LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 07-11-2005, 11:54 PM   #1
Swakoo
Member
 
Registered: Apr 2005
Distribution: Red Hat / Fedora / CentOS
Posts: 508

Rep: Reputation: 30
Multiple RSA Server Certificate


I have many domains in one machine (virtual hosts) and one required SSL.
I got my cert from Thawte.

As I link to my cert via ssl.conf, if I were to need SSL for my other domains, how should I do it? I read somewhere that it can't be done for cert from CAs, but self-signed possible.. anyone?

I link to my ssl via ssl.conf under the option SSLCertificateFile.
I commented the default one (server.key) and linked to mine own one (domainname.com.key)

please advice
 
Old 07-12-2005, 03:50 AM   #2
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,192

Rep: Reputation: 101Reputation: 101
You can have multiple certs, you need a separate IP address for each website and then in httpd.conf you can set up IP-based virtual hosts. Name based birtual hosts will not work with the secure protocol
 
Old 07-12-2005, 04:00 AM   #3
Swakoo
Member
 
Registered: Apr 2005
Distribution: Red Hat / Fedora / CentOS
Posts: 508

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by phil.d.g
You can have multiple certs, you need a separate IP address for each website and then in httpd.conf you can set up IP-based virtual hosts. Name based birtual hosts will not work with the secure protocol
Currently I am having 1 physical machine with many virtual host: that is consider named-based hosting with virtual host is it? not sure if the terminology used is right here...

So basically.. means I can't? Trying to find proper documentation to show my superior on this... only found one out dated one that talks about it
 
Old 07-12-2005, 05:17 AM   #4
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,192

Rep: Reputation: 101Reputation: 101
You can have many IP addresses point to your physical machine. My ISP have assigned me a block of 8 IPs that all point to my router for example. If you only have the 1 IP then you are stuck with namebased virtual hosting and can't have multiple secure virtual hosts on your machine.

IP based virtual hosts is where apache decides which wesbite to serve dependant on which IP the browser used to access the site.

Name based virtual hosts is where apache decides which website to serve dependant on the actual domain specified in the address bar of the browser, this only works with the newer http/1.1 version, which most browsers support anyway. Normally in this case all domains hosted on the server have A records pointing to the same IP

Last edited by phil.d.g; 07-12-2005 at 05:20 AM.
 
Old 07-15-2005, 12:07 AM   #5
Swakoo
Member
 
Registered: Apr 2005
Distribution: Red Hat / Fedora / CentOS
Posts: 508

Original Poster
Rep: Reputation: 30
if say I can achieve/get multiple IPs for my one server, how do I set my ssl.conf to use the multipe cert/keys?

currently i point SSLCertificateFile to the one i have... and the SSLCertificateKey to the key...

when i try to add a second line to add the default server.key httpd can't start..

please advise
 
Old 07-15-2005, 04:10 AM   #6
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,192

Rep: Reputation: 101Reputation: 101
You'll find a section in ssl.conf if using apache2 or at the bottom of httpd.conf if using apache1.3 like:
Code:
<VirtualHost _default_:443>
...
lots of options
...
<VirtualHost>
Copy and paste the whole section and for the second change the options to point to the new certificates and wesbite content, for both virtual hosts change _default_ in the line <VirtualHost _default_:443> to one of your allocated IPs and check in httpd.conf that apache is listening on all IPs and restricted to 1.

Last edited by phil.d.g; 07-15-2005 at 04:11 AM.
 
Old 07-15-2005, 06:45 AM   #7
Swakoo
Member
 
Registered: Apr 2005
Distribution: Red Hat / Fedora / CentOS
Posts: 508

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by phil.d.g
You'll find a section in ssl.conf if using apache2 or at the bottom of httpd.conf if using apache1.3 like:
Code:
<VirtualHost _default_:443>
...
lots of options
...
<VirtualHost>
Copy and paste the whole section and for the second change the options to point to the new certificates and wesbite content, for both virtual hosts change _default_ in the line <VirtualHost _default_:443> to one of your allocated IPs and check in httpd.conf that apache is listening on all IPs and restricted to 1.
oooh so 2 sets of options for 2 host with different IPs?

then whats the diff if i specify the .key and .crt in this ssl.conf, as compared to specifiying it in httpd.conf?

Mine current config is such that... in httpd.conf for one of the virtual host...
Quote:
<IfDefine HAVE_SSL>
<VirtualHost *:443>
ServerAdmin admin@domain.com
DocumentRoot /home/www/wwwroot
ServerName www.domain.com
ServerAlias www2.domain.com.sg
ErrorDocument 402 /core/error400.php
ErrorDocument 403 /core/error400.php
ErrorDocument 404 /core/error400.php
ErrorDocument 500 /core/error400.php
CustomLog /var/log/httpd/www.domain.com.access_log common
ErrorLog /var/log/httpd/www.domain.com.error_log
SSLEngine off
SSLCertificateFile /etc/httpd/conf/ssl.crt/www2.domain.com.sg.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www2.domain.com.sg.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
</IfDefine>
In ssl.conf I have 3 lines that I changed...

Quote:
DocumentRoot "/home/www/wwwroot"
SSLCertificateFile /etc/httpd/conf/ssl.crt/www2.domain.com.sg.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www2.domain.com.sg.key
1) SSL Engine is off in httpd.conf, ssl still works somehow??

2) I point directly to the document root, sslcert and sslkey... correct? because httpd.conf i specify also... double job? Initialy I had problem with ssl as i configure httpd.conf only, but after i configure ssl.conf it works. seems like configuring in httpd.conf don make any effect?

and it was through configuring this i realise... works only for one virutal host...

3) my cert is www2.domain.com.sg, as i was told must be same name as domain, but if i have a different alias as in this case www.domain.com, how? will it still work?

4) SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
what does it mean?

5) so must these settings be same for ssl.conf and httpd.conf ??

thanks
 
Old 07-15-2005, 08:10 AM   #8
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,192

Rep: Reputation: 101Reputation: 101
no, if you have a ssl.conf file then put all your configuration in there, in httpd.conf it will include the file ssl.conf, only in earlier versions of apache you didn't get a ssl.conf, everything was put into httpd.conf. Just to make myself clear if there is a ssl.conf file then put everything to do with ssl in that and not httpd.conf.

If you have an alias and set it up correctly it should go to the right site but you will get an error similar to this image. I'll leave that image on my server for a couple of days only.

I'm not entirely sure what the line in 4 does, alls I know it is required for internet explorer, its due to a bug or incompatability with Microsoft's browser, I'm not sure which

And to reiterate, since you asked again, the ssl options only go in one of the config files, and only httpd.conf if and only if ssl.conf doesn't exist

Last edited by phil.d.g; 07-15-2005 at 08:12 AM.
 
Old 07-18-2005, 12:18 AM   #9
Swakoo
Member
 
Registered: Apr 2005
Distribution: Red Hat / Fedora / CentOS
Posts: 508

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by phil.d.g
no, if you have a ssl.conf file then put all your configuration in there, in httpd.conf it will include the file ssl.conf, only in earlier versions of apache you didn't get a ssl.conf, everything was put into httpd.conf. Just to make myself clear if there is a ssl.conf file then put everything to do with ssl in that and not httpd.conf.

If you have an alias and set it up correctly it should go to the right site but you will get an error similar to this image. I'll leave that image on my server for a couple of days only.

I'm not entirely sure what the line in 4 does, alls I know it is required for internet explorer, its due to a bug or incompatability with Microsoft's browser, I'm not sure which

And to reiterate, since you asked again, the ssl options only go in one of the config files, and only httpd.conf if and only if ssl.conf doesn't exist
Hi saw the image.. meaning to say.. i can't have the ssl cert work for both the actual domain and the alias name? or is there a way around it?

ok, i am using apache2...

hmm so saying that.. the DocumentRoot in ssl.conf will supercede the DocumentRoot in httpd.conf for the name-based virtual host that is ssl-enabled?
Meaning to say, whatever I do in httpd.conf for this virtual host (DocumentRoot, SSLCertificateFile, SSLCertificateKeyFile), as long as I specify it in ssl.conf it will take effect from there?

Same goes for SSLEngine On/Off ?

thanks dude!
 
Old 07-18-2005, 04:13 AM   #10
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,192

Rep: Reputation: 101Reputation: 101
I certificate is only good for one domain, if you set an alias then try and connect with that alias you will get the message in the link, it doesn't mean that the actual connection is any less secure though, it means that you are connecting to one host but the certificate is for another host. There is no way around this. For every hostname/domain you need a separate cert and and a IP dedicated to that domain.

ssl.conf is included in httpd.conf, see the end of section2 of httpd.conf. You don't want to be setting one host in ssl.conf and the same host in httpd.conf, that will just lead to unpredictable results, well maybe not unpredictable but I don't know which one apache will use, the first settings or the last.

In the earlier 1.3 series of apache there wasn't an ssl.conf, it was all appended to httpd.conf.

Keep all the ssl stuff in ssl.conf and keep the global configuration and virtual hosts (name or IP based) for normal connections (port 80) in httpd.conf
 
Old 07-19-2005, 04:40 AM   #11
Swakoo
Member
 
Registered: Apr 2005
Distribution: Red Hat / Fedora / CentOS
Posts: 508

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by phil.d.g
I certificate is only good for one domain, if you set an alias then try and connect with that alias you will get the message in the link, it doesn't mean that the actual connection is any less secure though, it means that you are connecting to one host but the certificate is for another host. There is no way around this. For every hostname/domain you need a separate cert and and a IP dedicated to that domain.

ssl.conf is included in httpd.conf, see the end of section2 of httpd.conf. You don't want to be setting one host in ssl.conf and the same host in httpd.conf, that will just lead to unpredictable results, well maybe not unpredictable but I don't know which one apache will use, the first settings or the last.

In the earlier 1.3 series of apache there wasn't an ssl.conf, it was all appended to httpd.conf.

Keep all the ssl stuff in ssl.conf and keep the global configuration and virtual hosts (name or IP based) for normal connections (port 80) in httpd.conf
Because I was following a document to specify <IfDefine_HAVESSL> in httpd where i set the virtual host... so your recommendation is that I ignore it totally, and just leave everything (virtual host settings) as it is, and not put

- SSLEngine On
- SSLCertificateFile
- SSLCertificateKeyFile
- SetEnvIf User-Agent

if i just have the standard <VirtualHost></VirtualHost> without defining SSL, will the https connection to the particular domain still work?

For the last one, without it in the virtual host area, site won't work in IE...
the SSLEngine... doesn't make any difference...

SSLCertificateFile and SSLCertificateKeyFile

there?

Or I still need it to be there?

For document root, i think i will leave it at the virtual host settings as you mentioned.
 
Old 07-19-2005, 09:25 AM   #12
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,192

Rep: Reputation: 101Reputation: 101
Follow the guide you have but instead of editing httpd.conf, edit ssl.conf - you will find all the defaults have been set in there and you can change them to suit your particular environment. It seems with the newest versions of apache they want to separate the ssl config from the rest of the configuration
 
Old 07-19-2005, 09:55 PM   #13
Swakoo
Member
 
Registered: Apr 2005
Distribution: Red Hat / Fedora / CentOS
Posts: 508

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by phil.d.g
Follow the guide you have but instead of editing httpd.conf, edit ssl.conf - you will find all the defaults have been set in there and you can change them to suit your particular environment. It seems with the newest versions of apache they want to separate the ssl config from the rest of the configuration
What about SSLEngine On/Off?
And do I still need to define another similiar set of virtual host settings with addiditonal <IfDefine_HAVESSL></IfDefine> tags?

thanks dude, you've been great help!
 
Old 07-20-2005, 06:30 AM   #14
Swakoo
Member
 
Registered: Apr 2005
Distribution: Red Hat / Fedora / CentOS
Posts: 508

Original Poster
Rep: Reputation: 30
been doing some testing (as I am trying to get the ssl site to work via a load balancer - headache... but fun at the same time)

just did some test and have some thoughts. am i right to say.. if i already have a <Virtualhost> setting for a particular domain, and I want it to have SSL connectivity, i can ignore adding another <VirtualHost> settings with the <IfDefine_HAVESSL> settings? As long as in ssl.conf i point:

- DocumentRoot
- SSLCertificateFile
- SSLCertificateKeyFile....

correctly, it will automatically allow the SSL connection? No need to create an extra virtual host tage just for port 443 and ssl blah blah?


And if say, I want to allow multiple named based virtual host to have SSL (but only 1 IP - yeah shitty huh), I can spoof it by creating another <virtualhost> in ssl.conf but use another port.. say.. port 444... will it work? if the links are given such as https://domainwithssl.com:444

thanks people!
 
Old 07-20-2005, 08:44 AM   #15
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,192

Rep: Reputation: 101Reputation: 101
SSLEngine On/Off should be in ssl.conf

<If Define SSL> bit tells apache to only use these options if you have issued a `httpd startssl` rather than just `httpd start`, you still need the virtual host bit.

Yes you can have different secure sites on different ports with the same IP, but only 1 secure site per port.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Apache certificate server progjm Linux - Security 4 07-09-2005 03:10 PM
SSH use RSA server through Firewall gtomczyk Linux - Security 1 09-11-2003 06:03 PM
Linux ssh with Windows RSA server gtomczyk Linux - Software 0 09-08-2003 05:22 PM
Apache (mod_ssl) causes server to die because of missing DSA certificate BxBoy Linux - Software 1 08-18-2003 02:08 PM
2 certificate ssl in 1 server apache simquest Linux - Software 2 07-24-2002 12:47 PM


All times are GMT -5. The time now is 10:59 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration