LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 04-04-2010, 12:45 PM   #1
kaoticsnow
Member
 
Registered: Apr 2010
Posts: 35

Rep: Reputation: 0
ssl.conf and multiple ssl certificastes on Apache


I'm trying to set up a 2nd SSL cert on a different domain on a server, each domain has its own IP address, the problem is the Web developer that configured the first domain specified ssl keys for the primary domain in both the vhost config in httpd.conf AND in the ssl.conf config files. If I attempt to remove the keys form ssl.conf the server will not start up. and with them there It will not start up if I specify keys for the secondary domain. any ideas would be much apreciated.

ssl.conf
Code:
LoadModule ssl_module modules/mod_ssl.so
SSLCertificateFile /etc/pki/tls/certs/primary.com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/primary.com.key 
SSLCertificateChainFile /etc/pki/tls/certs/primary_gd_bundle.crt
 
Old 04-04-2010, 02:31 PM   #2
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,961

Rep: Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341
Hi,

In general you can setup an IP based ssl vhost like this:
<VirtualHost 1.1.1.1:443>
ServerName vhost1.domain.com
DocumentRoot /path/to/vhost1/docroot
...
SSLEngine on
SSLCertificateFile /path/to/certs/vhost1.crt
SSLCertificateKeyFile /path/to/certs/vhost1.key
...
</VirtualHost>
I guess you cannot remove the keys from ssl.conf, because the existing vhost is the default one, but without ssl.conf and httpd.conf (or at least the relevant parts of them) we cannot tell for sure.
You should take a look at error_log for details.
 
Old 04-04-2010, 02:40 PM   #3
kaoticsnow
Member
 
Registered: Apr 2010
Posts: 35

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by bathory View Post
without ssl.conf and httpd.conf (or at least the relevant parts of them) we cannot tell for sure.
You should take a look at error_log for details.
I've looked at the error log and its simply complaining about not finding the keys for the primary domain when I remove them from ssl.conf which confuses me because they are defined in httpd.conf, which portions of each confings do you need to see I'll grab them and post them, (after stripping sensitive information).
 
Old 04-04-2010, 03:07 PM   #4
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,961

Rep: Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341
As a start, post the existing vhost definition, the ssl related stuff in httpd.conf and the ssl.conf.
 
Old 04-04-2010, 10:40 PM   #5
kaoticsnow
Member
 
Registered: Apr 2010
Posts: 35

Original Poster
Rep: Reputation: 0
Quote:
<VirtualHost xx.xx.xx.1:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/primary.com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/primary.key
SSLCertificateChainFile /etc/pki/tls/certs/primary_gd_bundle.crt
<Directory /var/www/sites/primary.com>
AllowOverride All
</Directory>
DocumentRoot /var/www/sites/primary.com
ServerName primary.com
DirectoryIndex "index.php"
</VirtualHost>

<VirtualHost xx.xx.xx.2:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/secondary.com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/secondary.key
SSLCertificateChainFile /etc/pki/tls/certs/secondary_gd_bundle.crt
<Directory /var/www/sites/secondary.com>
AllowOverride All
</Directory>
DocumentRoot /var/www/sites/secondary.com
ServerName secondary.com
DirectoryIndex "index.php"
</VirtualHost>
If I comment out the code in ssl.conf where the web guy specified the primary domains keys I can run a config check and it says its okay

Quote:
LoadModule ssl_module modules/mod_ssl.so
#SSLCertificateFile /etc/pki/tls/certs/primary.com.crt
#SSLCertificateKeyFile /etc/pki/tls/certs/primary.com.key
#SSLCertificateChainFile /etc/pki/tls/certs/primary_gd_bundle.crt
Quote:
[web01:~]$ apachectl -t (04-04 19:34)
Syntax OK
But appache will fail to start unless I uncomment the key files again.
 
Old 04-05-2010, 04:43 AM   #6
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,961

Rep: Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341
Hi,

Do the 2 vhosts work when you leave uncommented the sslcertificate directives in ssl.conf?
Is this snippet, defining the 2 vhosts inside httpd.conf?
Have you tried moving the ssl vhosts part into ssl.conf?
This is at least, how ssl vhosts are defined in my apache.
 
Old 04-05-2010, 12:21 PM   #7
kaoticsnow
Member
 
Registered: Apr 2010
Posts: 35

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by bathory View Post
Hi,

Do the 2 vhosts work when you leave uncommented the sslcertificate directives in ssl.conf?
Is this snippet, defining the 2 vhosts inside httpd.conf?
Have you tried moving the ssl vhosts part into ssl.conf?
This is at least, how ssl vhosts are defined in my apache.
Not when I have the primary key's defended in ssl.conf I'll try moving the vhost to ssl.conf and see what happens.
 
Old 04-05-2010, 12:43 PM   #8
gumaheru
LQ Newbie
 
Registered: Nov 2009
Posts: 20

Rep: Reputation: 0
The ssl.conf file has a "VirtualHost" definition. If you want to comment out the keys portion in this file you need to comment out the whole "VirtualHost" definition. Comment from "<VirtualHost>" to "</VirtualHost>". I came across this issue lastweek when adding a SSL cert to a host that had a key previously defined by the last admin.
 
Old 04-05-2010, 01:05 PM   #9
kaoticsnow
Member
 
Registered: Apr 2010
Posts: 35

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by gumaheru View Post
The ssl.conf file has a "VirtualHost" definition. If you want to comment out the keys portion in this file you need to comment out the whole "VirtualHost" definition. Comment from "<VirtualHost>" to "</VirtualHost>". I came across this issue lastweek when adding a SSL cert to a host that had a key previously defined by the last admin.
Thanks for pointing that out! I think that might be it, going to play with it now and try it out.

I just attempted bathory's suggestion of moving the vhost definitions into the ssl.conf file but upon a reload of httpd it reloaded successfully and the site stopped working, this was in the error log after the reload, I restored original files and restarted the server to get everything back working.

Code:
[Mon Apr 05 09:54:32 2010] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]
 
Old 04-05-2010, 01:13 PM   #10
kaoticsnow
Member
 
Registered: Apr 2010
Posts: 35

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by gumaheru View Post
The ssl.conf file has a "VirtualHost" definition. If you want to comment out the keys portion in this file you need to comment out the whole "VirtualHost" definition. Comment from "<VirtualHost>" to "</VirtualHost>". I came across this issue lastweek when adding a SSL cert to a host that had a key previously defined by the last admin.
one more question before I start modifying this, I was thinking this was just default settings and anything not defined here httpd would accept the values defined in httpd.conf am I mistaken in assuming this? if I get rid of it should I move over the relevant variables which are not defined in httpd.conf, such as error log locations? Thanks again!
 
Old 04-05-2010, 02:17 PM   #11
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,961

Rep: Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341
I think that the current apache configuration does not support IP-based vhosts
What is the output of:
Code:
apachectl -S
 
Old 04-05-2010, 02:40 PM   #12
kaoticsnow
Member
 
Registered: Apr 2010
Posts: 35

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by bathory View Post
I think that the current apache configuration does not support IP-based vhosts
What is the output of:
Code:
apachectl -S
Strange when running that I get

Code:
Syntax error on line 13 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/primary.com.crt' does not exist or is empty
but its working on the primary domain, then again this is all also specified under the vhost in httpd.conf, also I have the IP based vhost working, you can go to primary.com and secondary.com and they pages pull up fine, however only https://primary.com is working I cant get ssl working on secondary.com

(obviously I'm swapping actual domain names with primary and secondary)
 
Old 04-05-2010, 02:56 PM   #13
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,961

Rep: Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341
Are you sure that both httpd.conf and ssl.conf use the same SSLCertificateFile (/etc/pki/tls/certs/primary.com.crt) and that the apache user can read the certificate?
Code:
ls -l /etc/pki/tls/certs/primary.com.crt
Also what gives
Code:
openssl verify /etc/pki/tls/certs/primary.com.crt
 
Old 04-05-2010, 03:39 PM   #14
kaoticsnow
Member
 
Registered: Apr 2010
Posts: 35

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by bathory View Post
Are you sure that both httpd.conf and ssl.conf use the same SSLCertificateFile (/etc/pki/tls/certs/primary.com.crt) and that the apache user can read the certificate?
Code:
ls -l /etc/pki/tls/certs/primary.com.crt
Code:
web01 ~ # grep SSLCertificateFile /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/primary.com.crt

web01 ~ # grep SSLCertificateFile /etc/httpd/conf/httpd.conf
SSLCertificateFile /etc/pki/tls/certs/primary.com.crt
Quote:
Also what gives
Code:
openssl verify /etc/pki/tls/certs/primary.com.crt
Code:
web01 ~ # openssl verify /etc/pki/tls/certs/primary.com.crt 
/etc/pki/tls/certs/primary.com.crt: /O=www.primary.com/OU=Domain Control Validated/CN=www.primary.com
error 20 at 0 depth lookup:unable to get local issuer certificate
 
Old 04-05-2010, 06:13 PM   #15
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,961

Rep: Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341Reputation: 1341
You didn't post the output of
Quote:
ls -l /etc/pki/tls/certs/primary.com.crt
Anyway the certificate looks ok, so I guess it's something else. Maybe a SELinux problem.
What distro are you using and what apache version?
If you comment out the 2 ssl lines from ssl.conf what gives "apachectl -S"?
 
  


Reply

Tags
apache, httpdconf, ssl


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Possible to use multiple SSL certs for same IP in Apache? jakev383 Linux - Server 3 09-03-2009 06:48 AM
need help regarding configuration of multiple ssl in one apache server ashishshukla Linux - Server 2 04-09-2009 07:35 AM
Apache Multiple SSL VirtualHosts richinsc Linux - Server 4 11-20-2008 12:38 AM
Apache 2.2.9 and httpd-ssl.conf Harvfive Linux - Server 2 10-15-2008 11:33 AM
Apache 2 - Multiple SSL Vhosts msound Linux - Server 6 04-04-2008 03:04 AM


All times are GMT -5. The time now is 09:06 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration