Posted to users@httpd.apache.org by "Brian V. Hughes" <br...@alum.dartmouth.org> on 2006/01/23 17:31:55 UTC
[users@httpd] Apache 2 and SSL on server with multiple IPs, SSL won't load...
Hey gang. I've got a problem that's been giving me fits for the past several
days and I just can't figure out what's wrong. Here's the situation:
I've got an Apple Xserve, with a standard install of Apache 2.0.55 with mod_ssl.
The server has 2 IP addresses assigned to it, let's call them foo.dartmouth.edu
and bar.dartmouth.edu. I've also got 2 instances of Apache configured to run,
since I believe I need to do IP-based virtual hosting to accomplish what I need:
foo is an HTTP server and bar needs to be an HTTP/HTTPS server.
We have a key file and a Dartmouth-signed certificate built for
bar.dartmouth.edu and I'm using an ssl.conf file that looks like this:
----------------
#SSL.CONF for bar.dartmouth.edu
Listen 129.170.xxx.yyy:443
SSLEngine on
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/bar.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/bar.key
SSLCACertificatePath /usr/local/apache2/conf/ssl.crt
SSLVerifyClient optional
SSLVerifyDepth 5
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/apache2/logs/ssl_scache
SSLSessionCacheTimeout 300
AcceptMutex flock
LockFile /usr/local/apache2/logs/httpd.lock
SSLMutex file:/usr/local/apache2/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<VirtualHost 129.170.xxx.yyy:443>
DocumentRoot "/Library/WebServer/Documents"
ServerName bar.dartmouth.edu
ServerAdmin webmaster@dartmouth.edu
ErrorLog /usr/local/apache2/logs/error_log
TransferLog /usr/local/apache2/logs/access_log
CustomLog /usr/local/apache2/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
----------------
When I try to launch Apache with this config file, I get this in my logs/error_log:
[Fri Jan 20 13:09:36 2006] [warn] RSA server certificate CommonName (CN)
`bar.dartmouth.edu' does NOT match server name!?
[Fri Jan 20 13:09:36 2006] [error] Illegal attempt to re-initialise SSL for
server (theoretically shouldn't happen!)
I think these errors are trying to point me in the right direction, but I just
don't know enough about mod_ssl to know what direction that is. Given that the
HTTP responder on port 80 works just fine for bar.dartmouth.edu, I can't see how
there could be confusion over the CommonName.
Can someone help me decipher this and figure out why I can't get my SSL instance
running? Is there something I'm just not setting in my ssl.conf file? Is there
more info that I need to post? Things are getting a little desperate for us with
this server, so any help I can get would be most appreciated. Thanks.
-Brian
----
Brian V. Hughes
Associate Director for Web Operations (aka. Webmaster)
Computing Technical Services
Dartmouth College
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] Re: Apache 2 and SSL on server with multiple IPs, SSL won't load...
Posted by Joost de Heer <sa...@xs4all.nl>.
> Listen 129.170.xxx.yyy:443
> SSLEngine on
Use SSLEngine in the SSL vhost, not in the general configuration part.
Joost
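
A check for the misplacement Joost points out, as an added example that is not part of either post: this Python sketch lists every SSLEngine directive in a configuration together with the scope it sits in. The two sample texts are constructed from the posted ssl.conf, the function names are hypothetical, and Include'd files are not followed.

```python
import re

# Constructed sample: relevant lines of the posted ssl.conf (IP masked as in the post).
POSTED = """\
Listen 129.170.xxx.yyy:443
SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/bar.crt
<VirtualHost 129.170.xxx.yyy:443>
ServerName bar.dartmouth.edu
</VirtualHost>
"""

# Constructed sample: the same lines with the SSL directives moved into the vhost.
MOVED = """\
Listen 129.170.xxx.yyy:443
<VirtualHost 129.170.xxx.yyy:443>
ServerName bar.dartmouth.edu
SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/bar.crt
</VirtualHost>
"""

OPEN = re.compile(r"<\s*(\w+)([^>]*)>")   # e.g. <VirtualHost addr:port>, <IfModule x>
CLOSE = re.compile(r"</\s*(\w+)\s*>")     # e.g. </VirtualHost>

def sslengine_scopes(conf_text):
    """Return (line_no, scope, value) for each SSLEngine directive.
    scope is 'global' or the address of the enclosing <VirtualHost>."""
    stack, found = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
        elif OPEN.match(line):
            m = OPEN.match(line)
            stack.append((m.group(1).lower(), m.group(2).strip()))
        elif line.split()[0].lower() == "sslengine":   # directive names are case-insensitive
            parts = line.split()
            vhosts = [arg for name, arg in stack if name == "virtualhost"]
            value = parts[1].lower() if len(parts) > 1 else ""
            found.append((no, vhosts[-1] if vhosts else "global", value))
    return found

def global_sslengine_on(conf_text):
    """Line numbers where 'SSLEngine on' appears outside any <VirtualHost>."""
    return [no for no, scope, val in sslengine_scopes(conf_text)
            if scope == "global" and val == "on"]
```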