proxy_util.c(2588): [client 127.0.0.1:47974] AH00947: connected / to localhorst.org:443
[Tue Jun 01 14:08:02.167485 2021] [proxy:debug] [pid 6009:tid 140286835545856] proxy_util.c(3054): AH02824: HTTPS: connection established with 94.130.99.225:443 (localhorst.org)
[Tue Jun 01 14:08:02.168160 2021] [proxy:debug] [pid 6009:tid 140286835545856] proxy_util.c(3240): AH00962: HTTPS: connection complete to 94.130.99.225:443 (localhorst.org)
[Tue Jun 01 14:08:02.168655 2021] [ssl:info] [pid 6009:tid 140286835545856] [remote 94.130.99.225:443] AH01964: Connection to child 0 established (server localhost:80)
[Tue Jun 01 14:08:02.216198 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_engine_kernel.c(1764): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=DST Root CA X3,O=Digital Signature Trust Co. / issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. / serial: 44AFB080D6A327BA893039862EF8406B / notbefore: Sep 30 21:12:19 2000 GMT / notafter: Sep 30 14:01:15 2021 GMT]
[Tue Jun 01 14:08:02.217565 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_engine_kernel.c(1764): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=R3,O=Let's Encrypt,C=US / issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. / serial: 400175048314A4C8218C84A90C16CDDF / notbefore: Oct 7 19:21:40 2020 GMT / notafter: Sep 29 19:21:40 2021 GMT]
[Tue Jun 01 14:08:02.218976 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_engine_ocsp.c(76): [remote 94.130.99.225:443] AH01918: no OCSP responder specified in certificate and no default configured
[Tue Jun 01 14:08:02.219265 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_engine_kernel.c(1764): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=localhorst.org / issuer: CN=R3,O=Let's Encrypt,C=US / serial: 04235D2681C6834352A845E6D1745969DCCE / notbefore: May 13 08:11:44 2021 GMT / notafter: Aug 11 08:11:44 2021 GMT]
[Tue Jun 01 14:08:02.358471 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(96): [remote 94.130.99.225:443] AH01973: connecting to OCSP responder 'r3.o.lencr.org'
[Tue Jun 01 14:08:02.386985 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(124): [remote 94.130.99.225:443] AH01975: sending request to OCSP responder
[Tue Jun 01 14:08:02.579215 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Server: nginx
[Tue Jun 01 14:08:02.581036 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Content-Type: application/ocsp-response
[Tue Jun 01 14:08:02.581749 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Content-Length: 503
[Tue Jun 01 14:08:02.581822 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: ETag: "17C919F5E6C36BB41BEAF2C8A1BD012BBFDC3157CAC59588FBFDAE973D089853"
[Tue Jun 01 14:08:02.581843 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Last-Modified: Mon, 31 May 2021 09:00:00 UTC
[Tue Jun 01 14:08:02.581859 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Cache-Control: public, no-transform, must-revalidate, max-age=43160
[Tue Jun 01 14:08:02.581875 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Expires: Wed, 02 Jun 2021 02:07:22 GMT
[Tue Jun 01 14:08:02.581891 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Date: Tue, 01 Jun 2021 14:08:02 GMT
[Tue Jun 01 14:08:02.581906 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Connection: close
[Tue Jun 01 14:08:02.581922 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(282): [remote 94.130.99.225:443] AH01987: OCSP response: got 503 bytes, 503 total
[Tue Jun 01 14:08:02.583980 2021] [ssl:error] [pid 6009:tid 140286835545856] AH01924: Bad OCSP responder answer (bad nonce)
[Tue Jun 01 14:08:02.585222 2021] [ssl:info] [pid 6009:tid 140286835545856] [remote 94.130.99.225:443] AH02276: Certificate Verification: Error (50): application verification failure [subject: CN=localhorst.org / issuer: CN=R3,O=Let's Encrypt,C=US / serial: 04235D2681C6834352A845E6D1745969DCCE / notbefore: May 13 08:11:44 2021 GMT / notafter: Aug 11 08:11:44 2021 GMT]
[Tue Jun 01 14:08:02.586201 2021] [ssl:info] [pid 6009:tid 140286835545856] [remote 94.130.99.225:443] AH02003: SSL Proxy connect failed
[Tue Jun 01 14:08:02.587160 2021] [ssl:info] [pid 6009:tid 140286835545856] SSL Library Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Tue Jun 01 14:08:02.587226 2021] [ssl:info] [pid 6009:tid 140286835545856] [remote 94.130.99.225:443] AH01998: Connection closed to child 0 with abortive shutdown (server localhost:80)
[Tue Jun 01 14:08:02.587272 2021] [ssl:info] [pid 6009:tid 140286835545856] [remote 94.130.99.225:443] AH01997: SSL handshake failed: sending 502
[Tue Jun 01 14:08:02.587354 2021] [proxy:error] [pid 6009:tid 140286835545856] (20014)Internal error (specific information not available): [client 127.0.0.1:47974] AH01084: pass request body failed to 94.130.99.225:443 (localhorst.org)
[Tue Jun 01 14:08:02.587391 2021] [proxy:error] [pid 6009:tid 140286835545856] [client 127.0.0.1:47974] AH00898: Error during SSL Handshake with remote server returned by /
[Tue Jun 01 14:08:02.587407 2021] [proxy_http:error] [pid 6009:tid 140286835545856] [client 127.0.0.1:47974] AH01097: pass request body failed to 94.130.99.225:443 (localhorst.org) from 127.0.0.1 ()
[Tue Jun 01 14:08:02.587424 2021] [proxy:debug] [pid 6009:tid 140286835545856] proxy_util.c(2340): AH00943: HTTPS: has released connection for (localhorst.org)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Close the Firewall Again

:~# vim /etc/shorewall/rules
[...]
#ACCEPT $FW net:95.101.91.160 tcp http
#ACCEPT $FW net:95.101.91.146 tcp http

:~# systemctl reload shorewall

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Installed the self-compiled Apache version with the patched
ssl_engine_kernel.c version

:~# cd /home/vagrant/deb/

:~# dpkg -i apache2_2.4.41-4ubuntu3.1_amd64.deb apache2-bin_2.4.41-4ubuntu3.1_amd64.deb apache2-data_2.4.41-4ubuntu3.1_all.deb apache2-utils_2.4.41-4ubuntu3.1_amd64.deb

:~# systemctl stop apache2
:~# systemctl start apache2

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Apache Proxy is working again as expected

:~# curl http://127.0.0.1:80/
-> website is coming

:~# tail -f /var/log/apache2/error.log
[Tue Jun 01 14:11:47.953485 2021] [authz_core:debug] [pid 7437:tid 140452002883328] mod_authz_core.c(845): [client 127.0.0.1:47980] AH01628: authorization result: granted (no directives)
[Tue Jun 01 14:11:47.953554 2021] [proxy:debug] [pid 7437:tid 140452002883328] mod_proxy.c(1253): [client 127.0.0.1:47980] AH01143: Running scheme https handler (attempt 0)
[Tue Jun 01 14:11:47.953570 2021] [proxy:debug] [pid 7437:tid 140452002883328] proxy_util.c(2325): AH00942: HTTPS: has acquired connection for (localhorst.org)
[Tue Jun 01 14:11:47.953576 2021] [proxy:debug] [pid 7437:tid 140452002883328] proxy_util.c(2379): [client 127.0.0.1:47980] AH00944: connecting https://localhorst.org/ to localhorst.org:443
[Tue Jun 01 14:11:47.955415 2021] [proxy:debug] [pid 7437:tid 140452002883328] proxy_util.c(2588): [client 127.0.0.1:47980] AH00947: connected / to localhorst.org:443
[Tue Jun 01 14:11:47.985343 2021] [proxy:debug] [pid 7437:tid 140452002883328] proxy_util.c(3054): AH02824: HTTPS: connection established with 94.130.99.225:443 (localhorst.org)
[Tue Jun 01 14:11:47.985479 2021] [proxy:debug] [pid 7437:tid 140452002883328] proxy_util.c(3240): AH00962: HTTPS: connection complete to 94.130.99.225:443 (localhorst.org)
[Tue Jun 01 14:11:47.985505 2021] [ssl:info] [pid 7437:tid 140452002883328] [remote 94.130.99.225:443] AH01964: Connection to child 0 established (server localhost:80)
[Tue Jun 01 14:11:48.034945 2021] [ssl:debug] [pid 7437:tid 140452002883328] ssl_engine_kernel.c(1759): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=DST Root CA X3,O=Digital Signature Trust Co. / issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. / serial: 44AFB080D6A327BA893039862EF8406B / notbefore: Sep 30 21:12:19 2000 GMT / notafter: Sep 30 14:01:15 2021 GMT]
[Tue Jun 01 14:11:48.035920 2021] [ssl:debug] [pid 7437:tid 140452002883328] ssl_engine_kernel.c(1759): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=R3,O=Let's Encrypt,C=US / issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. / serial: 400175048314A4C8218C84A90C16CDDF / notbefore: Oct 7 19:21:40 2020 GMT / notafter: Sep 29 19:21:40 2021 GMT]
[Tue Jun 01 14:11:48.036745 2021] [ssl:debug] [pid 7437:tid 140452002883328] ssl_engine_kernel.c(1759): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=localhorst.org / issuer: CN=R3,O=Let's Encrypt,C=US / serial: 04235D2681C6834352A845E6D1745969DCCE / notbefore: May 13 08:11:44 2021 GMT / notafter: Aug 11 08:11:44 2021 GMT]
[Tue Jun 01 14:11:48.067180 2021] [ssl:debug] [pid 7437:tid 140452002883328] ssl_engine_kernel.c(2249): [remote 94.130.99.225:443] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 01 14:11:48.068469 2021] [ssl:debug] [pid 7437:tid 140452002883328] ssl_util_ssl.c(476): AH02412: [localhost:80] Cert matches for name 'localhorst.org' [subject: CN=localhorst.org / issuer: CN=R3,O=Let's Encrypt,C=US / serial: 04235D2681C6834352A845E6D1745969DCCE / notbefore: May 13 08:11:44 2021 GMT / notafter: Aug 11 08:11:44 2021 GMT]
[Tue Jun 01 14:11:48.227809 2021] [proxy:debug] [pid 7437:tid 140452002883328] proxy_util.c(2340): AH00943: https: has released connection for (localhorst.org)

Regards Horst

In , Luhliari (luhliari) wrote :

Created attachment 36728
Patch fixing the bug

Hi all,

in commit r1826995 the following change was made to the ssl_callback_SSLVerify function in ssl_engine_kernel.c:

- if (ok && sc->server->ocsp_enabled == TRUE) {
+ if (ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
+ (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
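
Review bot: the `+` condition bit-tests `sc->server->ocsp_mask` with no guard for the unset value. The replaced line compared `ocsp_enabled == TRUE`, so anything other than an explicit enable skipped the OCSP branch; per the explanation that follows, `ocsp_mask` defaults to UNSET (-1), and -1 has every bit set, so both the `SSL_OCSPCHECK_CHAIN` and the `SSL_OCSPCHECK_LEAF` test pass. Suggest rejecting UNSET explicitly before the mask tests, or making sure the mask is resolved to a concrete value before this callback can run.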

Instead of using sc->server, mctx should be used. It now causes weird behavior, since ocsp_mask is by default set to UNSET (which is -1, translated to signed int...). When proxy is set on the same server, the if-condition above will be true.

I'm proposing this change:

- if (ok && sc->server->ocsp_enabled) {
+ if (ok && ((mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
+ (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
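
Review bot: the `-` line, `if (ok && sc->server->ocsp_enabled) {`, is the condition from before r1826995, not the `sc->server->ocsp_mask` test quoted earlier as the code that has the bug, so the hunk as written is not a one-to-one replacement of the faulty lines. Suggest regenerating it against the tree that contains r1826995 so the only change is `sc->server` to `mctx`, and including the line where `mctx` is selected for the connection as context, since the fix depends on it.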

It was working before, because ocsp_enabled was by default set to FALSE. ocsp_mask is UNSET by default now and is set either to proxy or server structure in sc. If sc with is_proxy is passed here, it will result in a bug.

Attaching patch. Please merge it to 2.4.x if possible.
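
The condition described in the comment above, as a small C model added here (it is not httpd source and not the attached patch). Struct layouts, the bit values of the constants and the helper names `gates_open_for_chain` and `proxy_backend_lookups` are assumptions, and the server-side mask is constructed as UNSET to match the description; the walk over depths 2, 1, 0 mirrors the three-certificate chain in the reporter's log.

```c
/* Simplified model of the OCSP gate in ssl_callback_SSLVerify.
 * Field names follow the comment above; struct layouts, constant values
 * and helper names are assumptions made for this example. */
#include <stdio.h>

#define TRUE  1
#define UNSET (-1)                      /* "not configured", per the comment */
#define SSL_OCSPCHECK_NONE  0
#define SSL_OCSPCHECK_LEAF  (1 << 0)    /* assumed bit values */
#define SSL_OCSPCHECK_CHAIN (1 << 1)

typedef struct {
    int ocsp_enabled;   /* old boolean switch, default FALSE */
    int ocsp_mask;      /* newer bit mask, default UNSET     */
} modssl_ctx_t;

typedef struct {
    modssl_ctx_t *server;   /* context for inbound TLS          */
    modssl_ctx_t *proxy;    /* context for outbound (proxy) TLS */
} SSLSrvConfigRec;

typedef int (*ocsp_gate_fn)(const SSLSrvConfigRec *sc,
                            const modssl_ctx_t *mctx, int ok, int errdepth);

/* Condition before r1826995: a boolean that defaults to FALSE. */
static int gate_legacy(const SSLSrvConfigRec *sc, const modssl_ctx_t *mctx,
                       int ok, int errdepth)
{
    (void)mctx; (void)errdepth;
    return ok && sc->server->ocsp_enabled == TRUE;
}

/* Condition after r1826995: bit tests on the server-side context only.
 * With ocsp_mask == UNSET (-1) every bit is set, so this is always true. */
static int gate_r1826995(const SSLSrvConfigRec *sc, const modssl_ctx_t *mctx,
                         int ok, int errdepth)
{
    (void)mctx;
    return ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
                  (errdepth == 0 &&
                   (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)));
}

/* Proposed condition: same bit tests, on the context of this connection. */
static int gate_fixed(const SSLSrvConfigRec *sc, const modssl_ctx_t *mctx,
                      int ok, int errdepth)
{
    (void)sc;
    return ok && ((mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
                  (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_LEAF)));
}

/* Count at how many depths of a root/intermediate/leaf chain the gate
 * would send the certificate to an OCSP check. */
static int gates_open_for_chain(ocsp_gate_fn gate, const SSLSrvConfigRec *sc,
                                const modssl_ctx_t *mctx)
{
    int hits = 0;
    for (int depth = 2; depth >= 0; depth--)
        hits += gate(sc, mctx, /* ok = */ 1, depth);
    return hits;
}

/* Constructed state: a proxy connection whose own context carries
 * proxy_mask while the server-side context was never configured. */
static int proxy_backend_lookups(ocsp_gate_fn gate, int proxy_mask)
{
    modssl_ctx_t server = { .ocsp_enabled = 0, .ocsp_mask = UNSET };
    modssl_ctx_t proxy  = { .ocsp_enabled = 0, .ocsp_mask = proxy_mask };
    SSLSrvConfigRec sc  = { &server, &proxy };
    return gates_open_for_chain(gate, &sc, sc.proxy);
}

int main(void)
{
    printf("legacy   (proxy mask NONE): %d OCSP checks\n",
           proxy_backend_lookups(gate_legacy, SSL_OCSPCHECK_NONE));
    printf("r1826995 (proxy mask NONE): %d OCSP checks\n",
           proxy_backend_lookups(gate_r1826995, SSL_OCSPCHECK_NONE));
    printf("fixed    (proxy mask NONE): %d OCSP checks\n",
           proxy_backend_lookups(gate_fixed, SSL_OCSPCHECK_NONE));
    printf("fixed    (proxy mask LEAF): %d OCSP checks\n",
           proxy_backend_lookups(gate_fixed, SSL_OCSPCHECK_LEAF));
    return 0;
}
```
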

In , Ylavic-dev (ylavic-dev) wrote :

Thanks for spotting and the patch, applied in r1865740.
I will propose it for backport soon, waiting a bit for others' review.

In , Ylavic-dev (ylavic-dev) wrote :

Backported to 2.4.x (r1872226), will be in the next release.

In , tititou (christophe-jaillet) wrote :

This is part of 2.4.42

Athos Ribeiro (athos-ribeiro) wrote :

Despite the fact that we did not reproduce the mentioned issue while performing the triage for this bug, we did verify that the buggy code, patched by https://bz.apache.org/bugzilla/show_bug.cgi?id=63679, is present in focal.

The patch is available at https://bz.apache.org/bugzilla/attachment.cgi?id=36728&action=diff

Changed in apache2 (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in apache2 (Ubuntu Focal):
status: New → Triaged
importance: Undecided → Medium
Changed in apache2 (Ubuntu):
status: Triaged → Fix Released
Changed in apache2:
importance: Unknown → Medium
status: Unknown → Fix Released
Horst Platz (hp-localhorst) wrote :

dear ubuntu/apache maintainer,

please excuse my impatience. is there any release plan to get this fix finally done in the focal apache? this bug stops my effort to continue the dist-upgrade(s) from bionic to focal.

regards horst

Sergio Durigan Junior (sergiodj) wrote :

Thank you for your comment, Horst.

Although we were able to determine that this bug has been fixed upstream, we still need to come up with a simple(r) reproducer for it. We appreciate the fact that you provided steps to reproduce the bug in the description; this is really useful. We are now trying to devise a test case that doesn't involve obtaining a Let's Encrypt certificate, since that's not something realistic when you're running local tests in a container.

Would you be able to help us with this? A step-by-step recipe which involves only self-signed certificates would be really appreciated.

Thank you.

Horst Platz (hp-localhorst) wrote :

hi sergio,

test with selfsign: if i create selfsign there is no problem, because no chain, no ocsp_uri inside the cert.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~$ openssl s_client -showcerts -connect localhorst.org:443

:~$ vim localhorst.org.crt
-----BEGIN CERTIFICATE-----
MIIGXTCCBUWgAwIBAgISBCNdJoHGg0NSqEXm0XRZadzOMA0GCSqGSIb3DQEBCwUA
[...]
aW0N0xphYg5wtFU6uggKYxYBVRoqhn0D264eEYOeQt9MmHy2cD2y3MfB7OE4xT12
xA==
-----END CERTIFICATE-----

:~$ openssl x509 -in localhorst.org.crt -noout -ocsp_uri
http://r3.o.lencr.org

the ocsp_uri is coming from the Let's Encrypt CA.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

when i am using selfsign. i create it in that way

SERVER=own.localhorst.org
openssl genrsa -out $SERVER.nopasskey 4096
openssl req -new -key $SERVER.nopasskey -out $SERVER.csr
openssl x509 -req -days 365 -in $SERVER.csr -signkey $SERVER.nopasskey -out $SERVER.crt

:~$ openssl x509 -in own.localhorst.org.crt -noout -ocsp_uri
-> no output

:~$ openssl x509 -text -in own.localhorst.org.crt
    Issuer: C = DE, ST = NRW, L = Cologne, O = localhorst, OU = localhorst, CN = own.localhorst.org
   Subject: C = DE, ST = NRW, L = Cologne, O = localhorst, OU = localhorst, CN = own.localhorst.org

-> no chain

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~# vim /etc/hosts
127.0.0.1 proxy.localhorst.org
127.0.0.2 own.localhorst.org

:~# sh /usr/share/doc/apache2/examples/setup-instance own
:~# sh /usr/share/doc/apache2/examples/setup-instance proxy

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

i create a https apache

:~$ vim /etc/apache2-own/sites-enabled/own.conf
<VirtualHost 127.0.0.2:443>
  ServerName own.localhorst.org

  SSLEngine On
  SSLCertificateFile /etc/apache2-own/ssl/own.localhorst.org.crt
  SSLCertificateKeyFile /etc/apache2-own/ssl/own.localhorst.org.nopasskey

  DocumentRoot /var/www/html-own

  <Directory /var/www/html-own>
    DirectoryIndex index.html
    Options -Indexes
    AllowOverride None
    Require all granted
  </Directory>

  #LogLevel info ssl:warn

  ErrorLog ${APACHE_LOG_DIR}/own_error.log
  CustomLog ${APACHE_LOG_DIR}/own_access.log combined
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

- - - - - - - - - - - - - - - - - - - - - - - - -

:~# mkdir /var/www/html-own
:~# vim /var/www/html-own/index.html
own

:~# curl -k https://own.localhorst.org
own

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

and a proxy apache

:~# vim /etc/apache2-proxy/sites-enabled/000-default.conf
<VirtualHost 127.0.0.1:80>
    ServerName proxy.localhorst.org

    ProxyPreserveHost Off
    ProxyRequests Off

    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On
    SSLProxyVerifyDepth 0
    SSLProxyCACertificateFile /etc/apache2-own/ssl/own.localhorst.org.crt
    SSLProxyCipherSuite ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-GCM-SHA384
    SSLProxyProtocol -all +TLSv1.2

    ProxyPass / https://own.localhorst.org/

    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/localhorst_access.log common
...

Horst Platz (hp-localhorst) wrote :

hi sergio,

maybe i have a solution with selfsign.

overall i recreated the apache packages with the new version 2.4.41-4ubuntu3.3 and used only the patch with the two rows involved.

then i found a description to create a rootCA with ocsp inside

https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html

i copy and paste it straight forward and got the files

enduser-example.com.key
enduser-example.com.crt
enduser-example.com.chain

and in the cert is an ocsp uri

:~# openssl x509 -in enduser-example.com.crt -noout -ocsp_uri
http://pki.sparklingca.com/ocsp/
http://pki.backup.com/ocsp/

at that point these ocsp responders do not exist.

i reconfigure the apache from above with that selfsign cert

:~# vim /etc/apache2-own/sites-available/own.conf
<VirtualHost 127.0.0.2:443>
  ServerName own.localhorst.org

  SSLEngine On
  SSLCertificateFile /etc/apache2-own/ssl/enduser-example.com.crt
  SSLCertificateChainFile /etc/apache2-own/ssl/enduser-example.com.chain
  SSLCertificateKeyFile /etc/apache2-own/ssl/enduser-example.com.key

  DocumentRoot /var/www/html-own

  <Directory /var/www/html-own>
    DirectoryIndex index.html
    Options -Indexes
    AllowOverride None
    Require all granted
  </Directory>

  #LogLevel info ssl:warn

  ErrorLog ${APACHE_LOG_DIR}/own_error.log
  CustomLog ${APACHE_LOG_DIR}/own_access.log combined
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~# vim /etc/apache2-proxy/sites-enabled/000-default.conf
<VirtualHost 127.0.0.1:80>
    ServerName proxy.localhorst.org

    ProxyPreserveHost Off
    ProxyRequests Off

    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/apache2-own/ssl/enduser-example.com.chain
    SSLProxyCipherSuite ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-GCM-SHA384
    SSLProxyProtocol -all +TLSv1.2

    ProxyPass / https://own.localhorst.org/

    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/localhorst_access.log common
</VirtualHost>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~# curl http://proxy.localhorst.org
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
The proxy server could not handle the request<p>Reason: <strong>Error during SSL Handshake with remote server</strong></p><p />
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at proxy.localhorst.org Port 80</address>
</body></html>

:~# cat /var/log/apache2-proxy/error.log
[Fri Jul 02 15:59:51.503320 2021] [ssl:debug] [pid 61838:tid 140404689173568] ssl_engine_init.c(2060): AH02209: CA certificate: CN=Localhorst root CA,OU=local,O=ciss,L=Cologne,ST=NRW,C=DE
[Fri Jul 02 15:59:51.504788 2021] [ssl:debug] [pid 61838:tid 140404689173568] ssl_engine_init.c(2060): AH02209: CA certificate: OU=zzz,O=loca,C=DE,ST=NRW,CN=Localhorst intermediat CA
[Fri Jul 02 15:59:51.520258 2021] [ssl:debug] [pid 61839:tid 140404689173568] ssl_engine_init.c(2060): AH02209: CA certificate: CN=Lo...


Christian Ehrhardt  (paelzer) wrote :

Thank you, I think we have everything in place to check if this is SRUable by a backport.

@Sergio / @Athos - I missed before that this was blocked mostly on chained/real certificates :-/ Due to other fixes that I've done I have means to set up and drive real certbot based tests on canonistack. I don't want to waste Horst's work on local-tests but to make things better I wanted to ask if we could do a joint session re-creating this so you can in future do that as well?

tags: added: server-next
Christian Ehrhardt  (paelzer) wrote :

SRU template added to the bug in preparation to entering the SRU process.

I've created a PPA with the identified change backported:
  https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4603/+packages

And a merge proposal along that
  https://code.launchpad.net/~paelzer/ubuntu/+source/apache2/+git/apache2/+merge/405164

@Horst - if you have a test setup around, verifying whether that PPA indeed helps would be awesome.

description: updated
Horst Platz (hp-localhorst) wrote :

hi christian,

looks good for me.

what i did on a test system closer to production. to get things working with the buggy version revert the workaround to require

#SSLProxyVerify none
SSLProxyVerify require

pull your packages

wget https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4603/+files/apache2_2.4.41-4ubuntu3.4~focalppa1_amd64.deb
wget https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4603/+files/apache2-bin_2.4.41-4ubuntu3.4~focalppa1_amd64.deb
wget https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4603/+files/apache2-utils_2.4.41-4ubuntu3.4~focalppa1_amd64.deb
wget https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4603/+files/apache2-data_2.4.41-4ubuntu3.4~focalppa1_all.deb

and install it. in the logs no error

200 200 200 [05/Jul/2021:10:50:03.272 +0200] ...

cross check install the buggy version from the local apt cache. got 500'er

500 500 - [05/Jul/2021:10:56:03.629 +0200]

cross check again install your ppa version

200 200 200 [05/Jul/2021:10:58:03.291 +0200]

worked for me. fingers crossed that a new version is coming soon in the official repository

thx horst
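
The comment above switches the `SSLProxyVerify none` workaround back to `require` before testing. The script below is an added example, not part of the original comment, that flags proxy vhosts still running with verification off once the fixed package is installed; the function name and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): flag proxy vhosts whose backend
# certificate verification is off, e.g. a leftover "SSLProxyVerify none".

# Constructed sample config; addresses and host names are placeholders.
SAMPLE_CONF='<VirtualHost 127.0.0.1:80>
    ServerName proxy-a.example.test
    SSLProxyEngine On
    SSLProxyVerify none
    #SSLProxyVerify require
    ProxyPass / https://backend-a.example.test/
</VirtualHost>
<VirtualHost 127.0.0.1:81>
    SSLProxyEngine On
    SSLProxyVerify require
    ProxyPass / https://backend-b.example.test/
</VirtualHost>
<VirtualHost 127.0.0.1:82>
    sslproxyengine on
    ProxyPass / https://backend-c.example.test/
</VirtualHost>'

# audit_proxy_verify: reads Apache config on stdin and prints one line per
# <VirtualHost> that has SSLProxyEngine on without "SSLProxyVerify require"
# (the directive defaults to "none"). Exit status is 1 if anything is flagged.
# Assumption: only directives inside the vhost block are looked at.
audit_proxy_verify() {
    awk '
        /^[ \t]*#/ { next }                  # ignore commented-out directives
        { key = tolower($1) }                # directive names are case-insensitive
        key ~ /^<virtualhost/ {
            vhost = $2; sub(/>$/, "", vhost)
            start = NR; engine = 0; verify = "unset"
        }
        key == "sslproxyengine" { engine = (tolower($2) == "on") }
        key == "sslproxyverify" { verify = tolower($2) }
        key ~ /^<\/virtualhost/ {
            if (engine && verify != "require") {
                printf "line %d: vhost %s: SSLProxyVerify=%s\n", start, vhost, verify
                found = 1
            }
            engine = 0
        }
        END { exit found + 0 }
    '
}

printf '%s\n' "$SAMPLE_CONF" | audit_proxy_verify || echo "weak proxy verification found"
```

Against a real file the call is `audit_proxy_verify < /etc/apache2-proxy/sites-enabled/000-default.conf`; settings inherited from the server-level config are not modelled.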

Robie Basak (racb) wrote : Please test proposed package

Hello Horst, or anyone else affected,

Accepted apache2 into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apache2 (Ubuntu Focal):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-focal
Robie Basak (racb) wrote :

Accepted, but I wonder if it's worth testing that the regular non-proxy case OCSP check is still working correctly (for the various good/revoked/unknown/unreachable responses), as it'd be fairly disastrous from a security perspective if that regressed due to this update. Could this be done before landing this into focal-updates please?

description: updated
Christian Ehrhardt  (paelzer) wrote :

I was testing the non-proxy case as requested by Robie.

@Horst - could you do the real proxy case testing?

P.S. After so many years of joking about "localhorst" it is great to meet THE localhorst :-)

Setup is following:
  https://cwiki.apache.org/confluence/display/httpd/OCSPStapling
After enabling ssl/letsencrypt that means enabling OCSP like:
        SSLUseStapling On
        SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)
to /etc/apache2/mods-available/ssl.conf

After that testing is inspired by
https://www.digicert.com/kb/ssl-support/apache-enable-ocsp-stapling-on-server.htm

$ echo " " | openssl s_client -showcerts -connect apache-certbot-focal.dd-dns.de:443 -status |& grep -i ocsp
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response

I was updating that system to the version from proposed.
ubuntu@cpaelzer-amd64-certbot4:~$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  apache2 apache2-bin apache2-data apache2-utils libuv1
5 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 standard security update
Need to get 1599 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://us.archive.ubuntu.com/ubuntu focal-proposed/main amd64 apache2 amd64 2.4.41-4ubuntu3.4 [95.5 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu focal-proposed/main amd64 apache2-bin amd64 2.4.41-4ubuntu3.4 [1180 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu focal-proposed/main amd64 apache2-data all 2.4.41-4ubuntu3.4 [159 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu focal-proposed/main amd64 apache2-utils amd64 2.4.41-4ubuntu3.4 [84.0 kB]
Get:5 http://us.archive.ubuntu.com/ubuntu focal-security/main amd64 libuv1 amd64 1.34.2-1ubuntu1.3 [80.8 kB]
Fetched 1599 kB in 0s (42.0 MB/s)
(Reading database ... 126331 files and directories currently installed.)
Preparing to unpack .../apache2_2.4.41-4ubuntu3.4_amd64.deb ...
Unpacking apache2 (2.4.41-4ubuntu3.4) over (2.4.41-4ubuntu3.3) ...
Preparing to unpack .../apache2-bin_2.4.41-4ubuntu3.4_amd64.deb ...
Unpacking apache2-bin (2.4.41-4ubuntu3.4) over (2.4.41-4ubuntu3.3) ...
Preparing to unpack .../apache2-data_2.4.41-4ubuntu3.4_all.deb ...
Unpacking apache2-data (2.4.41-4ubuntu3.4) over (2.4.41-4ubuntu3.3) ...
Preparing to unpack .../apache2-utils_2.4.41-4ubuntu3.4_amd64.deb ...
Unpacking apache2-utils (2.4.41-4ubuntu3.4) over (2.4.41-4ubuntu3.3) ...
Preparing to unpack .../libuv1_1.34.2-1ubuntu1.3_amd64.deb ...
Unpacking libuv1:amd64 (1.34.2-1ubuntu1.3) over (1.34.2-1ubuntu1.1) ...
Setting up apache2-bin (2.4.41-4ubuntu3.4) ...
Setting up libuv1:amd64 (1.34.2-1ubuntu1.3) ...
Setting up apache2-data (2.4.41-4ubuntu3.4) ...
Setting up apache2-utils (2.4.41-4ubuntu3.4) ...
Setting up apache2 (2.4.41-4ubuntu3.4) ...
Processing triggers for ufw (0.36-6) ...
Processing triggers for systemd (245.4-4ubuntu3.7) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9.2) ...

Restart due to the update was ...
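
The `grep -i ocsp` filter used above shows the responder status but drops the `Cert Status:` line, which is what separates the good/revoked/unknown cases raised in the earlier review comment. The script below is an added example, not part of the original comment; the sample excerpts are constructed and abbreviated, and `classify_ocsp` and `check_host` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the bug report): classify the stapled OCSP answer
# found in the output of "openssl s_client -status".

# Constructed, abbreviated s_client excerpts (not captured from a real host).
SAMPLE_GOOD='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good'
SAMPLE_REVOKED='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Jul  1 12:00:00 2021 GMT'
SAMPLE_UNKNOWN='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: unknown'
SAMPLE_TRYLATER='OCSP response:
OCSP Response Data:
    OCSP Response Status: trylater (0x3)'
SAMPLE_NONE='OCSP response: no response sent'

# classify_ocsp: reads s_client output on stdin and prints one of
#   good | revoked | unknown | no-staple | error:<responder status> | unparsed
# "successful" only means the responder answered; the verdict is Cert Status.
classify_ocsp() {
    awk '
        /OCSP response: no response sent/ { verdict = "no-staple" }
        /OCSP Response Status:/ && $4 != "successful" { verdict = "error:" $4 }
        /Cert Status:/ && verdict == "" { verdict = $3 }
        END { print (verdict == "" ? "unparsed" : verdict) }
    '
}

# check_host HOST:PORT - live use; needs network access, so it is not run here.
check_host() {
    echo | openssl s_client -connect "$1" -status 2>/dev/null | classify_ocsp
}

for s in "$SAMPLE_GOOD" "$SAMPLE_REVOKED" "$SAMPLE_UNKNOWN" "$SAMPLE_TRYLATER" "$SAMPLE_NONE"; do
    printf '%s\n' "$s" | classify_ocsp
done
```

Running `check_host` before and after the package upgrade gives a one-word result per host that can be compared directly.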


Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (apache2/2.4.41-4ubuntu3.4)

All autopkgtests for the newly accepted apache2 (2.4.41-4ubuntu3.4) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

gvfs/1.44.1-1ubuntu1 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#apache2

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Horst Platz (hp-localhorst) wrote :

from my perspective looks good with the new version from focal-proposed

p.s. @christian what should i say with that name and that kind of job :-)

what i did in detail. took the configs and the checks from above and tested the proposed version. on a virtual test box and the machine closer to production. each time i came from the current apache version.

:~# dpkg -l | grep apache2
ii apache2 2.4.41-4ubuntu3.3 amd64 Apache HTTP Server
ii apache2-bin 2.4.41-4ubuntu3.3 amd64 Apache HTTP Server (modules and other binary files)
ii apache2-data 2.4.41-4ubuntu3.3 all Apache HTTP Server (common files)
ii apache2-utils 2.4.41-4ubuntu3.3 amd64 Apache HTTP Server (utility programs for web servers)

switch on "SSLProxyVerify require" wait that the errors are coming across and after installation from the proposed

:~# apt-get install apache2/focal-proposed
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen.... Fertig
Version »2.4.41-4ubuntu3.4« (Ubuntu:20.04/focal-proposed [amd64]) für »apache2« gewählt.
Version »2.4.41-4ubuntu3.4« (Ubuntu:20.04/focal-proposed [amd64]) für »apache2-bin« gewählt aufgrund von »apache2«.
Version »2.4.41-4ubuntu3.4« (Ubuntu:20.04/focal-proposed [all]) für »apache2-data« gewählt aufgrund von »apache2«.
Version »2.4.41-4ubuntu3.4« (Ubuntu:20.04/focal-proposed [amd64]) für »apache2-utils« gewählt aufgrund von »apache2«.
Die folgenden zusätzlichen Pakete werden installiert:
  apache2-bin apache2-data apache2-utils
Vorgeschlagene Pakete:
  apache2-doc apache2-suexec-pristine | apache2-suexec-custom www-browser
Die folgenden Pakete werden aktualisiert (Upgrade):
  apache2 apache2-bin apache2-data apache2-utils
4 aktualisiert, 0 neu installiert, 0 zu entfernen und 0 nicht aktualisiert.
Es müssen 1.518 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 0 B Plattenplatz zusätzlich benutzt.
Möchten Sie fortfahren? [J/n]
Holen:1 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 apache2 amd64 2.4.41-4ubuntu3.4 [95,5 kB]
Holen:2 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 apache2-bin amd64 2.4.41-4ubuntu3.4 [1.180 kB]
Holen:3 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 apache2-data all 2.4.41-4ubuntu3.4 [159 kB]
Holen:4 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 apache2-utils amd64 2.4.41-4ubuntu3.4 [84,0 kB]
Es wurden 1.518 kB in 1 s geholt (1.257 kB/s).
(Lese Datenbank ... 113215 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von .../apache2_2.4.41-4ubuntu3.4_amd64.deb ...
Entpacken von apache2 (2.4.41-4ubuntu3.4) über (2.4.41-4ubuntu3.3) ...
Vorbereitung zum Entpacken von .../apache2-bin_2.4.41-4ubuntu3.4_amd64.deb ...
Entpacken von apache2-bin (2.4.41-4ubuntu3.4) über (2.4.41-4ubuntu3.3) ...
Vorbereitung zum Entpacken von .../apache2-data_2.4.41-4ubuntu3.4_all.deb ...
Entpacken von apache2-data (2.4.41-4ubuntu3.4) über (2.4.41-4ubuntu3.3) ...
Vorbereitung zum Entpacken von .../apa...


tags: added: verification-done-focal
removed: verification-needed-focal
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.41-4ubuntu3.4

---------------
apache2 (2.4.41-4ubuntu3.4) focal; urgency=medium

  * d/p/lp-1930430-Backport-r1865740.patch: fix OCSP in proxy mode
    (LP: #1930430)

 -- Christian Ehrhardt <email address hidden> Mon, 05 Jul 2021 09:16:56 +0200

Changed in apache2 (Ubuntu Focal):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for apache2 has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
