Posted to users@httpd.apache.org by suomi <ap...@ayni.com> on 2003/10/08 16:14:12 UTC

[users@httpd] Apache just knows about one single certificate.

Hi every
cellino@violina:~> /usr/local/apache2/bin/httpd -v
Server version: Apache/2.0.47
Server built:   Sep  1 2003 14:52:47
cellino@violina:~>

cellino@violina:~> uname -a
Linux violina 2.4.19-4GB #1 Fri Sep 13 13:14:56 UTC 2002 i686 unknown
cellino@violina:~>

I have about 40 named virtual hosts, about 10 of which are using SSL.
SSL is just used to protect the transfer, not for authentication, so I
use self-signed certificates created with
cellino@violina:~> openssl
OpenSSL> version
OpenSSL 0.9.6g [engine] 9 Aug 2002
OpenSSL>

The Apache configuration is in one directory containing http.conf,
ssl.conf, and one file per virtual host.

webadmin 14574  0.0  1.1 39736 11396 ?       S    Oct07   0:00 
/usr/local/apache2/bin/httpd -f /usr/local/apache2/conf/virtual.servers/
webadmin 14575  0.0  1.1 39736 11396 ?       S    Oct07   0:00 
/usr/local/apache2/bin/httpd -f /usr/local/apache2/conf/virtual.servers/
...

In order to avoid that cumbersome question "...you are accessing the URL
aa.bb.cc but the certificate presented by the web server is for the URL
dd.ee.ff..." I finally created certificates for each virtual host
using SSL.

Configured e.g. for one SSL virtual host as:

SSLEngine on
SSLCertificateFile    /etc/ssl/certs/phpino.cert.pem
SSLCertificateKeyFile /etc/ssl/certs/phpino.cert.key
SSLVerifyClient none

and for a second SSL virtual host as:

SSLEngine on
SSLCertificateFile    /etc/ssl/certs/ldap.cert.pem
SSLCertificateKeyFile /etc/ssl/certs/ldap.cert.key
SSLVerifyClient none

and so on.

To my great anger, Apache just presents one single certificate out of
the list to all virtual hosts.

The docu tells me that per virtual server you can even have two (2)
certificates (RSA and DSA), not only one.

I checked whether the certificates are really different from one another 
and found out that they really differ in the subject line:

Subject: C=CH, ST=Zurich, L=Zurich, O=Ayni AG, OU=phpino, 
CN=phpino.ayni.com/Email=info@ayni.com

I also checked whether all files specified in the config exist: they
all do.

I also checked the error log files of all virtual servers to see whether
they contain the well-known warnings:

[Sun Mar 02 13:01:45 2003] [warn] RSA server certificate is a CA 
certificate (BasicConstraints: CA == TRUE !?)
[Sun Mar 02 13:01:45 2003] [warn] RSA server certificate CommonName (CN) 
`rosetta.ayni.com' does NOT match server name!?

No, not any more, i.e. all virtual servers are happy with their certificate.

But still, there is only one single certificate presented on all
SSL virtual servers.

Has anyone experienced such an angry situation? What am I doing wrong?
What am I missing? Where can I find more info? Do I need to include the
CA certificate?

Any hint is appreciated, thanks in advance.

suomi




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache just knows about one single certificate.

Posted by Jacob Coby <jc...@listingbook.com>.
You can only have one SSL certificate per IP address.  It's in the FAQ.

-Jacob

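The reason behind Jacob's one-certificate-per-IP answer is a matter of ordering in the TLS handshake: the server has to send its certificate before the HTTP Host header exists, so in a 2003-era mod_ssl the only thing it can key the choice on is the IP address and port the client connected to, and the first SSL virtual host configured on that address supplies the certificate for every name served there. The following Python is an added illustration written for this page, not code from the thread or from the Apache project. It parses a constructed httpd configuration with the same layout suomi describes (several SSL virtual hosts on one address), models the pre-SNI selection that produced the symptom, and adds a lint that reports which SSL virtual hosts are shadowed; the `sni` parameter shows the contrast with the later name-based selection that Apache gained with Server Name Indication (httpd 2.2.12 onward with an OpenSSL that supports TLS extensions), which was not available on the poster's Apache 2.0.47 / OpenSSL 0.9.6g. The host names, addresses and paths in `SAMPLE_CONFIG` are constructed.

```python
"""Why pre-SNI Apache presents one certificate per IP:port (added example).

Constructed sample data below; the parser handles only the directives the
example needs (ServerName, SSLEngine, SSLCertificateFile).
"""
import re
from dataclasses import dataclass

# Constructed config: two SSL vhosts share 192.0.2.10:443, one sits alone
# on 192.0.2.11:443. Names and paths are placeholders, not from the thread.
SAMPLE_CONFIG = """
NameVirtualHost 192.0.2.10:443

<VirtualHost 192.0.2.10:443>
    ServerName phpino.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/phpino.cert.pem
    SSLCertificateKeyFile /etc/ssl/certs/phpino.cert.key
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName ldap.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ldap.cert.pem
    SSLCertificateKeyFile /etc/ssl/certs/ldap.cert.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName mail.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/mail.cert.pem
    SSLCertificateKeyFile /etc/ssl/certs/mail.cert.key
</VirtualHost>
"""


@dataclass
class VHost:
    address: str          # "ip:port" taken from the <VirtualHost ...> opener
    server_name: str = ""
    ssl: bool = False
    cert_file: str = ""


_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>\s]+)\s*>\s*$", re.I)
_CLOSE = re.compile(r"^\s*</VirtualHost>\s*$", re.I)


def parse_vhosts(text):
    """Return VHost records in file order; order matters because the first
    vhost on an address is Apache's default for that address."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = _OPEN.match(line)
        if m:
            cur = VHost(address=m.group(1))
            continue
        if _CLOSE.match(line):
            if cur is not None:
                hosts.append(cur)
            cur = None
            continue
        if cur is None:
            continue                      # directive outside any vhost block
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "servername":
            cur.server_name = val
        elif key == "sslengine":
            cur.ssl = val.lower() == "on"
        elif key == "sslcertificatefile":
            cur.cert_file = val
    return hosts


def certificate_for_connection(hosts, ip, port, sni=None):
    """Pick the certificate file sent in the handshake.

    Without SNI only the socket address is known when the certificate must
    go out, so the first SSL vhost bound to ip:port wins for every name on
    that address. With an SNI name (later Apache/OpenSSL), the vhost whose
    ServerName matches is preferred, falling back to the address default.
    """
    candidates = [h for h in hosts if h.ssl and h.address == f"{ip}:{port}"]
    if not candidates:
        return None
    if sni is not None:
        for h in candidates:
            if h.server_name.lower() == sni.lower():
                return h.cert_file
    return candidates[0].cert_file


def shadowed_ssl_vhosts(hosts):
    """Lint for the symptom in the thread: SSL vhosts whose certificate can
    never be presented pre-SNI because an earlier vhost owns the same
    ip:port. Returns (shadowed name, address, name of the vhost that wins)."""
    first_on_address, shadowed = {}, []
    for h in hosts:
        if not h.ssl:
            continue
        if h.address in first_on_address:
            shadowed.append((h.server_name, h.address, first_on_address[h.address]))
        else:
            first_on_address[h.address] = h.server_name
    return shadowed


if __name__ == "__main__":
    vhosts = parse_vhosts(SAMPLE_CONFIG)
    for name, addr, winner in shadowed_ssl_vhosts(vhosts):
        print(f"{name} on {addr}: clients will see the certificate of {winner}")
```

Running the lint against a real configuration directory is the check to make before hunting for mismatched CNs or missing files, as the original poster did: if two `SSLEngine on` virtual hosts resolve to the same `ip:port`, the second one's certificate is unreachable on a server without SNI, and the remedies are a separate IP address (or port) per SSL host or a single certificate that covers all the names served on that address.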