Posted to users@httpd.apache.org by "Brian V. Hughes" <br...@alum.dartmouth.org> on 2006/01/23 17:31:55 UTC

[users@httpd] Apache 2 and SSL on server with multiple IPs, SSL won't load...

Hey gang. I've got a problem that's been giving me fits for the past several 
days and I just can't figure out what's wrong. Here's the situation:

I've got an Apple Xserve, with a standard install of Apache 2.0.55 with mod_ssl. 
The server has 2 IP addresses assigned to it, let's call them foo.dartmouth.edu 
and bar.dartmouth.edu. I've also got 2 instances of Apache configured to run, 
since I believe I need to do IP-based virtual hosting to accomplish what I need: 
foo is an HTTP server and bar needs to be an HTTP/HTTPS server.

We have a key file and a Dartmouth-signed certificate built for 
bar.dartmouth.edu and I'm using an ssl.conf file that looks like this:

----------------
#SSL.CONF for bar.dartmouth.edu

Listen 129.170.xxx.yyy:443
SSLEngine on

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/bar.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/bar.key
SSLCACertificatePath /usr/local/apache2/conf/ssl.crt
SSLVerifyClient optional
SSLVerifyDepth  5

SSLPassPhraseDialog  builtin
SSLSessionCache dbm:/usr/local/apache2/logs/ssl_scache
SSLSessionCacheTimeout 300

AcceptMutex flock
LockFile /usr/local/apache2/logs/httpd.lock
SSLMutex  file:/usr/local/apache2/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost 129.170.xxx.yyy:443>
     DocumentRoot "/Library/WebServer/Documents"
     ServerName bar.dartmouth.edu
     ServerAdmin webmaster@dartmouth.edu

     ErrorLog /usr/local/apache2/logs/error_log
     TransferLog /usr/local/apache2/logs/access_log
     CustomLog /usr/local/apache2/logs/ssl_request_log \
               "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
----------------


When I try to launch Apache with this config file, I get this in my logs/error_log:

[Fri Jan 20 13:09:36 2006] [warn] RSA server certificate CommonName (CN) 
`bar.dartmouth.edu' does NOT match server name!?
[Fri Jan 20 13:09:36 2006] [error] Illegal attempt to re-initialise SSL for 
server (theoretically shouldn't happen!)

I think these errors are trying to point me in the right direction, but I just 
don't know enough about mod_ssl to know what direction that is. Given that the 
HTTP responder on port 80 works just fine for bar.dartmouth.edu, I can't see how 
there could be confusion over the CommonName.

Can someone help me decipher this and figure out why I can't get my SSL instance 
running? Is there something I'm just not setting in my ssl.conf file? Is there 
more info that I need to post? Things are getting a little desperate for us with 
this server, so any help I can get would be most appreciated. Thanks.

-Brian
----
Brian V. Hughes
Associate Director for Web Operations (aka. Webmaster)
Computing Technical Services
Dartmouth College

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Re: Apache 2 and SSL on server with multiple IPs, SSL won't load...

Posted by Joost de Heer <sa...@xs4all.nl>.
> Listen 129.170.xxx.yyy:443
> SSLEngine on

Use SSLEngine in the SSL vhost, not in the general configuration part.

Joost


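Joost's fix applied to the ssl.conf quoted earlier in the thread, as an added example (not the original poster's file or anything Joost posted): SSLEngine and the per-server certificate directives move inside the <VirtualHost>, while the session cache, mutex and random-seed directives stay global. The IP, paths and ServerName are the thread's own; the trimmed cipher string is an assumption explained in the comments.

```apache
# ssl.conf for bar.dartmouth.edu, restructured as suggested in the reply
Listen 129.170.xxx.yyy:443

# Server-wide mod_ssl settings. No SSLEngine here: enabling it in the
# global context makes mod_ssl initialise the certificate against the
# machine's default server name, then again for the vhost below.
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog    builtin
SSLSessionCache        dbm:/usr/local/apache2/logs/ssl_scache
SSLSessionCacheTimeout 300
AcceptMutex flock
LockFile    /usr/local/apache2/logs/httpd.lock
SSLMutex    file:/usr/local/apache2/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost 129.170.xxx.yyy:443>
    ServerName   bar.dartmouth.edu
    ServerAdmin  webmaster@dartmouth.edu
    DocumentRoot "/Library/WebServer/Documents"

    # SSL is switched on for this vhost only, so the certificate CN is
    # checked against this ServerName and initialised exactly once.
    SSLEngine on
    SSLCertificateFile    /usr/local/apache2/conf/ssl.crt/bar.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/bar.key
    SSLCACertificatePath  /usr/local/apache2/conf/ssl.crt
    SSLVerifyClient optional
    SSLVerifyDepth  5

    # The thread's cipher string without +LOW, +EXP and +eNULL:
    # eNULL suites do no encryption at all, and LOW/EXP suites are
    # 40-64 bit ciphers. Dropping them is this example's assumption,
    # not something the thread discusses.
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-SSLv2

    ErrorLog    /usr/local/apache2/logs/error_log
    TransferLog /usr/local/apache2/logs/access_log
    CustomLog   /usr/local/apache2/logs/ssl_request_log \
                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

Run `apachectl configtest` before restarting, then confirm the handshake with `openssl s_client -connect 129.170.xxx.yyy:443` and check that the certificate subject shown is CN=bar.dartmouth.edu.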