LinuxQuestions.org
Old 02-01-2012, 11:25 AM   #1
j.smith1981
Member
 
Registered: Feb 2009
Distribution: Mainly CentOS6.4 x64
Posts: 161

Rep: Reputation: 1
Setup sample SSL subdomain site but keeps going to www


I am getting a bit confused with what I have done here.

I got SSL working on HTTPS; the problem is I have, say, https://subdomain.mydomain.com

But I don't want it to go to https://www.mydomain.com, though that's what it's doing.

I have the following config, but this doesn't work:
Quote:
<VirtualHost *:443>
ServerAdmin webmaster@mydomain.com
Servername subdomain.mydomain.com
DocumentRoot /var/www/subdomain.mydomain.com

<Directory "/var/www/subdomain.mydomain.com">
Order allow,deny
Allow from All
Options None
AllowOverride None
</Directory>

SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/subdomain.mydomain.com.cert
SSLCertificateKeyFile /etc/pki/tls/private/subdomain.mydomain.com.key
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

</VirtualHost>
There's got to be something obvious I have overlooked, but I really am stuck; any help is appreciated,
Jeremy.
 
Old 02-01-2012, 12:22 PM   #2
bathory
Hi,

I see you're using <VirtualHost *:443>.
Do you have other SSL vhosts defined along with subdomain.mydomain.com? If you have more than one SSL vhost, then it looks like Apache somehow does not read the config you've posted and uses the default vhost, which I guess is www.mydomain.com. Also, for multiple SSL vhosts you have to add:
Code:
NameVirtualHost *:443
If you have just one SSL vhost, then remove the <VirtualHost *:443> tag (and the closing </VirtualHost>), so there is only subdomain.mydomain.com defined as the default SSL vhost.

Regards
 
Old 02-01-2012, 12:31 PM   #3
j.smith1981
Original Poster
I will check, but I don't have any virtual hosts on SSL at all.

Could it be the unsecured ones that are causing the problem then? I.e. the ones that are just HTTP?
 
Old 02-01-2012, 12:43 PM   #4
bathory
If you don't have other SSL vhosts on that same Apache, then remove the 2 tags (<VirtualHost *:443> and </VirtualHost>), as they are of no use here.
Also, you can post httpd.conf, ssl.conf and any other config files that can be of help, so we can have a better look at your Apache configuration.
 
Old 02-01-2012, 01:18 PM   #5
j.smith1981
Original Poster
OK, I will get back to you; thanks for your help so far.

Jeremy.
 
Old 02-01-2012, 02:33 PM   #6
j.smith1981
Original Poster
OK, I have it. The virtual hosts that this works on, so to speak, are these:

Quote:
<VirtualHost *:80>
ServerAdmin webmaster@mydomain.co.uk
DocumentRoot /www/mydomain.co.uk/html
ServerName www.mydomain.co.uk

ErrorLog /www/mydomain.co.uk/logs/www.mydomain.co.uk-error_log
CustomLog /www/mydomain.co.uk/logs/www.mydomain.co.uk-access_log "combined"

LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IndexIgnore .htaccess .??* *~ *# HEADER* README* RCS CVS *,v *,t *.inc *.csv *.txt *.sql

<Directory "/www/mydomain.co.uk/html">
Options None
Order allow,deny
Allow from all
</Directory>

<Directory "/www/mydomain.co.uk/html/images">
# Options None
Options +Indexes
Order allow,deny
Allow from all
</Directory>


AddHandler cgi-script .cgi .pl
ScriptAlias /cgi-bin "/www/mydomain.co.uk/cgi-bin/"

<Directory "/www/mydomain.co.uk/cgi-bin">
Options +ExecCGI
Order allow,deny
Allow from all
</Directory>

AliasMatch ^/manual(?:/(?:de|en|fr|ja|ko|ru))?(/.*)?$ "/var/www/manual$1"

<Directory "/var/www/manual">
Options Indexes
Order deny,allow
Deny from All
Allow from 192.168.0.0/24
Allow from 84.12.98.134
</Directory>

Alias /php-manual "/var/www/php_manual_last_update_16092011_1018/php-chunked-xhtml"

<Directory "/var/www/php_manual_last_update_16092011_1018/php-chunked-xhtml">
Order deny,allow
Deny from All
Allow from 192.168.0.0/24
Allow from 84.12.98.134
Options None
</Directory>


Alias /zend-documentation "/usr/share/Zend-Framework/documentation"
Alias /zend-manual "/usr/share/Zend-Framework/documentation"

<Directory "/usr/share/Zend-Framework/documentation">
Order deny,allow
Deny from All
Allow from 192.168.0.0/24
Allow from 84.12.98.134
Options +Indexes
</Directory>

Alias /phpmyadmin "/www/mydomain.co.uk/html/phpMyAdmin/"

<Directory "/www/mydomain.co.uk/html/phpMyAdmin/">
Order deny,allow
Deny from all
Allow from all
# Allow from 192.168.0.0/24
# Allow from 84.12.98.134
</Directory>

<Directory "/www/mydomain.co.uk/html/phpMyAdmin/libraries">
Order allow,deny
Deny from all
</Directory>

<Directory "/www/mydomain.co.uk/html/phpMyAdmin/scripts">
Order deny,allow
Deny from All
</Directory>

<Directory "/www/mydomain.co.uk/html/phpMyAdmin/setup">
order deny,allow
deny from all
# Allow from 192.168.0.0/24
# Allow from 84.12.98.134
</Directory>

Alias /xcart-test "/www/mydomain.co.uk/xcart-test"

<Directory "/www/mydomain.co.uk/xcart-test">
Order deny,allow
Deny from all
Allow from 192.168.0.0/24
Allow from 84.12.98.134
php_value register_long_arrays 1
</Directory>

RedirectPermanent /webmail "http://webmail.mydomain.co.uk"
RedirectPermanent /mailadmin "http://mailadmin.mydomain.co.uk"

<Directory "/www/mydomain.co.uk/html/images">
Options +Indexes
</Directory>
</VirtualHost>

<VirtualHost *:80>
ServerAdmin webmaster@mydomain.co.uk


DocumentRoot /var/www/postfixadmin-2.3.2
ServerName mailadmin.mydomain.co.uk

ErrorLog /www/mydomain.co.uk/logs/mailadmin.mydomain.co.uk-error_log
CustomLog /www/mydomain.co.uk/logs/mailadmin.mydomain.co.uk-access_log "combined"

LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IndexIgnore .htaccess .??* *~ *# HEADER* README* RCS CVS *,v *,t *.inc *.csv *.txt *.sql

<Directory "/var/www/postfixadmin-2.3.2">
Order allow,deny
Allow from all
Options None
</Directory>
</VirtualHost>

<VirtualHost *:80>
ServerAdmin webmaster@mydomain.co.uk
# DocumentRoot /var/www/roundcubemail-0.5.1
DocumentRoot /var/www/roundcubemail-0.7.1
ServerName webmail.mydomain.co.uk

ErrorLog /www/mydomain.co.uk/logs/webmail.mydomain.co.uk-error_log
CustomLog /www/mydomain.co.uk/logs/webmail.mydomain.co.uk-access_log "combined"

LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IndexIgnore .htaccess .??* *~ *# HEADER* README* RCS CVS *,v *,t *.inc *.csv *.txt *.sql

<Directory "/var/www/roundcubemail-0.7.1">
Order allow,deny
Allow from All
Options None
AllowOverride None
</Directory>
</VirtualHost>

## secure https webmail:
<VirtualHost *:443>
ServerAdmin webmaster@mydomain.co.uk
Servername webmail.mydomain.co.uk
DocumentRoot /var/www/roundcubemail-0.7.1

<Directory "/var/www/roundcubemail-0.7.1">
Order allow,deny
Allow from All
Options None
AllowOverride None
</Directory>

SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/webmail.mydomain.co.uk.cert
SSLCertificateKeyFile /etc/pki/tls/private/webmail.mydomain.co.uk.key
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

</VirtualHost>
This is my SSL config, if you are interested in seeing whether this is causing the problem:
Quote:
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#

LoadModule ssl_module modules/mod_ssl.so

#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex default

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

#<VirtualHost _default_:443> (this was uncommented)

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
#ErrorLog logs/ssl_error_log (this was uncommented)
#TransferLog logs/ssl_access_log (this was uncommented)
#LogLevel warn (this was uncommented)

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
#SSLEngine on (this was uncommented)

# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
#SSLProtocol all -SSLv2 (this was uncommented)

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW (this was uncommented)

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt (this was uncommented)

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key (this was uncommented)

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10

# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

#<Files ~ "\.(cgi|shtml|phtml|php3?)$"> (this was uncommented all Files lines)
# SSLOptions +StdEnvVars
#</Files>

#<Directory "/var/www/cgi-bin"> (this was uncommented all Directory lines)
# SSLOptions +StdEnvVars
#</Directory>

# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
#SetEnvIf User-Agent ".*MSIE.*" \ (this was uncommented all the 2 below lines aswell!)
# nokeepalive ssl-unclean-shutdown \
# downgrade-1.0 force-response-1.0

# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
#CustomLog logs/ssl_request_log \ (this was uncommented just the below line aswell and the ending VirtualHost tag!)
# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

#</VirtualHost>

# Trial for webmin (eventually get it to redirect to the https protocol when working!)
#<VirtualHost _default_:443>

#</VirtualHost>

The virtual hosts part is of course commented out; any advice is much appreciated,
Jeremy
 
Old 02-01-2012, 04:42 PM   #7
bathory
As I said, since you have only one SSL (v)host, remove (or comment out) the 2 lines (<VirtualHost *:443> and </VirtualHost>) and restart Apache. It may be better to move the rest into ssl.conf, just to keep the SSL stuff together.
And you can run:
Code:
apachectl -S
to see if your SSL server is the default one.

Regards
 
Old 02-02-2012, 09:09 AM   #8
j.smith1981
Original Poster
I get you when it comes to removing those <VirtualHost *:443> parts, but there's now an error with Firefox, say, when trying to connect to that section of the site.

Something along the lines of:
Quote:
An error occurred during a connection to webmail.mydomain.co.uk.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)
This is the output of the VirtualHost config check:
Quote:
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80 is a NameVirtualHost
default server www.mydomain.com (/etc/httpd/conf.d/mydomain.com.conf:1)
port 80 namevhost www.mydomain2.com (/etc/httpd/conf.d/mydomain2.com.conf:1)
port 80 namevhost www.mydomain3.co.uk (/etc/httpd/conf.d/mydomain3.co.uk.conf:1)
port 80 namevhost mailadmin.mydomain.co.uk (/etc/httpd/conf.d/mydomain.co.uk.conf:118)
port 80 namevhost www.mydomain.me.uk (/etc/httpd/conf.d/mydomain.me.uk.conf:1)
port 80 namevhost blog.mydomain.me.uk (/etc/httpd/conf.d/mydomain.me.uk.conf:53)
Syntax OK
As I feared, that has not included the SSL part as a virtual host. This is the ssl.conf as it is now:
Quote:
LoadModule ssl_module modules/mod_ssl.so

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

SSLMutex default


SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

SSLCryptoDevice builtin
#SSLCryptoDevice ubsec


ServerAdmin webmaster@mydomain.co.uk
Servername webmail.mydomain.co.uk
DocumentRoot /var/www/roundcubemail-0.7.1

<Directory "/var/www/roundcubemail-0.7.1">
Order allow,deny
Allow from All
Options None
AllowOverride None
</Directory>

SSLCertificateFile /etc/pki/tls/certs/webmail.mydomain.co.uk.cert
SSLCertificateKeyFile /etc/pki/tls/private/webmail.mydomain.co.uk.key
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
I got rid of a lot of rubbish, took the old one out of the directory altogether and started using the parts that do actually work.

The bizarre thing is that the whole httpd service still runs even when the SSL site (the webmail, I mean, which is what I wanted to start off encrypting) is not appearing at all.

Any help is much appreciated as usual,
Jeremy

Last edited by j.smith1981; 02-02-2012 at 09:25 AM. Reason: typo error said not when I really meant now
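The two things that went wrong in the configs pasted above are easy to miss by eye: once the <VirtualHost *:443> tags are removed, the SSL directives land at global scope and there is no "SSLEngine on" left anywhere, so port 443 answers in plain HTTP (which is exactly what Firefox's ssl_error_rx_record_too_long means); and several *:443 vhosts without a matching NameVirtualHost line leave only the first one answering. The linter below is an added example, not the poster's or Apache's code; it parses only the directives that matter for vhost selection, and the three sample configs are constructed to mirror this thread.

```python
"""Added example (not the poster's or Apache's code): a small linter for the
Apache 2.2 vhost pitfalls discussed in this thread. The sample configs are
constructed to mirror the thread; nothing here is a real server's config."""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Directives that make sense per vhost; found outside <VirtualHost> they
# configure the main server instead, which is rarely what was intended.
PER_VHOST = {"sslengine", "sslcertificatefile", "sslcertificatekeyfile", "documentroot"}


@dataclass
class VHost:
    addr: str            # as written in <VirtualHost ...>, e.g. "*:443"
    line: int            # line number of the opening tag
    server_name: str = ""
    ssl_engine: bool = False

    @property
    def port(self) -> str:
        return self.addr.rsplit(":", 1)[1] if ":" in self.addr else "80"


def parse_config(text: str):
    """Track only Listen, NameVirtualHost, <VirtualHost> blocks (ServerName,
    SSLEngine) and per-vhost directives that sit at global scope. Directory
    blocks, logging and everything else are skipped."""
    listen: Set[str] = set()
    namevhost: Set[str] = set()
    vhosts: List[VHost] = []
    stray: List[Tuple[str, int]] = []
    global_ssl_engine = False
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<virtualhost\s+([^\s>]+)\s*>", line, re.I)
        if m:
            current = VHost(addr=m.group(1), line=lineno)
            vhosts.append(current)
            continue
        if line.lower().startswith("</virtualhost"):
            current = None
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "listen":
            listen.add(value.rsplit(":", 1)[-1])
        elif key == "namevirtualhost":
            namevhost.add(value)
        elif current is not None:
            if key == "servername":
                current.server_name = value.split(":")[0]
            elif key == "sslengine":
                current.ssl_engine = value.lower() == "on"
        elif key in PER_VHOST:
            stray.append((key, lineno))
            if key == "sslengine" and value.lower() == "on":
                global_ssl_engine = True
    return listen, namevhost, vhosts, stray, global_ssl_engine


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    listen, namevhost, vhosts, stray, global_ssl_engine = parse_config(text)
    findings = []
    for port in sorted(listen):
        on_port = [v for v in vhosts if v.port == port]
        if not on_port:
            msg = f"port {port}: Listen present but no <VirtualHost> for it; requests go to the main server"
            if port == "443" and not global_ssl_engine:
                msg += (" and, without 'SSLEngine on', are answered as plain HTTP"
                        " (browsers report ssl_error_rx_record_too_long)")
            findings.append(msg)
            continue
        for addr in sorted({v.addr for v in on_port}):
            same = [v for v in on_port if v.addr == addr]
            if len(same) > 1 and addr not in namevhost:
                names = ", ".join(v.server_name or "?" for v in same)
                findings.append(f"{addr}: {len(same)} vhosts ({names}) but no 'NameVirtualHost {addr}';"
                                " only the first one answers and the Host header is ignored")
        for v in on_port:
            if port == "443" and not v.ssl_engine:
                findings.append(f"{v.addr} {v.server_name or '?'} (line {v.line}): no 'SSLEngine on';"
                                " this vhost would speak plain HTTP on port 443")
    for key, lineno in stray:
        findings.append(f"line {lineno}: '{key}' outside any <VirtualHost>; it applies to the main server only")
    return findings


# Constructed to mirror the ssl.conf pasted above: the VirtualHost tags were
# removed, so the SSL directives sit at global scope and 'SSLEngine on' is gone.
NO_VHOST = """\
Listen 443
ServerAdmin webmaster@mydomain.co.uk
Servername webmail.mydomain.co.uk
DocumentRoot /var/www/roundcubemail-0.7.1
SSLCertificateFile /etc/pki/tls/certs/webmail.mydomain.co.uk.cert
SSLCertificateKeyFile /etc/pki/tls/private/webmail.mydomain.co.uk.key
"""

# Constructed: two SSL vhosts on *:443 with no NameVirtualHost *:443.
TWO_WITHOUT_NVH = """\
Listen 443
<VirtualHost *:443>
    ServerName webmail.mydomain.co.uk
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName subdomain.mydomain.com
    SSLEngine on
</VirtualHost>
"""

FIXED = "NameVirtualHost *:443\n" + TWO_WITHOUT_NVH

if __name__ == "__main__":
    for name, cfg in (("no vhost", NO_VHOST), ("two, no NameVirtualHost", TWO_WITHOUT_NVH), ("fixed", FIXED)):
        print(f"== {name}")
        for finding in lint(cfg) or ["ok"]:
            print("  ", finding)
```

The linter deliberately treats the first <VirtualHost> for an address as the default, the same rule apachectl -S reports, so its output can be compared directly against the "default server" line of that command.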
 
Old 02-02-2012, 10:19 AM   #9
j.smith1981
Original Poster
I just wanted to add that I have actually modified the ssl.conf to:

Quote:
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80 is a NameVirtualHost
default server www.mydomain1.com (/etc/httpd/conf.d/cafdiscos.com.conf:1)
port 80 namevhost www.mydomain1.com (/etc/httpd/conf.d/cafdiscos.com.conf:1)
port 80 namevhost www.mydomain2.co.uk (/etc/httpd/conf.d/hsmedia.co.uk.conf:1)
port 80 namevhost mailadmin.mydomain2.co.uk (/etc/httpd/conf.d/hsmedia.co.uk.conf:118)
port 80 namevhost webmail.mydomain2.co.uk (/etc/httpd/conf.d/hsmedia.co.uk.conf:143)
port 80 namevhost www.mydomain3.me.uk (/etc/httpd/conf.d/jeremysmith.me.uk.conf:1)
port 80 namevhost blog.mydomain3.me.uk (/etc/httpd/conf.d/jeremysmith.me.uk.conf:53)
*:443 is a NameVirtualHost
default server webmail.mydomain2.co.uk (/etc/httpd/conf.d/ssl.conf:83)
port 443 namevhost webmail.mydomain2.co.uk (/etc/httpd/conf.d/ssl.conf:83)
Syntax OK
I added the tag NameVirtualHost to the ssl.conf, but it's still leaking into the other subdomains. Is there any way of stopping Apache from doing this?

Thanks for your help; I've been trying myself but just cannot work out a way of doing this.

Sorry, changing something in this post: actually, if I change the order in which they appear in the configs I can get them to change which SSL cert to go for, but it just doesn't make a lot of sense.

Jeremy

Last edited by j.smith1981; 02-02-2012 at 10:47 AM.
 
Old 02-02-2012, 11:29 AM   #10
j.smith1981
Original Poster
Ahh, there's a FAQ here I have just discovered that's the reason why this won't work:

http://httpd.apache.org/docs/2.0/ssl...aq.html#vhosts

I apologise for taking up your time; I will actually Google a workaround on the web, I am sure someone's done it, and will post it on my blog.

Thank you anyway.
 
Old 02-02-2012, 11:33 AM   #11
bathory
Quote:
I added the tag NameVirtualHost to the ssl.conf but it's still leaking into the other subdomains is there anyway of stopping apache from doing this?
What do you mean by that? What are the other subdomains you're talking about?
Can you visit https://webmail.mydomain.co.uk?

Quote:
Ahh there's a FAQ here I have just discovered that's the reason why this won't work:

http://httpd.apache.org/docs/2.0/ssl...aq.html#vhosts
FYI, this is no longer true with Apache 2.2.12 and newer, which use TLS and the new SSLStrictSNIVHostCheck directive.
See this for details.

Last edited by bathory; 02-02-2012 at 05:04 PM. Reason: Add info about ssl vhosts
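The FAQ entry linked above and the SNI remark in this reply describe the same mechanism from two sides: without SNI the TLS handshake finishes before the server knows which hostname the browser wanted, so the first <VirtualHost *:443> block for that IP and port supplies the certificate for everyone (that is the "leaking" and the order-dependence reported earlier in the thread); with SNI (mod_ssl from 2.2.12) the name in the ClientHello picks the vhost, an unknown name falls back to the default, and SSLStrictSNIVHostCheck on in the default vhost refuses clients that send no SNI at all. The model below is an added example, not Apache's code; the vhost list is constructed from the names used in this thread.

```python
"""Added example (not Apache's code): how the SSL vhost, and so the certificate,
is chosen for one TLS connection on a given IP:port, with and without SNI.
The vhosts are constructed from the names used in this thread."""
from dataclasses import dataclass, field, replace
from typing import List, Optional


@dataclass
class SslVHost:
    server_name: str
    cert: str                       # constructed file name standing in for SSLCertificateFile
    aliases: List[str] = field(default_factory=list)   # ServerAlias entries
    strict_sni_check: bool = False  # SSLStrictSNIVHostCheck in this vhost

    def matches(self, name: str) -> bool:
        return name.lower() in (n.lower() for n in [self.server_name, *self.aliases])


def select_vhost(vhosts: List[SslVHost], sni_name: Optional[str],
                 server_has_sni: bool = True) -> Optional[SslVHost]:
    """vhosts is the ordered list of <VirtualHost *:443> blocks for one IP:port;
    the first one is the default. Returns the vhost whose certificate is sent,
    or None when the connection is refused."""
    default = vhosts[0]
    if not server_has_sni:
        # mod_ssl before 2.2.12: the handshake completes before any hostname is
        # known, so every client receives the default vhost's certificate.
        return default
    if sni_name is None:
        # SNI-capable server, but the client sent no server_name extension.
        return None if default.strict_sni_check else default
    for vh in vhosts:
        if vh.matches(sni_name):
            return vh
    return default                  # unknown SNI name: default vhost again


# Constructed from the names in this thread; order matters (first = default),
# which is why reordering the blocks changed the certificate served.
VHOSTS = [
    SslVHost("webmail.mydomain.co.uk", "webmail.mydomain.co.uk.cert"),
    SslVHost("subdomain.mydomain.com", "subdomain.mydomain.com.cert"),
]


def certificate_for(requested_name: str, server_has_sni: bool = True,
                    client_sends_sni: bool = True, strict: bool = False) -> str:
    """Which certificate file a browser asking for requested_name receives."""
    vhosts = [replace(VHOSTS[0], strict_sni_check=strict), *VHOSTS[1:]]
    chosen = select_vhost(vhosts, requested_name if client_sends_sni else None, server_has_sni)
    return chosen.cert if chosen else "refused"


if __name__ == "__main__":
    print("httpd 2.2.3, no SNI:     ", certificate_for("subdomain.mydomain.com", server_has_sni=False))
    print("httpd 2.2.12+, SNI client:", certificate_for("subdomain.mydomain.com"))
    print("SNI server, old client:   ", certificate_for("subdomain.mydomain.com", client_sends_sni=False))
    print("... with strict check on: ", certificate_for("subdomain.mydomain.com",
                                                         client_sends_sni=False, strict=True))
```

The first call reproduces the situation on httpd-2.2.3: a request for subdomain.mydomain.com is answered with the webmail certificate, and the browser warns about the name mismatch. Only the second call, SNI on both sides, returns the certificate that belongs to the requested name.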
 
Old 02-02-2012, 05:29 PM   #12
j.smith1981
Original Poster

All I really want, logically, is to have different certs for different subdomains.

Say I had the names subdomain.mydomain and subdomaintest.mydomain.com, just as a random example.

I would like to have 2 certificates for those 2 subdomains (if at all possible) and then have, say, different certs for other domains; I actually have 3 that go onto my server, you see.

It's really just a test to see if I can get SSL working, something I have always been interested in getting working, to be brutally honest; I've seen a lot of work in freelance stuff and this is really good. Thank you for being so patient, I truly appreciate it!

I look forward to your next reply; that's basically the result I would like (though I am interested in the SNI thing). I'm going to have a look at that and compare the version of Apache you mentioned with what's installed. It is CentOS 5.7 that I actually run at the moment, though I am not sure what version of Apache it is at present.

Would it suffice to use a command like rpm -q with http or maybe httpd (depending on which one actually works) to find out my version of Apache? I have never queried the Apache server on my node.

I have actually done httpd as the query on rpm and it comes back as: httpd-2.2.3-53.el5.centos.3

Last edited by j.smith1981; 02-02-2012 at 05:52 PM.
 
Old 02-02-2012, 06:19 PM   #13
j.smith1981
Original Poster
I think I am going to have to call it a day on this unless they update the httpd rpm version.

I could install it manually but, to be honest, I would rather just leave it.

I believe CentOS 5.7 is actually RHEL 4, though I do have the repos for this: http://repo.webtatic.com/yum/centos/5/x86_64/

Last edited by j.smith1981; 02-02-2012 at 06:22 PM.
 
Old 02-03-2012, 12:30 AM   #14
bathory
Quote:
All I want to really logically is have different certs for different subdomains.
Now you mention that you want to set up 2 SSL vhosts. Till now I was under the impression that you were trying to set up a single SSL subdomain.
Anyway, since your Apache is quite dated, I'm afraid you cannot use SNI for multiple SSL vhosts. I guess you have to upgrade, starting from your distro, which is also quite dated.


Regards
 
Old 02-03-2012, 05:14 AM   #15
j.smith1981
Original Poster
Yes, that's what I wanted to try out to see if I can get it working: start off with one and then go to another and see if I can get that working with respect to subdomains, I mean, eventually saying I have 2 subdomains for my first domain.

Then using a separate cert for both, then having another domain with its certificate and so on, just as an example to myself for my own skill set; I've always been interested in network encryption.

Yeah, I keep meaning to upgrade. I might ask on the CentOS forums to see if that distro has been included; in fact I might look through the repos to see if it is and, if so, make a plan perhaps tonight to upgrade it.

Yes, this might mean a reason to actually upgrade it; I kept putting it off and putting it off. Or perhaps have a go at installing Apache myself, hmm, thinking about it at least.

Nevertheless, thank you ever so much for your help. I didn't realise how easy it is to set up SSL. I was interested in what TLS meant, but it's really about encrypting data sent across a network, isn't it? (Please correct me if I am wrong.)

Really interesting anyway; I mean I could use other workarounds if I look around on the web also, will see what I can do.

Thanks again,
Jeremy.

Last edited by j.smith1981; 02-03-2012 at 05:16 AM.