Posted to users@httpd.apache.org by Peter Fleck <fl...@umn.edu> on 2003/10/08 23:01:45 UTC

[users@httpd] Apache 2 VirtualHost and SSL

Greetings,

I'm using name-based virtual hosting. I want to have three sites, one 
using SSL.

Running Apache 2 on Red Hat Linux 9.

SSL is running, at least that's what cURL and the OpenSSL test say. 
And I get an error whenever I try to go to the SSL page. The error in 
the ssl_error log is:

[warn] RSA server certificate is a CA certificate (BasicConstraints: 
CA == TRUE !?)

So maybe that's the problem? I generated my own certificate and key 
for testing purposes.

Some highlights from my .conf files:

Listen 80
Listen 443

Include conf.d/ssl.conf

ServerName www.cancer.umn.edu:80
DocumentRoot "/var/www/html"

NameVirtualHost 160.94.109.179:80

<VirtualHost 160.94.109.179:80>
     ServerName www.cancer.umn.edu
     DocumentRoot /var/www/html/cc
...
</VirtualHost>

<VirtualHost 160.94.109.179:80>
     ServerName www.tturc.umn.edu
     DocumentRoot /var/www/html/tturc
...
</VirtualHost>

# THE ssl.conf file (Include above) is pretty much default except
# I commented out the 'Listen 443' since I added that above
# VirtualHost directive is:

<VirtualHost 160.94.109.179:443>
    DocumentRoot "/var/www/html/cc-secure"
    ServerName www.cancer.umn.edu
...
</VirtualHost>


### END

When I try to connect, the browser gives "Connection refused..." and 
the error I listed above appears in the ssl_error log. But when I use 
curl (curl https://www.cancer.umn.edu), I get the page in the ssl 
directory returned to the terminal window.

I'm hoping I'm missing something obvious to the experienced Apache 
users here. I've scoured the docs with no luck.

Thanks.
-- 
Peter Fleck
Webmaster | University of Minnesota Cancer Center
Dinnaken Office Bldg.
925 Delaware St. SE
Minneapolis, MN  55414
612-625-8668 | fleck004@umn.edu | www.cancer.umn.edu
Campus Mail: MMC 806

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache 2 VirtualHost and SSL

Posted by Joe Apache <ap...@productivitymedia.com>.
If you're using the basic SSL setup and you're getting a certificate problem, 
then the certificate is your problem.  Build another certificate and 
see what happens... I'm assuming that you built your cert with -x509?

J
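
The warning quoted in the original post is logged when the server certificate carries BasicConstraints CA:TRUE, which self-signed certificates made with "openssl req -x509" and a stock openssl.cnf typically do. As an added example (not from the thread; the host name, file names and the leaf_ext/ca_ext section names are constructed), the script below builds a test certificate both ways and checks the flag before the file is referenced from SSLCertificateFile:

```shell
#!/bin/sh
# Added example; www.example.test and the section names are constructed.

# write_cfg FILE: minimal req config with two alternative extension sections.
write_cfg() {
cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = www.example.test
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
}

# make_test_cert DIR SECTION: self-signed key and cert using extension SECTION.
make_test_cert() {
    write_cfg "$1/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$1/req.cnf" -extensions "$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# is_ca_cert FILE: succeeds if BasicConstraints marks the certificate as a CA.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Demo: build both variants in a scratch directory and report the flag.
tmp=$(mktemp -d)
for section in ca_ext leaf_ext; do
    make_test_cert "$tmp" "$section"
    if is_ca_cert "$tmp/$section.crt"; then
        echo "$section: CA:TRUE (mod_ssl logs the warning)"
    else
        echo "$section: CA:FALSE (leaf certificate)"
    fi
done
rm -rf "$tmp"
```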




Re: [users@httpd] Apache 2 VirtualHost and SSL

Posted by Peter Fleck <fl...@umn.edu>.
That's the setup for the default ssl.conf file and that's what I 
have. I just abbreviated the VirtualHost directive in my email.


>I think that the SSL enabled VirtualHost section needs those basic things
>included from ssl.conf.  The ssl.conf is setting things in a different
>context than the specific VirtualHost context.  I've had success by just
>copying all the basic uncommented things from ssl.conf into each of my SSL
>enabled VirtualHost sections.  Note that you can only have one SSL enabled
>VirtualHost per IP:port pair.
>
>Leif
>
>DocumentRoot "/usr/local/apache2/htdocs"
>ServerName www.xxx.com:443
>ServerAdmin you@your.address
>ErrorLog /path/to/logs/error_log
>TransferLog /path/to/logs/access_log
>SSLEngine on
>SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>SSLCertificateFile /path/to/ssl/www.xxx.com.crt
>SSLCertificateKeyFile /path/to/ssl/www.xxx.com.key
><Files ~ "\.(cgi|shtml|phtml|php3?)$">
>     SSLOptions +StdEnvVars
></Files>
><Directory "/usr/local/apache2/cgi-bin">
>     SSLOptions +StdEnvVars
></Directory>
>SetEnvIf User-Agent ".*MSIE.*" \
>          nokeepalive ssl-unclean-shutdown \
>          downgrade-1.0 force-response-1.0
>CustomLog logs/ssl_request_log \
>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
>
>

-- 
Peter Fleck
Webmaster | University of Minnesota Cancer Center
Dinnaken Office Bldg.
925 Delaware St. SE
Minneapolis, MN  55414
612-625-8668 | fleck004@umn.edu | www.cancer.umn.edu
Campus Mail: MMC 806



Re: [users@httpd] Apache 2 VirtualHost and SSL

Posted by Leif W <wa...@usa.net>.
I think that the SSL enabled VirtualHost section needs those basic things
included from ssl.conf.  The ssl.conf is setting things in a different
context than the specific VirtualHost context.  I've had success by just
copying all the basic uncommented things from ssl.conf into each of my SSL
enabled VirtualHost sections.  Note that you can only have one SSL enabled
VirtualHost per IP:port pair.

Leif

DocumentRoot "/usr/local/apache2/htdocs"
ServerName www.xxx.com:443
ServerAdmin you@your.address
ErrorLog /path/to/logs/error_log
TransferLog /path/to/logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /path/to/ssl/www.xxx.com.crt
SSLCertificateKeyFile /path/to/ssl/www.xxx.com.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/apache2/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"


