Posted to users@httpd.apache.org by "bfree@free-man.net" <bf...@free-man.net> on 2011/01/28 02:51:35 UTC

[users@httpd] mod_ssl and virtual host

Apache version 2.2.3
CentOS Linux 5.5
/etc/httpd/conf.d/ssl.config
changes
#<VirtualHost _default_:443>
<VirtualHost free-man.net:443>
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/free-man-net.crt
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/private/free-mman-net.key

This works; I get no errors on my https free-man.net.

/etc/httpd/conf/conf.config
<VirtualHost www.specialtymarket.com:443>
     SSLEngine on
     SSLProtocol all -SSLv2
      SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

      SSLCertificateFile
/etc/pki_free-man_net/myCA/certs/specialtymarketCA.crt
      SSLCertificateKeyFile
/etc/pki_free-man_net/myCA/private/specialtymarketCA.key

When I restart httpd I get:
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server specialtymarket.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.

When I do an https for specialtymarket.com in a browser I get:
www.specialtymarket.com uses an invalid security certificate.

The certificate is not trusted because it is self-signed.
The certificate is only valid for free-man.net

What am I doing wrong?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] mod_ssl and virtual host

Posted by "bfree@free-man.net" <bf...@free-man.net>.
Got most everything working.
I have three IPs:
NameVirtualHost xx.xx.xx.32:80
NameVirtualHost xx.xx.xx.32:443

NameVirtualHost xx.xx.xx.34:80
NameVirtualHost xx.xx.xx.34:443

I have a domain that had SSL in the original 
NameVirtualHost (xx.xx.xx.32). It works great; this operates off the 
default SSL defined in the ssl.conf.

I have a domain that is not in NameVirtualHost (xx.xx.xx.32 or 
xx.xx.xx.34) but is a virtual host.
It is on its own IP; the http works fine but the https gives an "Unable to 
connect". The SSL is defined in the virtualhost:
SSLCertificateFile /etc/pki.....
SSLCertificateKeyFile /etc/pki....

I have a domain that had SSL in the new NameVirtualHost (xx.xx.xx.34) on 
a separate IP from the original NameVirtualHost. The http works great but 
the https also gives an "Unable to connect". The SSL is defined in the virtualhost:
SSLCertificateFile /etc/pki.....
SSLCertificateKeyFile /etc/pki....


Since the http works in all cases, this means the IPs are being recognized.
Since the SSL in the original NameVirtualHost works, my configuration of 
the virtual hosts works.

I get no log for the ones that give an "Unable to connect".

Any ideas where to look?

=========================
BJ Freeman
Strategic Power Office with Supplier Automation  <http://www.businessesnetwork.com/automation/viewforum.php?f=52>
Specialtymarket.com  <http://www.specialtymarket.com/>
Systems Integrator-- Glad to Assist

Chat  Y! messenger: bjfr33man
bfree@free-man.net sent the following on 1/28/2011 10:36 AM:

> thanks will see what I can do to make something work.
>
> =========================
> BJ Freeman
> Strategic Power Office with Supplier Automation
> <http://www.businessesnetwork.com/automation/viewforum.php?f=52>
> Specialtymarket.com <http://www.specialtymarket.com/>
> Systems Integrator-- Glad to Assist
>
> Chat Y! messenger: bjfr33man
>
> Igor Galić sent the following on 1/28/2011 9:34 AM:
>
>
>>
>> ----- "Martin Kuba"<ma...@ics.muni.cz> wrote:
>>
>>> On 28.1.2011 02:51, bfree@free-man.net wrote:
>>>> The certificate is not trusted because it is self-signed.
>>>> The certificate is only valid for free-man.net
>>>>
>>>> what am I doing wrong?
>>>
>>> You can not use name-based virtual hosts for SSL if your Apache is
>>> older than 2.2.12
>>> or your OpenSSL does not support SNI or the client is MSIE on Windows
>>> XP.
>>>
>>> In other words, you need a separate IP address for each SSL
>>> certificate,
>>> because the SSL connection is established before the HTTP connection
>>> takes place
>>> and the server does not know which certificate to choose.
>>>
>>> See
>>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts
>>> http://en.wikipedia.org/wiki/Server_Name_Indication
>>
>> Also see:
>> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
>>
>>> Use IP-based virtual hosts instead.
>>>
>>> Cheers
>>>
>>> Martin
>>> --
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> Supercomputing Center Brno Martin Kuba
>>> Institute of Computer Science email: makub@ics.muni.cz
>>> Masaryk University http://www.ics.muni.cz/~makub/
>>> Botanicka 68a, 60200 Brno, CZ mobile: +420-603-533775
>>> --------------------------------------------------------------
>>
>> i
>>
>



Re: [users@httpd] mod_ssl and virtual host

Posted by "bfree@free-man.net" <bf...@free-man.net>.
Thanks, will see what I can do to make something work.

=========================
BJ Freeman
Strategic Power Office with Supplier Automation  <http://www.businessesnetwork.com/automation/viewforum.php?f=52>
Specialtymarket.com  <http://www.specialtymarket.com/>
Systems Integrator-- Glad to Assist

Chat  Y! messenger: bjfr33man

Igor Galić sent the following on 1/28/2011 9:34 AM:


>
> ----- "Martin Kuba"<ma...@ics.muni.cz>  wrote:
>
>> On 28.1.2011 02:51, bfree@free-man.net wrote:
>>> The certificate is not trusted because it is self-signed.
>>> The certificate is only valid for free-man.net
>>>
>>> what am I doing wrong?
>>
>> You can not use name-based virtual hosts for SSL if your Apache is
>> older than 2.2.12
>> or your OpenSSL does not support SNI or the client is MSIE on Windows
>> XP.
>>
>> In other words, you need a separate IP address for each SSL
>> certificate,
>> because the SSL connection is established before the HTTP connection
>> takes place
>> and the server does not know which certificate to choose.
>>
>> See
>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts
>> http://en.wikipedia.org/wiki/Server_Name_Indication
>
> Also see:
> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
>
>> Use IP-based virtual hosts instead.
>>
>> Cheers
>>
>> Martin
>> --
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Supercomputing Center Brno             Martin Kuba
>> Institute of Computer Science    email: makub@ics.muni.cz
>> Masaryk University             http://www.ics.muni.cz/~makub/
>> Botanicka 68a, 60200 Brno, CZ     mobile: +420-603-533775
>> --------------------------------------------------------------
>
> i
>



Re: [users@httpd] mod_ssl and virtual host

Posted by Igor Galić <i....@brainsware.org>.
----- "Martin Kuba" <ma...@ics.muni.cz> wrote:

> On 28.1.2011 02:51, bfree@free-man.net wrote:
> > The certificate is not trusted because it is self-signed.
> > The certificate is only valid for free-man.net
> >
> > what am I doing wrong?
> 
> You can not use name-based virtual hosts for SSL if your Apache is
> older than 2.2.12
> or your OpenSSL does not support SNI or the client is MSIE on Windows
> XP.
> 
> In other words, you need a separate IP address for each SSL
> certificate,
> because the SSL connection is established before the HTTP connection
> takes place
> and the server does not know which certificate to choose.
> 
> See
> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts
> http://en.wikipedia.org/wiki/Server_Name_Indication

Also see:
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

> Use IP-based virtual hosts instead.
> 
> Cheers
> 
> Martin
> -- 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Supercomputing Center Brno             Martin Kuba
> Institute of Computer Science    email: makub@ics.muni.cz
> Masaryk University             http://www.ics.muni.cz/~makub/
> Botanicka 68a, 60200 Brno, CZ     mobile: +420-603-533775
> --------------------------------------------------------------

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/



Re: [users@httpd] mod_ssl and virtual host

Posted by Martin Kuba <ma...@ics.muni.cz>.
On 28.1.2011 02:51, bfree@free-man.net wrote:
> The certificate is not trusted because it is self-signed.
> The certificate is only valid for free-man.net
>
> what am I doing wrong?

You cannot use name-based virtual hosts for SSL if your Apache is older than 2.2.12,
or your OpenSSL does not support SNI, or the client is MSIE on Windows XP.

In other words, you need a separate IP address for each SSL certificate,
because the SSL connection is established before the HTTP connection takes place
and the server does not know which certificate to choose.

See
http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts
http://en.wikipedia.org/wiki/Server_Name_Indication

Use IP-based virtual hosts instead.

Cheers

Martin
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Supercomputing Center Brno             Martin Kuba
Institute of Computer Science    email: makub@ics.muni.cz
Masaryk University             http://www.ics.muni.cz/~makub/
Botanicka 68a, 60200 Brno, CZ     mobile: +420-603-533775
--------------------------------------------------------------
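The mechanism Martin describes, and the symptom in the original post (the browser sees the free-man.net certificate when it asked for www.specialtymarket.com), comes down to one fact: when the server has to pick a certificate, the only name it can possibly have is the one in the ClientHello's SNI extension, because no HTTP Host header has been sent yet. The script below is an added example, written for this thread and not taken from the list, Apache, or OpenSSL. It builds a minimal ClientHello with and without SNI, parses the SNI host_name back out the way a server would, and then models the vhost choice with a simplified rule (assumed here; it is a model, not Apache's code): the first vhost configured for the connected IP:port is the default, an SNI match among the vhosts on that address overrides it, and an address with no SSL vhost at all yields no handshake. The IPs, the example.net host and the vhost table are constructed; the certificate paths are the ones from the thread.

```python
import struct

# Constructed vhost table modelled on the thread: two name-based SSL vhosts on one
# address, one IP-based vhost on its own address. Tuples: (ip, port, name, cert).
VHOSTS = [
    ("192.0.2.32", 443, "free-man.net", "/etc/pki/tls/certs/free-man-net.crt"),
    ("192.0.2.32", 443, "www.specialtymarket.com",
     "/etc/pki_free-man_net/myCA/certs/specialtymarketCA.crt"),
    ("192.0.2.34", 443, "example.net", "/etc/pki/tls/certs/example-net.crt"),  # constructed
]


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed input, not a capture)."""
    body = b"\x03\x03"                 # client_version: TLS 1.2
    body += b"\x11" * 32               # client random (fixed filler for the example)
    body += b"\x00"                    # session_id length 0
    body += b"\x00\x02\xc0\x2f"        # one cipher suite: ECDHE-RSA-AES128-GCM-SHA256
    body += b"\x01\x00"                # compression methods: null only
    if server_name is None:
        body += b"\x00\x00"            # extensions block present but empty: no SNI
    else:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        ext = b"\x00\x00" + struct.pack("!H", len(sn_list)) + sn_list  # ext type 0 = SNI
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None if absent.

    This is all a server knows about the requested site before it must send a
    certificate; a client that sends no SNI is indistinguishable per name.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    if len(p) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip version and random
    pos += 1 + p[pos]                              # session_id
    pos += 2 + struct.unpack("!H", p[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + p[pos]                              # compression_methods
    if pos + 2 > len(p):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", p[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(p):
        raise ValueError("truncated extensions")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", p[pos:pos + 4])
        pos += 4
        edata = p[pos:pos + elen]
        pos += elen
        if etype != 0 or len(edata) < 2:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            ntype = edata[q]
            nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
            name = edata[q + 3:q + 3 + nlen]
            q += 3 + nlen
            if ntype == 0:
                return name.decode("ascii")
    return None


def choose_vhost(ip, port, client_hello, vhosts=VHOSTS):
    """Simplified model of SSL vhost selection at handshake time (assumption, see lead-in).

    Returns the (ip, port, name, cert) tuple whose certificate would be served, or
    None when nothing is configured for SSL on that address.
    """
    candidates = [v for v in vhosts if v[0] == ip and v[1] == port]
    if not candidates:
        return None                   # nothing answers TLS on this ip:port
    sni = extract_sni(client_hello)
    if sni is not None:
        for v in candidates:
            if v[2] == sni:
                return v              # SNI-capable client and server: name-based works
    return candidates[0]              # no SNI or no match: first vhost on the address wins


if __name__ == "__main__":
    for hello in (build_client_hello(), build_client_hello("www.specialtymarket.com")):
        print(extract_sni(hello), "->", choose_vhost("192.0.2.32", 443, hello)[3])
```

Without SNI, the second name-based vhost on the shared address can never be reached, which is exactly why the browser in the first post was shown the free-man.net certificate; giving each certificate its own IP, as Martin suggests, removes the ambiguity because the address alone then identifies the vhost. A client that does send SNI but whose name matches nothing still falls back to the default vhost in this model, so a mismatch warning in the browser is the expected outcome rather than a connection failure.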