
The proxy server could not handle the request. Reason: AH00898 Error during SSL Handshake with remote server

20 hours ago
CoronaGis
Emerging Contributor
We are currently experiencing intermittent HTTP 500 errors in our ArcGIS Enterprise deployment and we would like to ask for your support to better understand the root cause.

 

Our architecture is the following:
- An Apache load balancer distributes traffic across two servers: server10 and server11
- Each server hosts a full ArcGIS Enterprise stack on Linux: Web Adaptor (Tomcat), Portal for ArcGIS, ArcGIS Server and DataStore.

- The features are published as hosted feature services in the DataStores.

When accessing the application via DNS name:
https://mydns.domain.com/portal/apps/webappviewer/index.html?id=xyzx

the system correctly routes the request to one of the two nodes and the web map is successfully displayed. The map is public.

However, when the number of requests increases (for example by refreshing the page multiple times in a brief time), we intermittently receive HTTP 500 errors such as:
  • Server error!
    The server encountered an internal error and was unable to complete your request.
    Error message:
    The proxy server could not handle the request
    Reason: AH00898 Error during SSL Handshake with remote server
    If you think this is a server error, please contact the webmaster.
    Error 500
    mydns.domain.com
    Apache
  • Unable to load https://mydns.domain.com/portal/apps/webappviewer/index.html?id=xyzx status: 500

    When the errors began to show, we tried to connect to the REST services with the DNS and we got the same error (e.g. using https://mydns.domain.com/server/rest/services/Hosted/Capacity/FeatureServer), but when we connected directly to the machines' REST services we didn't get the error (e.g. using https://server10.domain.com:6443/server/rest/services/Hosted/Capacity/FeatureServer or https://server11.domain.com:6443/server/rest/services/Hosted/Capacity/FeatureServer).

    We think the error is generated by Apache.
    From our analysis:
    - ArcGIS Server and Portal logs on both nodes do not show any error if we use the direct connection to the data
    - Both servers have sufficient resources (CPU and memory are not saturated)
    - By bypassing the DNS and Apache load balancer and directly calling each node (port 6443), all requests succeed and HTTP 500 errors are not observed (only occasional timeouts)
    - Increasing the Apache proxy timeout reduces the frequency of errors
    - We observed inconsistent behavior at UI level: sometimes the map loads correctly, sometimes a 500 error occurs, and sometimes a login prompt appears even though the application is public

    Regarding certificates:
    - Initially, the self-signed certificates contained an incorrect DNS (old hostname)
    - We generated new self-signed certificates with correct SAN entries and installed them on:
      - ArcGIS Server
      - Portal for ArcGIS
      - Tomcat (Web Adaptor)

    At this point we noticed that ESRI documentation usually recommends using CA-signed certificates, but during the original installation performed with ESRI support, a self-signed certificate was configured.

     

    We are now trying to understand whether the use of a self-signed certificate could be the root cause of the intermittent SSL handshake issues.

     

    From our tests (using openssl), we still see:
    Verify return code: 18 (self-signed certificate)

     

    This suggests that the certificate is not fully trusted at the OS level.

     

    Our questions are:
    1. Can the use of self-signed certificates in this architecture (Apache + Web Adaptor + ArcGIS Server HA) lead to intermittent SSL handshake failures and HTTP 500 errors?
    2. Is it mandatory/recommended in this scenario to use CA-signed certificates for all components (Apache, Portal, Server, Web Adaptor)?
    3. Could there be any other ArcGIS-specific configuration (Web Adaptor / Portal / Server / load balancing) that may cause this behavior?
    4. Are there known issues or best practices for SSL configuration in HA deployments behind Apache reverse proxy that we should consider?


    We have requested to put the self-signed certificate in the trusted folder of Linux but in the meantime we would appreciate your guidance to understand whether the issue is entirely certificate-related or if further investigation is needed on the ArcGIS side.

     

    Thank you very much for your support.
0 Kudos
1 Reply
GlenterpriseUK
Esri Contributor

Hi @CoronaGis,

I hope you are well. Thanks for posting this.

Looking at your detailed post, it does not seem like an issue related to ArcGIS Enterprise. It might be more aligned with your investigation that the issue is on Apache Proxy. I did search a bit and was able to find the following:

apache 2.2 - proxy:error AH00898: Error during SSL Handshake with remote server - Server Fault

Apache reverse proxy AH00898 - Error during SSL Handshake with remote server

I would recommend that you read through those posts, and if you are still unable to resolve it, the next step would be to log a support case with Esri Support. As part of troubleshooting, we might need sensitive information like logs, and that should be shared via the appropriate channel.

Regards,

Glen
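
An added diagnostic sketch for the question raised in this thread (not code from either poster, Esri or Apache): it runs repeated, fully verified TLS handshakes against each backend and separates certificate-verification failures, which repeat on every handshake against the same certificate and trust store, from timeouts and resets. The host names and port 6443 come from the post; the `cafile` path is a placeholder, and `cafile=None` checks against the OS trust store instead.

```python
import socket
import ssl
from collections import Counter

# OpenSSL X509 verify codes; 18 is the one quoted in the thread.
TRUST_CODES = {
    10: "certificate expired",
    18: "self-signed, not in trust store",
    19: "self-signed CA in chain",
    20: "issuer not found locally",
    62: "hostname mismatch",
}

def classify(exc):
    """Map a handshake outcome (None or an exception) to (kind, detail)."""
    if exc is None:
        return ("ok", "")
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        return ("trust", TRUST_CODES.get(code, f"verify code {code}"))
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return ("transient", "timeout")
    return ("transient", type(exc).__name__)  # reset, refused, other TLS error

def probe(host, port, cafile=None, attempts=20, timeout=5.0):
    """Run repeated verified handshakes; cafile=None uses the OS trust store."""
    ctx = ssl.create_default_context(cafile=cafile)  # checks chain and hostname
    results = []
    for _ in range(attempts):
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results.append(classify(None))
        except OSError as exc:
            results.append(classify(exc))
    return results

def summarize(results):
    """Reduce per-handshake outcomes to a verdict plus counts per kind."""
    kinds = Counter(kind for kind, _ in results)
    if results and kinds["trust"] == len(results):
        verdict = "trust failure on every handshake"
    elif kinds["trust"]:
        verdict = "trust failure on some handshakes"
    elif kinds["transient"]:
        verdict = "intermittent transport failure"
    else:
        verdict = "all handshakes verified"
    return verdict, dict(kinds)

if __name__ == "__main__":
    for host in ("server10.domain.com", "server11.domain.com"):  # from the post
        # Placeholder path: PEM file holding the backend's self-signed cert.
        print(host, summarize(probe(host, 6443, cafile="/path/to/backend-cert.pem")))
```

Run it from the Apache host, once with the backend certificate as `cafile` and once with `cafile=None`, so the result reflects what the proxy's own network path and trust store see.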