Re: SSL not working for ServerAlias through load balancer

We will check in the morning.

I am not sure about the typo, I cannot access it at the moment.

Thanks again for your efforts.


Sent from my iPad

> On May 12, 2015, at 5:52 PM, Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
> 
> You should then see "activity" with LogLevel debug, where does this lead?
> 
> (Note regarding *:443, you indicated *.443 -with a dot- in the
> original message, was that a typo?)
> 
>> On Tue, May 12, 2015 at 11:32 PM, Rose, John B <jbrose@xxxxxxx> wrote:
>> We checked netstat -an while attempting the https thru the browser. It
>> seems to be getting to the server.
>> 
>> tcp        0      0 xxx.xxx.xxx.xxx:443       yyy.yyy.yyy.yyy:35948     TIME_WAIT
>> tcp        0      0 xxx.xxx.xxx.xxx:443       yyy.yyy.yyy.yyy:36375     FIN_WAIT2
>> Etc.
>> 
>> 
>>> On 5/12/15 5:13 PM, "Yann Ylavic" <ylavic.dev@xxxxxxxxx> wrote:
>>> 
>>> Can't it be that the LB does not let the connection pass through?
>>> If the LB is not an SSL end point, it may block based on the Server
>>> Name Indication (SNI)?
>>> On the httpd side, maybe you could look at the network level if the
>>> connection with the client is established (netstat, tcpdump, ...).
>>> 
>>>> On Tue, May 12, 2015 at 11:02 PM, Rose, John B <jbrose@xxxxxxx> wrote:
>>>> It is not generating an entry in the Apache log files. Unless we have
>>>> missed it. But we believe we have looked thru them thoroughly.
>>>> 
>>>>> On 5/12/15 4:01 PM, "Yann Ylavic" <ylavic.dev@xxxxxxxxx> wrote:
>>>>> 
>>>>> Can you see the connection arrive, somehow timeout, and finally be
>>>>> logged on the Apache server?
>>>>> 
>>>>>> On Tue, May 12, 2015 at 9:53 PM, Rose, John B <jbrose@xxxxxxx> wrote:
>>>>>> Yann
>>>>>> 
>>>>>> All efforts appreciated.
>>>>>> 
>>>>>> First.abc.com goes thru a load balancer
>>>>>> 
>>>>>> http://first.abc.com
>>>>>> 
>>>>>> Works fine.
>>>>>> 
>>>>>> https://first.abc.com
>>>>>> 
>>>>>> does not
>>>>>> 
>>>>>> If I understand your question correctly.
>>>>>> 
>>>>>> John
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On 5/12/15 3:40 PM, "Yann Ylavic" <ylavic.dev@xxxxxxxxx> wrote:
>>>>>>> 
>>>>>>> Probably a silly question, but, is first.abc.com accessible (dns,
>>>>>>> route, ...) from the client host?
>>>>>>> 
>>>>>>> Regards,
>>>>>>> Yann.
>>>>>>> 
>>>>>>>> On Tue, May 12, 2015 at 9:12 PM, Rose, John B <jbrose@xxxxxxx> wrote:
>>>>>>>> We gave that a try based on your recommendation, but it did not change
>>>>>>>> the result.
>>>>>>>> 
>>>>>>>> We are still looking for an answer.
>>>>>>>> 
>>>>>>>> Thanks
>>>>>>>> 
>>>>>>>>> On 5/12/15 12:03 PM, "Jack Swan" <john.swan@xxxxxxxxxx> wrote:
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Occasionally we've had the spinning connecting problem here during some
>>>>>>>>> of our development.
>>>>>>>>> You might try clearing/deleting any certificates for that particular host
>>>>>>>>> in Firefox.
>>>>>>>>> 
>>>>>>>>> Tools->Options - Advanced.  Select View Certificates and delete/distrust
>>>>>>>>> the certs for that host.
>>>>>>>>> 
>>>>>>>>> Maybe that'll work.  It did for us.
>>>>>>>>> 
>>>>>>>>> ----- Original Message -----
>>>>>>>>> From: jbrose@xxxxxxx
>>>>>>>>> To: users@xxxxxxxxxxxxxxxx
>>>>>>>>> Sent: Tuesday, May 12, 2015 11:47:24 AM GMT -05:00 US/Canada Eastern
>>>>>>>>> Subject: Re: SSL not working for ServerAlias through load balancer
>>>>>>>>> 
>>>>>>>>> In Firefox we get the spinning "Connecting…" indicator in the tab, and it
>>>>>>>>> never advances any further.
>>>>>>>>> 
>>>>>>>>>> On 5/12/15 11:27 AM, "Rich Bowen" <rbowen@xxxxxxxxxxx> wrote:
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>>> On 05/12/2015 10:40 AM, Rose, John B wrote:
>>>>>>>>>>> Red Hat 7 Apache 2.4
>>>>>>>>>>> 
>>>>>>>>>>> We are using name based virtual hosts SSL configuration.
>>>>>>>>>>> 
>>>>>>>>>>> Which is working except not for one of our ServerAlias that goes thru a
>>>>>>>>>>> load balancer
>>>>>>>>>>> 
>>>>>>>>>>> Not using SSL works fine. We can access all these via the browser …
>>>>>>>>>>> 
>>>>>>>>>>> http://baseserver.sub.abc.com
>>>>>>>>>>> http://first.sub.abc.com
>>>>>>>>>>> http://first.abc.com
>>>>>>>>>>> 
>>>>>>>>>>> Using SSL we can go to these successfully …
>>>>>>>>>>> 
>>>>>>>>>>> https://baseserver.sub.abc.com
>>>>>>>>>>> https://First.sub.abc.com
>>>>>>>>>>> 
>>>>>>>>>>> But not this …
>>>>>>>>>>> 
>>>>>>>>>>> https://first.abc.com
>>>>>>>>>>> 
>>>>>>>>>>> Here is our config …
>>>>>>>>>>> 
>>>>>>>>>>> Have tried these ..
>>>>>>>>>>> <VirtualHost *.443>
>>>>>>>>>>>       and
>>>>>>>>>>> <VirtualHost first.sub.abc.com:443>
>>>>>>>>>>>       and
>>>>>>>>>>> <VirtualHost first.abc.com:443>
>>>>>>>>>>> 
>>>>>>>>>>>     ServerName baseserver.sub.abc.com
>>>>>>>>>>>     ServerAlias first.sub.abc.com
>>>>>>>>>>>     ServerAlias first.abc.com
>>>>>>>>>>> 
>>>>>>>>>>>     SSLEngine on
>>>>>>>>>>>     DocumentRoot "/www/docs"
>>>>>>>>>>> 
>>>>>>>>>>>   <Directory "/www/docs">
>>>>>>>>>>>     …
>>>>>>>>>>>   </Directory>
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>   ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/www/docs/
>>>>>>>>>>>   DirectoryIndex index.php index.html
>>>>>>>>>>> 
>>>>>>>>>>> SSL Certificate stuff …
>>>>>>>>>>> 
>>>>>>>>>>> </VirtualHost>
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> Any suggestions why the Load Balanced SSL ServerAlias,
>>>>>>>>>>> https://first.abc.com, is not working?
>>>>>>>>>> 
>>>>>>>>>> Can you elaborate on "not working"? What exactly happens?
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> --
>>>>>>>>>> Rich Bowen - rbowen@xxxxxxxxxxx - @rbowen
>>>>>>>>>> http://apachecon.com/ - @apachecon
>>>>>>>>>> 
>>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>>>>>>>>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
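
The check suggested in the quoted thread (is the connection established, and does the load balancer treat the Server Name Indication differently) can be scripted per hostname. This is an added example, not code from any poster in the thread: `probe_sni` and `compare_paths` are names chosen here, the two addresses are hypothetical documentation-range placeholders, and certificate verification is switched off only so the probe can record which certificate is served.

```python
import hashlib
import socket
import ssl

def probe_sni(addr, port, sni, timeout=5.0):
    """Connect to addr:port, send `sni` in the ClientHello, report how far we got."""
    try:
        sock = socket.create_connection((addr, port), timeout=timeout)
    except OSError as exc:                      # refused, unreachable, connect timeout
        return ("tcp_failed", str(exc))
    ctx = ssl.create_default_context()
    # Diagnostic only: do not verify, so a wrong or default-vhost certificate
    # is still captured and can be compared by fingerprint.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            fp = hashlib.sha256(der).hexdigest()[:16]
            return ("handshake_ok", f"{tls.version()} cert-sha256={fp}")
    except socket.timeout:
        # TCP is up but no ServerHello came back: in a browser this looks
        # like a tab stuck on "Connecting...".
        return ("handshake_timeout", f"no TLS reply within {timeout}s")
    except (ssl.SSLError, OSError) as exc:      # alert, reset, EOF mid-handshake
        return ("handshake_failed", str(exc))
    finally:
        sock.close()

def compare_paths(paths, names, port=443, timeout=5.0):
    """Probe every name on every path; returns {(label, name): (stage, detail)}."""
    return {(label, name): probe_sni(addr, port, name, timeout)
            for label, addr in paths.items() for name in names}

if __name__ == "__main__":
    # Hypothetical addresses (RFC 5737 documentation range); the hostnames
    # are the thread's own placeholders.
    paths = {"via-lb": "192.0.2.10", "direct": "192.0.2.20"}
    names = ["baseserver.sub.abc.com", "first.sub.abc.com", "first.abc.com"]
    for (label, name), (stage, detail) in compare_paths(paths, names).items():
        print(f"{label:7} {name:24} {stage:18} {detail}")
```

A name that reaches `handshake_ok` on the direct path but ends in `handshake_timeout` or `handshake_failed` through the load balancer points at the balancer's handling of that name rather than at the VirtualHost configuration.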




