"OHS 11g (mod_proxy) -- https -- OHS 11g" Setup Fails with NZ-29024 When SSLVerifyClient Set to Require (Doc ID 1218383.1)

Last updated on FEBRUARY 16, 2017

Applies to:

Oracle HTTP Server - Version 11.1.1.2.0 to 11.1.1.6.0 [Release Oracle11g]
Information in this document applies to any platform.
**Checked for relevance on 08-JAN-2014 ***

Symptoms

In a OHS 11g (a) <- mod_proxy / https -> OHS 11g (b) setup where we have "SSLVerifyClient require" in (b) <instance home>/config/OHS/<ohs instance>/ssl.conf to require a SSL client certificate, the handshake fails with the following errors in (b) error_log file:

2010-02-10T15:14:17.1431+01:00] [OHS] [ERROR:32] [] [http_core.c] [host_id: myhost] [host_addr: 10.174.108.109] [pid: 31529] [tid: 3011054480] [user: ias] [VirtualHost: myhost.mydomain:4444] NZ Library Error: Invalid X509 certificate chain [Hint: the client probably doesn't provide a valid client certificate]

[2010-02-10T15:14:17.1431+01:00] [OHS] [ERROR:32] [] [http_core.c] [host_id: myhost] [host_addr: 10.174.108.109] [pid: 31529] [tid: 3011054480] [user: ias] [VirtualHost: myhost.mydomain:4444] nzos handshake error, nzos_Handshake returned 29024(server myhost.mydomain:4444, client 10.167.241.19)

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms