Posted to users@httpd.apache.org by Mark Drummond <md...@gmail.com> on 2007/05/10 02:42:30 UTC

[users@httpd] Multiple certs & virtual hosts

Hi all,

I have two different key files and their associated certs in PEM encoded
files. I have two virtualhosts defined. The virtualhosts are working fine,
in as much as they are pointing at different doc roots and I can browse to
each virtual host. But both virtuals are using the cert of the first virtual
in the config file. The second virtual is not using its own cert, even
though its cert directives are pointing at its own key and cert files. The
below is an edited version of my configuration.

<VirtualHost *:443>
        ServerName server1
        DocumentRoot "/server1"
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

        SSLCertificateFile server1.crt
        SSLCertificateKeyFile server1.key
</VirtualHost>

<VirtualHost *:443>
        ServerName server2
        DocumentRoot "/server2"
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile server2.crt
        SSLCertificateKeyFile server2.key
</VirtualHost>

So when I browse to https://server2, Firefox has "server2" down in the
bottom right corner of the browser window, but if I bring up the security
dialog and look at the cert, it is the server1 cert.

Any ideas?

Apache 2.0.59 binary build from sunfreeware.com plus supporting tools. Keys
and certs are self-signed, generated with openssl.

Mark


-- 
Georgia: Why am I not doing what they're doing?
Rube: Because you're doing what you're doing. When it's time for you to do
something else you'll do that.

Re: [users@httpd] Multiple certs & virtual hosts

Posted by Jaqui Greenlees <ja...@yahoo.ca>.
--- Mark Drummond <md...@gmail.com> wrote:

> Thanks Serge. I actually saw this and it had me
> confused because the name
> based virtual host is working fine (in the sense
> that I am getting the right
> content back from each virtual host) but the second
> host was using the first
> host's cert. I'll switch to IP based virtuals.
> Thanks!
> 
> Mark

Mark,
This is one that seems to catch people quite often.
I'm thinking it might be a good idea to add to the
comments for virtual host configuration in the default
httpd.conf the explicit statement that name-based
virtual hosting does not work with the HTTPS protocol;
for secure sites you need to use IP-based virtual
hosting. It would save a lot of people hours of
frustration.
(Maybe this message will spark the idea in the
developers to change the default httpd.conf to include
this information.)

Jaqui



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Multiple certs & virtual hosts

Posted by Mark Drummond <md...@gmail.com>.
Thanks Serge. I actually saw this and it had me confused because the name
based virtual host is working fine (in the sense that I am getting the right
content back from each virtual host) but the second host was using the first
host's cert. I'll switch to IP based virtuals. Thanks!

Mark

On 09/05/07, Serge Dubrouski <se...@gmail.com> wrote:
>
> You can't have 2 different SSL certificates on one IP address. See the
> FAQ.
>
> On 5/9/07, Mark Drummond <md...@gmail.com> wrote:
> > Hi all,
> >
> > I have two different key files and their associated certs in PEM encoded
> > files. I have two virtualhosts defined. The virtualhosts are working fine,
> > in as much as they are pointing at different doc roots and I can browse to
> > each virtual host. But both virtuals are using the cert of the first virtual
> > in the config file. The second virtual is not using its own cert, even
> > though its cert directives are pointing at its own key and cert files. The
> > below is an edited version of my configuration.
> >
> > <VirtualHost *:443>
> >         ServerName server1
> >         DocumentRoot "/server1"
> >         SSLEngine on
> >         SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >         SSLCertificateFile server1.crt
> >         SSLCertificateKeyFile server1.key
> > </VirtualHost>
> >
> > <VirtualHost *:443>
> >         ServerName server2
> >         DocumentRoot "/server2"
> >         SSLEngine on
> >         SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >         SSLCertificateFile server2.crt
> >         SSLCertificateKeyFile server2.key
> > </VirtualHost>
> >
> > So when I browse to https://server2, Firefox has "server2" down in the
> > bottom right corner of the browser window, but if I bring up the security
> > dialog and look at the cert, it is the server1 cert.
> >
> > Any ideas?
> >
> > Apache 2.0.59 binary build from sunfreeware.com plus supporting tools. Keys
> > and certs are self-signed, generated with openssl.
> >
> > Mark
> >
> > --
> > Georgia: Why am I not doing what they're doing?
> > Rube: Because you're doing what you're doing. When it's time for you to do
> > something else you'll do that.


-- 
Georgia: Why am I not doing what they're doing?
Rube: Because you're doing what you're doing. When it's time for you to do
something else you'll do that.

Re: [users@httpd] Multiple certs & virtual hosts

Posted by Serge Dubrouski <se...@gmail.com>.
You can't have 2 different SSL certificates on one IP address. See the FAQ.

On 5/9/07, Mark Drummond <md...@gmail.com> wrote:
> Hi all,
>
> I have two different key files and their associated certs in PEM encoded
> files. I have two virtualhosts defined. The virtualhosts are working fine,
> in as much as they are pointing at different doc roots and I can browse to
> each virtual host. But both virtuals are using the cert of the first virtual
> in the config file. The second virtual is not using its own cert, even
> though its cert directives are pointing at its own key and cert files. The
> below is an edited version of my configuration.
>
> <VirtualHost *:443>
>         ServerName server1
>         DocumentRoot "/server1"
>         SSLEngine on
>         SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>         SSLCertificateFile server1.crt
>         SSLCertificateKeyFile server1.key
> </VirtualHost>
>
> <VirtualHost *:443>
>         ServerName server2
>         DocumentRoot "/server2"
>         SSLEngine on
>         SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>         SSLCertificateFile server2.crt
>         SSLCertificateKeyFile server2.key
> </VirtualHost>
>
> So when I browse to https://server2, Firefox has "server2" down in the
> bottom right corner of the browser window, but if I bring up the security
> dialog and look at the cert, it is the server1 cert.
>
> Any ideas?
>
> Apache 2.0.59 binary build from sunfreeware.com plus supporting tools. Keys
> and certs are self-signed, generated with openssl.
>
> Mark
>
> --
> Georgia: Why am I not doing what they're doing?
> Rube: Because you're doing what you're doing. When it's time for you to do
> something else you'll do that.



Re: [users@httpd] Multiple certs & virtual hosts

Posted by Joshua Slive <jo...@slive.ca>.
On 5/9/07, Mark Drummond <md...@gmail.com> wrote:
> Hi all,
>
> I have two different key files and their associated certs in PEM encoded
> files. I have two virtualhosts defined. The virtualhosts are working fine,
> in as much as they are pointing at different doc roots and I can browse to
> each virtual host. But both virtuals are using the cert of the first virtual
> in the config file. The second virtual is not using its own cert, even
> though its cert directives are pointing at its own key and cert files. The
> below is an edited version of my configuration.

You must give each vhost a separate IP address. See:
http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts

Joshua.
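
A check for the situation discussed in this thread, as an added example that is not part of the original messages: it groups SSL-enabled vhosts by address:port and reports any whose certificate differs from the first vhost on that address, which is the certificate a server without SNI (such as the Apache 2.0.59 build above) presents. The sample configs are constructed, and the 192.0.2.x addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample input mirroring the config posted in the thread.
SHARED_ADDRESS = """
<VirtualHost *:443>
    ServerName server1
    SSLEngine on
    SSLCertificateFile server1.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName server2
    SSLEngine on
    SSLCertificateFile server2.crt
</VirtualHost>
"""
# Same vhosts made IP-based; 192.0.2.x are placeholder documentation addresses.
IP_BASED = (SHARED_ADDRESS.replace("*:443", "192.0.2.10:443", 1)
            .replace("*:443", "192.0.2.11:443", 1))

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)

def directive(body, name):
    """Return the first argument of a directive in a vhost body, or None."""
    m = re.search(rf"^\s*{name}\s+(\S+)", body, re.I | re.M)
    return m.group(1).strip('"') if m else None

def shadowed_certs(conf):
    """Return (address, server_name, configured_cert, served_cert) for SSL vhosts
    whose own certificate is never presented when the server has no SNI."""
    by_addr = defaultdict(list)
    for addrs, body in VHOST_RE.findall(conf):
        if (directive(body, "SSLEngine") or "").lower() != "on":
            continue
        entry = (directive(body, "ServerName"), directive(body, "SSLCertificateFile"))
        for addr in addrs.split():  # grouped by literal address:port string
            by_addr[addr].append(entry)
    findings = []
    for addr, hosts in by_addr.items():
        served = hosts[0][1]  # first vhost in file order supplies the cert
        for name, cert in hosts[1:]:
            if cert != served:
                findings.append((addr, name, cert, served))
    return findings

if __name__ == "__main__":
    for addr, name, cert, served in shadowed_certs(SHARED_ADDRESS):
        print(f"{addr}: {name} has {cert} configured but clients receive {served}")
    print("IP-based layout:", shadowed_certs(IP_BASED) or "no shadowed certs")
```

The check compares address strings literally, so an overlap between `*:443` and a specific IP on the same port is not detected.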
