Apache proxying for backends with self-signed, invalid or expired certificates

When proxying for an HTTPS backend, Apache will attempt to verify the validity of the certificate provided by that backend. In cases where the backend is using a self-signed, invalid or expired certificate, this will fail with an internal server error (HTTP status code 500) and messages such as these in the server's error log:

[proxy:error] [pid 15150] (502)Unknown error 502: [client 8.8.8.8:43894] AH01084: pass request body failed to 8.8.4.4:443 (8.8.4.4)
[proxy:error] [pid 15150] [client 8.8.8.8:43894] AH00898: Error during SSL Handshake with remote server returned by /path/to/file.html
[proxy_http:error] [pid 15150] [client 8.8.8.8:43894] AH01097: pass request body failed to 8.8.4.4:443 (8.8.4.4) from 8.8.8.8 ()

Now, self-signed, invalid or expired certificates are normally not a particularly good idea, but as long as you are familiar with the pitfalls, there’s nothing inherently wrong with using them. To force Apache to allow it, all you need to do is include the following directives in the affected context (server/virtual host/proxy section):

SSLProxyCheckPeerCN off

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeercn

SSLProxyCheckPeerName off

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeername

SSLProxyCheckPeerExpire off

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeerexpire
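
The following configuration is an added example, not part of the original post. It places the three directives in a proxy section so they apply to one backend only, next to a second backend whose self-signed certificate is trusted explicitly with the checks left on. Host names, URL paths and file paths are placeholders.

```apache
# Added example; host names and file paths are placeholders.
# <Proxy> context for SSLProxy* directives needs httpd 2.4.30 or later.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/www.example.com.pem"
    SSLCertificateKeyFile "/etc/ssl/private/www.example.com.key"

    # Enable TLS for outbound proxy connections.
    SSLProxyEngine on

    # Backend 1: certificate has a wrong name or is expired.
    # The three directives from this page, applied to this backend only.
    <Proxy "https://legacy.internal.example/">
        SSLProxyCheckPeerCN     off
        SSLProxyCheckPeerName   off
        SSLProxyCheckPeerExpire off
    </Proxy>
    ProxyPass        "/legacy/" "https://legacy.internal.example/"
    ProxyPassReverse "/legacy/" "https://legacy.internal.example/"

    # Backend 2: self-signed certificate with a correct name, not expired.
    # Trust that one certificate and keep the name and expiry checks on.
    <Proxy "https://app.internal.example/">
        SSLProxyVerify            require
        SSLProxyCACertificateFile "/etc/apache2/ssl/app-backend-selfsigned.pem"
        SSLProxyCheckPeerName     on
        SSLProxyCheckPeerExpire   on
    </Proxy>
    ProxyPass        "/app/" "https://app.internal.example/"
    ProxyPassReverse "/app/" "https://app.internal.example/"
</VirtualHost>
```

Run apachectl configtest after editing to confirm the syntax before reloading.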