apache reverse-proxy error

[mqu]

Description of problem

I have Kiwi-TCSM 13.5 behind apache reverse-proxy having this error when I open URL of application (error 500) :

Proxy Error
The proxy server could not handle the request

Reason: Error during SSL Handshake with remote server

Version or commit hash (if applicable)

Kiwi-TCSM 13.5

---

did not understand why having this error, tried many things before finding internal Kiwi-TCMS certificate was expired :

openssl s_client -connect localhost:EXTERNAL-PORT
...
Certificate chain
 0 s:C = BG, L = Sofia, O = Kiwi TCMS, OU = Quality Engineering, CN = buildkitsandbox
   i:C = BG, L = Sofia, O = Kiwi TCMS, OU = ca-9030488614878644057, CN = buildkitsandbox
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug  6 20:03:40 2024 GMT; NotAfter: Sep  8 20:03:40 2025 GMT

apache configuration

Applying this configuration allow Apache Reverse-proxy to deliver Kiwi-TCSM again (SSLProxyCheckPeerExpire):

    SSLProxyEngine On
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off
    SSLProxyVerify none
    SSLProxyCheckPeerExpire off

It is now impossible to make Kiwi-TCSM expose on HTTP (80) port without SSL. Default certificate is not (may not) be valid for 10 years.

related links and docs

• https://kiwitcms.readthedocs.io/en/latest/installing_docker.html
• issue Remove HTTPS and SSL #997 - Remove HTTPS and SSL
• enable plain text HTTP access option (KIWI_DONT_ENFORCE_HTTPS) disabled

[mqu]

Certificate is generated at docker image build time, with sscg utility.

It may be usefull to extend certificate lifetime to 2 ou 3 years, using option : --lifetime 1095

best regards, Marc.