Posted to users@httpd.apache.org by Ol...@unilog.de on 2006/01/23 21:50:41 UTC

[users@httpd] Re:[users@httpd] Apache 2 and SSL on server with multiple IPs, SSL won't load...

In this line you should put the certificate of your rootCA which has signed your certificate.
  SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/<root-ca>.crt
"VerifyDepth 5" seems to be too high because then you need certificates in chain up to 5
like (e.g. cert1 + cert2 + cert3 + cert4 + rootCA) but you only have 2 (with the root certificate) or 1 (without root cert)

With a certificate where the common name is not the same as the server name (in this case here of the virtual host) then you won't get any https connection, they have to be the same.

Here are some examples http://www.openssl.org/docs/apps/x509.html
and here is one to show into a certificate:  openssl x509 -in cert.pem -noout -text

Greets
Oliver

-----Original Message-----
From: Brian V. Hughes [mailto:brianvh@alum.dartmouth.org]
Sent: Mon 23.01.2006 17:31
To: users@httpd.apache.org
Subject: [users@httpd] Apache 2 and SSL on server with multiple IPs, SSL won't load...
 

Hey gang. I've got a problem that's been giving me fits for the past several 
days and I just can't figure out what's wrong. Here's the situation:

I've got an Apple Xserve, with a standard install of Apache 2.0.55 with mod_ssl. 
The server has 2 IP addresses assigned to it, let's call them foo.dartmouth.edu 
and bar.dartmouth.edu. I've also got 2 instances of Apache configured to run, 
since I believe I need to do IP-based virtual hosting to accomplish what I need: 
foo is an HTTP server and bar needs to be an HTTP/HTTPS server.

We have a key file and a Dartmouth-signed certificate built for 
bar.dartmouth.edu and I'm using an ssl.conf file that looks like this:

----------------
#SSL.CONF for bar.dartmouth.edu

Listen 129.170.xxx.yyy:443
SSLEngine on

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/bar.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/bar.key
SSLCACertificatePath /usr/local/apache2/conf/ssl.crt
SSLVerifyClient optional
SSLVerifyDepth  5

SSLPassPhraseDialog  builtin
SSLSessionCache dbm:/usr/local/apache2/logs/ssl_scache
SSLSessionCacheTimeout 300

AcceptMutex flock
LockFile /usr/local/apache2/logs/httpd.lock
SSLMutex  file:/usr/local/apache2/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost 129.170.xxx.yyy:443>
     DocumentRoot "/Library/WebServer/Documents"
     ServerName bar.dartmouth.edu
     ServerAdmin webmaster@dartmouth.edu

     ErrorLog /usr/local/apache2/logs/error_log
     TransferLog /usr/local/apache2/logs/access_log
     CustomLog /usr/local/apache2/logs/ssl_request_log \
               "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
----------------


When I try to launch Apache with this config file, I get this in my logs/error_log:

[Fri Jan 20 13:09:36 2006] [warn] RSA server certificate CommonName (CN) 
`bar.dartmouth.edu' does NOT match server name!?
[Fri Jan 20 13:09:36 2006] [error] Illegal attempt to re-initialise SSL for 
server (theoretically shouldn't happen!)

I think these errors are trying to point me in the right direction, but I just 
don't know enough about mod_ssl to know what direction that is. Given that the 
HTTP responder on port 80 works just fine for bar.dartmouth.edu, I can't see how 
there could be confusion over the CommonName.

Can someone help me decipher this and figure out why I can't get my SSL instance 
running? Is there something I'm just not setting in my ssl.conf file? Is there 
more info that I need to post? Things are getting a little desperate for us with 
this server, so any help I can get would be most appreciated. Thanks.

-Brian
----
Brian V. Hughes
Associate Director for Web Operations (aka. Webmaster)
Computing Technical Services
Dartmouth College
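
Added example, not part of either message above: a shell check that compares the CommonName in a certificate with the ServerName directive of a config file, the two values the mod_ssl warning in the quoted error_log refers to. The function names, the temporary directory and the throwaway self-signed certificate are constructed for the demonstration; only the host names come from the thread.

```sh
#!/bin/sh
# Added example: does the certificate's CN match the vhost's ServerName?
# All file names and the mktemp directory are constructed for this demo.

# Print the CommonName from the subject of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p'
}

# Print the first ServerName in an Apache config, without any :port suffix.
conf_servername() {
    awk 'tolower($1) == "servername" { sub(/:[0-9]+$/, "", $2); print $2; exit }' "$1"
}

# Succeed only when both names are present and equal (case-insensitive).
check_cn() {
    cn=$(cert_cn "$1" | tr '[:upper:]' '[:lower:]')
    sn=$(conf_servername "$2" | tr '[:upper:]' '[:lower:]')
    if [ -n "$cn" ] && [ "$cn" = "$sn" ]; then
        echo "OK: CN '$cn' matches ServerName"
    else
        echo "MISMATCH: CN '$cn' vs ServerName '$sn'"
        return 1
    fi
}

# Demo: throwaway self-signed certificate for the host name used in the thread.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example/CN=bar.dartmouth.edu" \
    -keyout "$demo/bar.key" -out "$demo/bar.crt" 2>/dev/null

# Constructed one-line configs: one matching, one not.
printf 'ServerName bar.dartmouth.edu\n' > "$demo/good.conf"
printf 'ServerName foo.dartmouth.edu\n' > "$demo/bad.conf"

check_cn "$demo/bar.crt" "$demo/good.conf" || true
check_cn "$demo/bar.crt" "$demo/bad.conf" || true
```

Against a real server, pass the file named in SSLCertificateFile and the config file that holds the virtual host's ServerName.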
