How to Fix Apache SSL Input Filter Read Failed and Request Header Timeout Errors with Self-Signed Certificates



When working with self-signed SSL certificates in Apache on localhost, you might see error-log entries like these even though the site loads normally:

AH01964: Connection to child 0 established
(70014)End of file found: [client 127.0.0.1:32839] AH01991: SSL input filter read failed
[client 127.0.0.1:32840] AH01382: Request header read timeout

Interestingly, the browser renders content perfectly despite these errors appearing in logs.

These messages typically occur due to:

  • Browser behavior with keep-alive connections
  • Self-signed certificate validation quirks
  • Apache's SSL module being overly verbose

The key insight: These are not actual failures but rather artifacts of how modern browsers handle SSL connections.
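To check that claim against your own error log before lowering LogLevel, the following added example (not part of the original page) separates the three localhost entries shown above from anything else that `LogLevel warn` would also stop logging. The sample lines, the 192.0.2.10 client and the function name `triage` are constructed for illustration, and the line layout assumes Apache 2.4's default ErrorLogFormat.

```python
import re
from collections import Counter

NOISE = {"AH01964", "AH01991", "AH01382"}   # the three entries from the article
# Levels that `LogLevel warn` stops writing to the error log.
BELOW_WARN = {"info", "debug"} | {f"trace{n}" for n in range(1, 9)}
EOF_STATUS = "70014"                        # APR "End of file found"
LOOPBACK = {"127.0.0.1", "::1"}

LINE = re.compile(
    r"\[(?P<module>[\w.]+):(?P<level>\w+)\] \[pid [^\]]+\] "
    r"(?:[\w.]+\(\d+\): )?"                  # source file(line), logged at debug
    r"(?:\((?P<status>\d+)\)[^:]*: )?"       # APR status such as (70014)...
    r"(?:\[client (?P<ip>[^\]]+):\d+\] )?"
    r"(?P<code>AH\d{5}): "
)

# Constructed sample in Apache 2.4's default ErrorLogFormat (not real log data).
SAMPLE = """\
[Mon Jan 01 10:00:00.000001 2024] [ssl:debug] [pid 4242] mod_ssl.c(604): [client 127.0.0.1:32839] AH01964: Connection to child 0 established (server localhost:443)
[Mon Jan 01 10:00:05.000002 2024] [ssl:info] [pid 4242] (70014)End of file found: [client 127.0.0.1:32839] AH01991: SSL input filter read failed.
[Mon Jan 01 10:00:05.000003 2024] [reqtimeout:info] [pid 4243] [client 127.0.0.1:32840] AH01382: Request header read timeout
[Mon Jan 01 10:00:09.000004 2024] [ssl:info] [pid 4244] (104)Connection reset by peer: [client 127.0.0.1:32841] AH01991: SSL input filter read failed.
[Mon Jan 01 10:00:12.000005 2024] [ssl:info] [pid 4245] (70014)End of file found: [client 192.0.2.10:50112] AH01991: SSL input filter read failed.
"""

def triage(lines):
    """Split error-log lines into the article's localhost noise and the rest."""
    noise, review = Counter(), []
    for line in filter(None, map(str.strip, lines)):
        m = LINE.search(line)
        if m is None:
            review.append(("unparsed", line))
            continue
        code = m["code"]
        # AH01991 only matches the article's pattern when the status is EOF.
        expected = code in NOISE and (code != "AH01991" or m["status"] == EOF_STATUS)
        if expected and m["ip"] in LOOPBACK:
            noise[code] += 1
        else:
            hidden = m["level"] in BELOW_WARN
            review.append(("hidden by LogLevel warn" if hidden else "still logged", line))
    return noise, review

if __name__ == "__main__":
    noise, review = triage(SAMPLE.splitlines())
    print("matches the article's pattern:", dict(noise))
    for reason, line in review:
        print(f"review ({reason}): {line}")
```

Entries reported as "hidden by LogLevel warn" are the ones to read before changing the log level, since they will no longer be written afterwards.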

Here's an optimized SSL configuration for development environments:

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem
    
    # Reduce log noise
    LogLevel warn
    ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P] %F: %E: %M"
    
    # Adjust timeouts
    TimeOut 300
    KeepAliveTimeout 5
    MaxKeepAliveRequests 100
    
    # Specific SSL optimizations
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
</VirtualHost>

Option 1: Adjust Log Levels
Add this to your virtual host configuration:

# "ssl" is the module name LogLevel accepts for mod_ssl
LogLevel ssl:warn

Option 2: Certificate Trust Chain
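Generate a certificate for localhost that carries the subjectAltName entries browsers check (note that this command produces a self-signed certificate, not a CA-signed one):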

openssl req -x509 -newkey rsa:4096 -sha256 -nodes \
  -keyout localhost.key -out localhost.crt -subj "/CN=localhost" \
  -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"

Modern browsers implement various SSL optimizations that can trigger these messages:

  • Chrome's connection prefetching
  • Firefox's TLS session resumption
  • Edge's fast-fallback mechanisms

These behaviors often cause the SSL handshake to abort prematurely from Apache's perspective.

To confirm everything is working correctly:

openssl s_client -connect localhost:443 -servername localhost -status \
  -CAfile /path/to/your/cert.crt

Look for these indicators in the output:

Verify return code: 0 (ok)
Extended master secret: yes
Session resumption: supported

When working with self-signed SSL certificates in Apache, developers often encounter these specific log entries:

AH01964: Connection to child X established
(70014)End of file found: [client 127.0.0.1:XXXXX] AH01991: SSL input filter read failed
[client 127.0.0.1:XXXXX] AH01382: Request header read timeout

Despite these errors appearing in logs, browsers successfully load all content - HTML, CSS, JavaScript, and other assets. This contradiction between log warnings and functional behavior is particularly confusing.

Three primary factors contribute to these SSL-related log entries:

  1. Connection Handling Differences: Apache manages HTTP and HTTPS connections differently at the MPM (Multi-Processing Module) level
  2. KeepAlive Behavior: SSL connections have different keepalive characteristics than plain HTTP
  3. Self-Signed Certificate Verification: Browsers handle self-signed certs differently than CA-signed certificates

The described setup shows proper SSL configuration elements:

SSLEngine on
SSLCertificateFile /path/to/website/x.com.crt
SSLCertificateKeyFile /path/to/website/x.com.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

However, we can optimize this further. Here's an improved virtual host configuration:

<VirtualHost *:443>
    ServerName x.com
    DocumentRoot /var/www/html
    
    SSLEngine on
    SSLCertificateFile /path/to/website/x.com.crt
    SSLCertificateKeyFile /path/to/website/x.com.key
    
    # SSL Optimization Parameters
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
    
    # Connection handling
    KeepAlive On
    MaxKeepAliveRequests 100
    KeepAliveTimeout 5
    
    # Logging adjustments
    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
    
    # Default value: clients that do not send SNI can still reach this virtual host
    SSLStrictSNIVHostCheck off
</VirtualHost>

1. Adjusting KeepAlive Settings

The timeout errors often stem from KeepAlive behavior. Try these settings:

KeepAlive On
KeepAliveTimeout 2
MaxKeepAliveRequests 50

2. Modifying Log Levels

To reduce log noise without losing important information:

LogLevel warn ssl:warn

This keeps SSL warnings and errors while suppressing mod_ssl's informational messages.

3. Browser-Specific Workarounds

Modern browsers may handle self-signed certificates differently. For development purposes, you might want to:

  • Add the certificate to your browser's trusted store
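  • Use Chrome with the --ignore-certificate-errors flag, which turns off certificate validation for every site opened in that browser instance, so keep it to a dedicated development profile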
  • Configure Firefox to accept your specific self-signed cert

After making changes, verify with:

sudo apachectl configtest
sudo systemctl restart apache2

Then check your logs for improvements:

tail -f /var/log/apache2/ssl_error.log

For development environments, consider these alternatives to self-signed certificates:

# Using mkcert (recommended for local development)
brew install mkcert  # macOS
mkcert -install
mkcert x.com localhost 127.0.0.1 ::1

Or using Let's Encrypt for development:

# Using certbot with DNS challenge for local development
sudo apt install certbot
certbot certonly --manual --preferred-challenges=dns -d x.com