Posted to users@httpd.apache.org by Nick Smith <ni...@computernick.com> on 2004/11/14 01:50:59 UTC

[users@httpd] ssl certs question

I'm running a server currently hosting 2 domains, and am going to add
a lot more soon. I have self-signed certs for one domain, and would like
to make some for the others as well. How can I have Apache load a cert
for a specific site, so that domain1's cert isn't used with domain2's
site? Also, when I go to https://www.domain.com my cert works OK, but
when I go to https://domain.com it says the name doesn't match and that
it's a security risk. What do I have to do to overcome this? You can't
load two certs per site, can you? One for domain.com and one for
www.domain.com? Or do you have to make a vhost for www.domain.com and
load the cert there? I'm kinda confused and new to the whole SSL cert
thing, please explain. I am using apache2 on Gentoo.

Thanks

Nick

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] ssl certs question

Posted by Antony Paul <an...@gmail.com>.
You need one IP address for www.domain.com. For each domain you need a
separate IP. I used one IP for www.domainone.com and another for
www.domaintwo.com.
This is my setup for www.domainone.com. Have two virtual hosts for each
domain: one for port 80 and a second one for port 443. Set the
ServerName to www.domainone.com. Set the ServerAlias to
domainone.com.

rgds
Antony Paul


On Mon, 15 Nov 2004 22:06:18 -0500, Nick Smith <ni...@computernick.com> wrote:
> Peter Johnson wrote:
> 
> 
> 
> > SSL sites must be run on different IP addresses. Apache won't know what
> > server it is destined for until *after* the certificate has been
> > accepted and verified by the client browser; as such there is no way
> > for Apache to know which certificate to return.
> >
> > PJ
> 
> What about setting up fake servers in the hosts file, like 127.0.0.2 and
> 127.0.0.3, and then faking out Apache so it thinks they are different
> machines? Think it's possible? Then just define the different vhosts with
> those IP addresses?

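The layout Antony describes, written out as an added configuration example (not from anyone in this thread): one address per SSL site, a port-80 and a port-443 vhost per domain, and each domain's certificate loaded inside its own 443 vhost. The addresses 192.0.2.10 and 192.0.2.11, the hostnames and the file paths are constructed placeholders.

```apache
# Added example (not from anyone in this thread): the IP-based layout
# Antony describes, one address per SSL site. The addresses 192.0.2.10 and
# 192.0.2.11, the hostnames and the file paths are constructed placeholders.

# Apache only accepts connections on addresses it is told to bind to,
# so each address needs its own Listen lines for the plain and SSL ports.
Listen 192.0.2.10:80
Listen 192.0.2.10:443
Listen 192.0.2.11:80
Listen 192.0.2.11:443

# ---- domainone.com: plain HTTP vhost --------------------------------
<VirtualHost 192.0.2.10:80>
    ServerName  www.domainone.com
    ServerAlias domainone.com
    # Send plain-HTTP visitors to the canonical https name. This works on
    # port 80 because no certificate is involved there; it cannot repair a
    # name mismatch on an https://domainone.com request, since the
    # certificate is presented before any HTTP data (including the Host
    # header) reaches Apache.
    Redirect permanent / https://www.domainone.com/
</VirtualHost>

# ---- domainone.com: SSL vhost ----------------------------------------
<VirtualHost 192.0.2.10:443>
    ServerName   www.domainone.com
    ServerAlias  domainone.com
    DocumentRoot /var/www/domainone
    SSLEngine on
    # Only this certificate is ever returned on 192.0.2.10:443, so
    # domaintwo's certificate can never be served for this site.
    SSLCertificateFile    /etc/apache2/ssl/domainone.crt
    SSLCertificateKeyFile /etc/apache2/ssl/domainone.key
    # ServerAlias only selects the vhost once the request is decrypted.
    # The browser still compares the hostname it connected to with the
    # names inside the certificate, so the "name doesn't match" warning
    # on https://domainone.com goes away only if domainone.crt itself
    # carries both www.domainone.com and domainone.com.
</VirtualHost>

# ---- domaintwo.com: same pattern on its own address, own certificate --
<VirtualHost 192.0.2.11:80>
    ServerName  www.domaintwo.com
    ServerAlias domaintwo.com
    Redirect permanent / https://www.domaintwo.com/
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName   www.domaintwo.com
    ServerAlias  domaintwo.com
    DocumentRoot /var/www/domaintwo
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/domaintwo.crt
    SSLCertificateKeyFile /etc/apache2/ssl/domaintwo.key
</VirtualHost>
```

`apache2ctl -S` lists which address:port each vhost is bound to, and `openssl s_client -connect 192.0.2.10:443` prints the certificate actually presented on that address, which is the quickest way to confirm that each site gets its own cert.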


Re: [users@httpd] ssl certs question

Posted by Peter Johnson <pe...@wizardslair.net>.
Nick,

I doubt that it will work, because when defining an IP-based virtual host
you'll also need to define a "Listen" directive for the same address.
This causes Apache to bind to that address, and thus I can't see how
you'll get a user's request to go to 127.0.0.2 from the internet.

PJ

Nick Smith wrote:

> Peter Johnson wrote:
>
>> SSL sites must be run on different IP addresses. Apache won't know
>> what server it is destined for until *after* the certificate has been
>> accepted and verified by the client browser; as such there is no way
>> for Apache to know which certificate to return.
>>
>> PJ
>
>
> What about setting up fake servers in the hosts file, like 127.0.0.2
> and 127.0.0.3, and then faking out Apache so it thinks they are different
> machines? Think it's possible? Then just define the different vhosts
> with those IP addresses?
>
>



Re: [users@httpd] ssl certs question

Posted by Nick Smith <ni...@computernick.com>.
Peter Johnson wrote:

> SSL sites must be run on different IP addresses. Apache won't know what
> server it is destined for until *after* the certificate has been
> accepted and verified by the client browser; as such there is no way
> for Apache to know which certificate to return.
>
> PJ

What about setting up fake servers in the hosts file, like 127.0.0.2 and
127.0.0.3, and then faking out Apache so it thinks they are different
machines? Think it's possible? Then just define the different vhosts with
those IP addresses?




Re: [users@httpd] ssl certs question

Posted by Peter Johnson <pe...@wizardslair.net>.
SSL sites must be run on different IP addresses. Apache won't know what
server it is destined for until *after* the certificate has been
accepted and verified by the client browser; as such there is no way for
Apache to know which certificate to return.

PJ

Nick Smith wrote:

> Ralf Glauberman wrote:
>
>> The SSL handshake happens before ANY HTTP-related information is
>> transferred!
>>
> So what is the fix for this?
>
>



Re: [users@httpd] ssl certs question

Posted by Ralf Glauberman <rg...@michaeli-gymnasium.de>.
There is no fix, because it's not a bug but a feature. The GET is encrypted,
including all headers, for example passwords. You need to run every domain
over a different IP AND/OR port.
Ralf

----- Original Message ----- 
From: "Nick Smith" <ni...@computernick.com>
To: <us...@httpd.apache.org>
Sent: Tuesday, November 16, 2004 1:19 AM
Subject: Re: [users@httpd] ssl certs question


> Ralf Glauberman wrote:
>
>> The SSL handshake happens before ANY HTTP-related information is
>> transferred!
>>
> So what is the fix for this?
>
>




Re: [users@httpd] ssl certs question

Posted by Nick Smith <ni...@computernick.com>.
Ralf Glauberman wrote:

> The SSL handshake happens before ANY HTTP-related information is
> transferred!
>
So what is the fix for this?




Re: [users@httpd] ssl certs question

Posted by Ralf Glauberman <rg...@michaeli-gymnasium.de>.
The SSL handshake happens before ANY HTTP-related information is
transferred!

----- Original Message ----- 
From: "Laura Vance" <va...@winfreeacademy.com>
To: <us...@httpd.apache.org>
Sent: Monday, November 15, 2004 5:11 PM
Subject: Re: [users@httpd] ssl certs question


> After reading the other responses, something comes to mind that might 
> work.
>
> Could you add a rewrite rule so that when anyone comes in for "domain.com" 
> it changes to "www.domain.com"?  I've never added a rewrite rule, so I 
> don't know if the rewrites happen before or after the SSL handshake, but 
> it's a thought.
>
>
> Nick Smith wrote:
>
>> I'm running a server currently hosting 2 domains, and am going to add a lot
>> more soon. I have self-signed certs for one domain, and would like to
>> make some for the others as well. How can I have Apache load a cert for a
>> specific site, so that domain1's cert isn't used with domain2's site?
>> Also, when I go to https://www.domain.com my cert works OK, but when I go
>> to https://domain.com it says the name doesn't match and that it's a
>> security risk. What do I have to do to overcome this? You can't load two
>> certs per site, can you? One for domain.com and one for www.domain.com?
>> Or do you have to make a vhost for www.domain.com and load the cert
>> there? I'm kinda confused and new to the whole SSL cert thing, please
>> explain. I am using apache2 on Gentoo.
>>
>> Thanks
>>
>> Nick
>>
>>
>
> -- 
> Thanks,
> Laura Vance
> Systems Engineer
> Winfree Academy Charter Schools
> 6221 Riverside Dr. Suite 110
> Irving, Tx  75039
> Web: www.winfreeacademy.com
>
>
>




Re: [users@httpd] ssl certs question

Posted by Laura Vance <va...@winfreeacademy.com>.
After reading the other responses, something comes to mind that might work.

Could you add a rewrite rule so that when anyone comes in for 
"domain.com" it changes to "www.domain.com"?  I've never added a rewrite 
rule, so I don't know if the rewrites happen before or after the SSL 
handshake, but it's a thought.


Nick Smith wrote:

> I'm running a server currently hosting 2 domains, and am going to add
> a lot more soon. I have self-signed certs for one domain, and would
> like to make some for the others as well. How can I have Apache load a
> cert for a specific site, so that domain1's cert isn't used with
> domain2's site? Also, when I go to https://www.domain.com my cert
> works OK, but when I go to https://domain.com it says the name doesn't
> match and that it's a security risk. What do I have to do to overcome
> this? You can't load two certs per site, can you? One for domain.com and
> one for www.domain.com? Or do you have to make a vhost for
> www.domain.com and load the cert there? I'm kinda confused and new to
> the whole SSL cert thing, please explain. I am using apache2 on Gentoo.
>
> Thanks
>
> Nick
>
>

-- 
Thanks,
Laura Vance
Systems Engineer
Winfree Academy Charter Schools
6221 Riverside Dr. Suite 110
Irving, Tx  75039
Web: www.winfreeacademy.com





Re: [users@httpd] ssl certs question

Posted by The Disguised Jedi <di...@gmail.com>.
Well, you'll need separate certs for both; wildcards make Internet
Explorer get scared (security warnings pop up all over - I speak from
experience!). You could just put a script at the top of each page that
is expected to be used over HTTPS and make it check to be sure you are
at www.domain.com, not domain.com. Virtual hosts would need two IPs
and two certs, so it can get kinda expensive.

-- 
The Disguised Jedi
disguised.jedi@gmail.com

PHP rocks!


On Sun, 14 Nov 2004 14:06:36 +0100, Ralf Glauberman
<rg...@michaeli-gymnasium.de> wrote:
> No, I can't agree. As the certs are exchanged before the HTTP headers,
> including the Host header, are exchanged, there is no way to get multiple
> HTTPS sites working with name-based virtual hosts. In order to get this to
> work, you would need one IP address per domain. However, wildcards might
> work, don't know.
> Ralf
> 
> 
> 
> ----- Original Message -----
> From: "Nick Smith" <ni...@computernick.com>
> To: <us...@httpd.apache.org>
> Sent: Sunday, November 14, 2004 6:25 AM
> Subject: Re: [users@httpd] ssl certs question
> 
> > The Disguised Jedi wrote:
> >
> >>Making a VirtualHost for www.domain.com and a separate one for
> >>domain.com and putting the SSLCertificateFile directive inside the
> >>VHost tag should make that work.  Let me know!
> >>
> >>
> > Is that how it's supposed to be done? I mean, when someone buys a legit cert
> > from, say, VeriSign, do they get two certs? One for domain.com and one for
> > www.domain.com? I guess there is no way to create a cert with both those
> > names in them, or create one with wildcards so that anything *.domain.com
> > is accepted as valid? Seems kinda strange to have to do it that way; if
> > you host a lot of domains that can get kinda huge.
> >
> >
> 
>



Re: [users@httpd] ssl certs question

Posted by Ralf Glauberman <rg...@michaeli-gymnasium.de>.
No, I can't agree. As the certs are exchanged before the HTTP headers,
including the Host header, are exchanged, there is no way to get multiple
HTTPS sites working with name-based virtual hosts. In order to get this to
work, you would need one IP address per domain. However, wildcards might
work, don't know.
Ralf

----- Original Message ----- 
From: "Nick Smith" <ni...@computernick.com>
To: <us...@httpd.apache.org>
Sent: Sunday, November 14, 2004 6:25 AM
Subject: Re: [users@httpd] ssl certs question


> The Disguised Jedi wrote:
>
>>Making a VirtualHost for www.domain.com and a separate one for
>>domain.com and putting the SSLCertificateFile directive inside the
>>VHost tag should make that work.  Let me know!
>>
>>
> Is that how it's supposed to be done? I mean, when someone buys a legit cert
> from, say, VeriSign, do they get two certs? One for domain.com and one for
> www.domain.com? I guess there is no way to create a cert with both those
> names in them, or create one with wildcards so that anything *.domain.com
> is accepted as valid? Seems kinda strange to have to do it that way; if
> you host a lot of domains that can get kinda huge.
>
> 




Re: [users@httpd] ssl certs question

Posted by Nick Smith <ni...@computernick.com>.
The Disguised Jedi wrote:

>Making a VirtualHost for www.domain.com and a separate one for
>domain.com and putting the SSLCertificateFile directive inside the
>VHost tag should make that work.  Let me know!
>
>
Is that how it's supposed to be done? I mean, when someone buys a legit
cert from, say, VeriSign, do they get two certs? One for domain.com and
one for www.domain.com? I guess there is no way to create a cert with
both those names in them, or create one with wildcards so that anything
*.domain.com is accepted as valid? Seems kinda strange to have to do it
that way; if you host a lot of domains that can get kinda huge.



Re: [users@httpd] ssl certs question

Posted by The Disguised Jedi <di...@gmail.com>.
Making a VirtualHost for www.domain.com and a separate one for
domain.com and putting the SSLCertificateFile directive inside the
VHost tag should make that work.  Let me know!

-- 
The Disguised Jedi
disguised.jedi@gmail.com

PHP rocks!


On Sat, 13 Nov 2004 19:50:59 -0500, Nick Smith <ni...@computernick.com> wrote:
> I'm running a server currently hosting 2 domains, and am going to add
> a lot more soon. I have self-signed certs for one domain, and would like
> to make some for the others as well. How can I have Apache load a cert
> for a specific site, so that domain1's cert isn't used with domain2's
> site? Also, when I go to https://www.domain.com my cert works OK, but
> when I go to https://domain.com it says the name doesn't match and that
> it's a security risk. What do I have to do to overcome this? You can't
> load two certs per site, can you? One for domain.com and one for
> www.domain.com? Or do you have to make a vhost for www.domain.com and
> load the cert there? I'm kinda confused and new to the whole SSL cert
> thing, please explain. I am using apache2 on Gentoo.
> 
> Thanks
> 
> Nick
> 
> 
>
