In this line you should put the certificate of your rootCA which has signed your certificate.

SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/<root-ca>.crt

"VerifyDepth 5" seems to be too high because then you need certificates in the chain up to 5 like (e.g. cert1 + cert2 + cert3 + cert4 + rootCA) but you only have 2 (with the root certificate) or 1 (without the root cert).

With a certificate where the common name is not the same as the server name (in this case here of the virtual host) you won't get any https connection, they have to be the same.

Here are some examples http://www.openssl.org/docs/apps/x509.html and here is one to look into a certificate:

openssl x509 -in cert.pem -noout -text

Greets
Oliver

-----Original Message-----
From: Brian V. Hughes [mailto:brianvh@xxxxxxxxxxxxxxxxxx]
Sent: Mon 23.01.2006 17:31
To: users@xxxxxxxxxxxxxxxx
Subject: [users@httpd] Apache 2 and SSL on server with multiple IPs, SSL won't load...

Hey gang. I've got a problem that's been giving me fits for the past several days and I just can't figure out what's wrong. Here's the situation:

I've got an Apple Xserve, with a standard install of Apache 2.0.55 with mod_ssl. The server has 2 IP addresses assigned to it, let's call them foo.dartmouth.edu and bar.dartmouth.edu. I've also got 2 instances of Apache configured to run, since I believe I need to do IP-based virtual hosting to accomplish what I need: foo is an HTTP server and bar needs to be an HTTP/HTTPS server.
We have a key file and a Dartmouth-signed certificate built for bar.dartmouth.edu and I'm using an ssl.conf file that looks like this:

----------------
#SSL.CONF for bar.dartmouth.edu
Listen 129.170.xxx.yyy:443
SSLEngine on
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/bar.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/bar.key
SSLCACertificatePath /usr/local/apache2/conf/ssl.crt
SSLVerifyClient optional
SSLVerifyDepth 5
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/apache2/logs/ssl_scache
SSLSessionCacheTimeout 300
AcceptMutex flock
LockFile /usr/local/apache2/logs/httpd.lock
SSLMutex file:/usr/local/apache2/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost 129.170.xxx.yyy:443>
DocumentRoot "/Library/WebServer/Documents"
ServerName bar.dartmouth.edu
ServerAdmin webmaster@xxxxxxxxxxxxx
ErrorLog /usr/local/apache2/logs/error_log
TransferLog /usr/local/apache2/logs/access_log
CustomLog /usr/local/apache2/logs/ssl_request_log \
   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
----------------

When I try to launch Apache with this config file, I get this in my logs/error_log:

[Fri Jan 20 13:09:36 2006] [warn] RSA server certificate CommonName (CN) `bar.dartmouth.edu' does NOT match server name!?
[Fri Jan 20 13:09:36 2006] [error] Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!)

I think these errors are trying to point me in the right direction, but I just don't know enough about mod_ssl to know what direction that is. Given that the HTTP responder on port 80 works just fine for bar.dartmouth.edu, I can't see how there could be confusion over the CommonName. Can someone help me decipher this and figure out why I can't get my SSL instance running?
Is there something I'm just not setting in my ssl.conf file? Is there more info that I need to post? Things are getting a little desperate for us with this server, so any help I can get would be most appreciated.

Thanks.

-Brian

----
Brian V. Hughes
Associate Director for Web Operations (aka. Webmaster)
Computing Technical Services
Dartmouth College

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx