mistay n00b
Joined: 19 Apr 2005 Posts: 26
Posted: Sun Sep 11, 2005 4:43 pm Post subject: ssl certificates

hi there
i tried to set up a couple of virtual hosts in apache with ssl support. my config looks like:
Code:
<VirtualHost <IP>:443>
...
SSLCertificateFile /etc/apache2/conf/ssl/vhost1.crt
SSLCertificateKeyFile /etc/apache2/conf/ssl/vhost1.key
</VirtualHost>
<VirtualHost <IP>:443>
...
SSLCertificateFile /etc/apache2/conf/ssl/vhost2.crt
SSLCertificateKeyFile /etc/apache2/conf/ssl/vhost2.key
</VirtualHost>

as i start apache there occurs no error in the vhost's error log, so the key/certs are probably correctly installed.
but when i try to connect with the web browser to vhost2, the browser claims that the certificate of vhost1 does not match the servername of vhost2. this results in a nasty message box and the assumption that the certs were not installed correctly.
any thoughts?
regards, armin.

ekutay l33t
Joined: 30 Mar 2005 Posts: 636 Location: Berlin
Posted: Sun Sep 11, 2005 7:48 pm

Are the server names different for your virtual hosts? You use IP based virtual hosts. The name or alias of the vhost has to be the same as the name on the certificate, otherwise you get the delightful message box.
Have you set the ServerName directive somewhere in your configuration or in a virtual host context directly?
-- erol

mistay n00b
Joined: 19 Apr 2005 Posts: 26
Posted: Sun Sep 11, 2005 8:53 pm

thanx for your quick response!
the server names are within the virtual host definitions. a typical config looks like:
Code:
<VirtualHost 62.99.210.121:80>^M
DocumentRoot /web/langhofer/100/langhofer.at/htdocs^M
ServerName langhofer.at^M
ServerAlias *.langhofer.at langhofer.de *.langhofer.de langhofer.name *.langhofer.name^M
ErrorDocument 404 http://langhofer.at/404.php^M
ErrorLog /web/langhofer/100/langhofer.at/logs/error.log^M
TransferLog /web/langhofer/100/langhofer.at/logs/access.log ^M
^M
^M
ScriptAlias /cgi-bin /web/langhofer/100/langhofer.at/cgi-bin^M
Alias /webalizer /web/langhofer/100/langhofer.at/webalizer^M
<Directory "/web/langhofer/100/langhofer.at/htdocs">
AllowOverride AuthConfig^M
</Directory>^M
<Directory "/web/langhofer/100/langhofer.at/webalizer">^M
Redirect /webalizer https://langhofer.at/webalizer^M
</Directory>^M
.. some php config parameter ..
</VirtualHost>^M

and nearly the same config for port 443 https://
Code:
<VirtualHost 62.99.210.121:443>^M
DocumentRoot /web/langhofer/100/langhofer.at/htdocs^M
ServerName langhofer.at^M
... exactly the same as in the :80 vhost lines are cut here ...
SSLEngine on^M
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL^M
SSLCertificateFile /etc/apache2/conf/ssl/server.crt^M
SSLCertificateKeyFile /etc/apache2/conf/ssl/server.key^M
</VirtualHost>^M

ekutay l33t
Joined: 30 Mar 2005 Posts: 636 Location: Berlin
Posted: Sun Sep 11, 2005 9:58 pm

First, what are those ^M? You'd better remove Windows line endings, dos2unix is your friend.
The CN of the certificate is web2.langhofer.net for
Code:
openssl s_client -connect langhofer.at:443

Don't know if this is the real server though.
-- erol

mistay n00b
Joined: 19 Apr 2005 Posts: 26
Posted: Sun Sep 11, 2005 10:18 pm

ekutay, thanx for your super-quick responses.
the first vhost is langhofer.net, the second is webgast.at
both langhofer.net and webgast.at return the outdated certificate "web2.langhofer.net" although i configured webgast.at to use another certificate (another file).
langhofer.net
Code:
SSLCertificateFile /etc/apache2/conf/ssl/server.crt^M
SSLCertificateKeyFile /etc/apache2/conf/ssl/server.key^M

webgast.at
Code:
SSLCertificateFile /etc/apache2/conf/ssl/webgast.at.crt^M
SSLCertificateKeyFile /etc/apache2/conf/ssl/webgast.at.key^M

it seems that apache uses the certificate of langhofer.net instead of the one provided in the webgast.at vhost ... don't know why.
--
the ^M is a result of generating the config file by a script and copying it over ssh onto another server, just ignore it, it has nothing to do with the problem here ...

ekutay l33t
Joined: 30 Mar 2005 Posts: 636 Location: Berlin
Posted: Sun Sep 11, 2005 10:49 pm

If you switch the order in your config, which file is selected? No, don't try, just kidding.
Your setup will not work imho. The reason is that you are trying to register the two ssl-certificates using IP based virtual hosting. For this you'd need different IP addresses, which is not the case on my side of the line.
Quote:
erol@ARILLIN:~ > host langhofer.net
langhofer.net has address 62.99.210.121
erol@ARILLIN:~ > host webgast.at
webgast.at has address 62.99.210.121

Add a line containing
Code:
NameVirtualHost 62.99.210.121

before the virtual host statements. This should activate name based virtual hosting.
Edit: And .... fix the script then
-- erol

mistay n00b
Joined: 19 Apr 2005 Posts: 26
Posted: Mon Sep 12, 2005 7:04 pm

hi
i already have those directives. otherwise apache throws me an error message.
i have:
Code:
NameVirtualHost 62.99.210.121:80
NameVirtualHost 62.99.210.121:443
Include conf/vhosts/vhosts-generated.conf

regards, armin.

Reppy n00b
Joined: 08 Jun 2004 Posts: 6 Location: Germany
Posted: Mon Sep 12, 2005 11:18 pm

Hi there
i have the same problem.
Apache only imports the first SSL certificate. All following certificates are ignored.
Syslog normally logs
Quote:
[Tue Sep 13 00:54:02 2005] [warn] RSA server certificate CommonName (CN) `www.your-domain.tld' does NOT match server name!?

when the "CN" and the "ServerName" do not match.
When connecting to an SSL vhost (other than the first) it logs no error at all. It just logs the access to the vhost.
The browser tells me that the hostname and the CN do not match, and when I ignore this "error" I can use the vhost I set up. Only the wrong certificate is loaded.
All the paths are ok and the certificates all have the right CN (=ServerName).
My apache-ssl-config is the "same" as above...
horrible

mistay n00b
Joined: 19 Apr 2005 Posts: 26
Posted: Tue Sep 13, 2005 4:07 pm

i tried to explain exactly what you're talking about.
the vhost's ssl certificate path is (kind of) simply ignored.
Code:
Tue 13.09.|18:06:22 web2 ~ # apache2ctl -v
Server version: Apache/2.0.51
Server built: Oct 2 2004 01:59:48
T

any thoughts?

ekutay l33t
Joined: 30 Mar 2005 Posts: 636 Location: Berlin
Posted: Tue Sep 13, 2005 11:13 pm

Sorry, during this thread I forgot the initial topic. As far as I know you cannot use name based virtual hosts for SSL, hence you need two IP addresses.
-- erol

mistay n00b
Joined: 19 Apr 2005 Posts: 26
Posted: Wed Sep 14, 2005 6:54 pm

http://www.webmasterworld.com/forum92/3356.htm
either the port number or the ip address has to be unique in order to work with ssl 
Last edited by mistay on Thu Sep 15, 2005 7:27 pm; edited 1 time in total

mistay n00b
Joined: 19 Apr 2005 Posts: 26
Posted: Thu Sep 15, 2005 7:27 pm

hey there,
i set up another vhost running on a unique port (tcp/444) and tadaaa: the certificate was accepted immediately; so the config was correct but the port number was not.
so ... this thread is now resolved, regards, armin.
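As an added example (not code from the thread or from Apache), a small Python linter that applies the rule this thread arrived at: when several SSL vhosts are bound to the same IP:port, Apache of this era presents the first block's certificate to every client, so any ServerName further down never gets its own and the browser reports the CN mismatch seen above. It parses a constructed config modelled on armin's (ServerName, SSLEngine and SSLCertificateFile are real directives; third.example is a placeholder name) and assumes a pre-SNI Apache such as the 2.0.51 here, since later releases with SNI can serve a distinct certificate per name.

```python
"""Flag Apache SSL vhosts that share one IP:port (added example, not from the thread)."""
import re
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(
    r"^\s*(ServerName|SSLEngine|SSLCertificateFile)\s+(\S+)", re.M | re.I)

# Constructed sample modelled on the thread: two SSL vhosts on 62.99.210.121:443 plus the port-444 one from the final post; third.example is a placeholder name.
SAMPLE = """NameVirtualHost 62.99.210.121:443
<VirtualHost 62.99.210.121:443>
    ServerName langhofer.net
    SSLEngine on
    SSLCertificateFile /etc/apache2/conf/ssl/server.crt
</VirtualHost>
<VirtualHost 62.99.210.121:443>
    ServerName webgast.at
    SSLEngine on
    SSLCertificateFile /etc/apache2/conf/ssl/webgast.at.crt
</VirtualHost>
<VirtualHost 62.99.210.121:444>
    ServerName third.example
    SSLEngine on
    SSLCertificateFile /etc/apache2/conf/ssl/third.crt
</VirtualHost>
"""

def parse_ssl_vhosts(config):
    """Return (address, ServerName, SSLCertificateFile) for every vhost with SSLEngine on."""
    vhosts = []
    for m in VHOST_RE.finditer(config.replace("\r", "")):  # tolerate the ^M line endings
        addr, body = m.group(1).strip(), m.group(2)
        d = {k.lower(): v for k, v in DIRECTIVE_RE.findall(body)}
        if d.get("sslengine", "").lower() == "on":
            vhosts.append((addr, d.get("servername", "?"), d.get("sslcertificatefile")))
    return vhosts

def find_shadowed(config):
    """Pre-SNI Apache finishes the TLS handshake before it sees the Host header, so the
    FIRST vhost on an address:port supplies the certificate for all later ones there.
    Returns {shadowed ServerName: (ServerName whose cert is sent, that cert file)}."""
    first, shadowed = {}, {}
    for addr, name, cert in parse_ssl_vhosts(config):
        if addr not in first:
            first[addr] = (name, cert)
        elif first[addr][1] != cert:  # identical cert file on both would be harmless
            shadowed[name] = first[addr]
    return shadowed

if __name__ == "__main__":
    print(find_shadowed(SAMPLE))  # {'webgast.at': ('langhofer.net', '/etc/apache2/conf/ssl/server.crt')}
```

Moving the shadowed vhost to its own port (as armin did with tcp/444) or its own IP empties the result, which is exactly the fix the thread ended on.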