LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 04-05-2010, 11:47 PM   #16
kaoticsnow
Member
 
Registered: Apr 2010
Posts: 35

Original Poster
Rep: Reputation: 0

Server version: Apache/2.2.3
Server built: Mar 27 2010 13:52:09

and I'm running CentOS 5

Code:
ls -l /etc/pki/tls/certs/primary.com.crt
-rwxr-xr-x 1 apache apache 1931 Jan  8 22:56 /etc/pki/tls/certs/primary.com.crt
Thanks again for all the help you guys have been giving =D

Also selinux is disabled.

Last edited by kaoticsnow; 04-06-2010 at 01:30 AM.
 
Old 04-06-2010, 03:34 AM   #17
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,937

Rep: Reputation: 1330
I'm not familiar with CentOS, so I cannot tell what's wrong with your setup.
Reading the documentation here and here, I saw that it uses the key/cert files in both the main and the vhost part of the configuration. I guess this is done because it somehow defines a default SSL vhost.

Are you sure you don't have a _default_ server (or wildcard server "*:443") that needs the certificates to be in /etc/pki/tls/certs?
Without the output of "apachectl -S", we cannot be sure if that's the case. You can check the *.conf files for something like "<VirtualHost _default_:443>" or "<VirtualHost *:443>".

Regards
 
Old 04-06-2010, 12:35 PM   #18
kaoticsnow
Member
 
Registered: Apr 2010
Posts: 35

Original Poster
Rep: Reputation: 0
There is a default section in ssl.conf; here is what my ssl.conf contains: http://pastebin.com/33Z3mP6p. It's pretty much the default; I'm pretty sure all the guy before me did was add the key files here. Also, after commenting out the files I get the following with apachectl -S:

Code:
VirtualHost configuration:
<primaryIP>:443     primary.com (/etc/httpd/conf/httpd.conf:1041)
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server web01.primary.com (/etc/httpd/conf.d/ssl.conf:84)
         port 443 namevhost web01.primary.com (/etc/httpd/conf.d/ssl.conf:84)
*:80                   is a NameVirtualHost
         default server primary.com (/etc/httpd/conf/httpd.conf:1021)
         port 80 namevhost primary.com (/etc/httpd/conf/httpd.conf:1021)
         port 80 namevhost secondary.com (/etc/httpd/conf/httpd.conf:1030)
         port 80 namevhost dev.primary.com (/etc/httpd/conf/httpd.conf:1069)
         port 80 namevhost prod.primary.com (/etc/httpd/conf/httpd.conf:1081)
Syntax OK
I subbed out the actual IP with <primaryIP>
 
Old 04-06-2010, 12:41 PM   #19
kaoticsnow
Member
 
Registered: Apr 2010
Posts: 35

Original Poster
Rep: Reputation: 0
Also, I have to add that the 2nd SSL vhost is not configured, since Apache will not even start with it configured; that's why you only see the primary in the above output.
 
Old 04-06-2010, 01:04 PM   #20
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,937

Rep: Reputation: 1330
Quote:
*:443 is a NameVirtualHost
This is not what you want.
You want an IP-based vhost.
Remove the
Code:
NameVirtualHost *:443
and use the code for IP-based vhosts as in your previous posts.
Also, better replace
Quote:
<VirtualHost _default_:443>
with
Code:
<VirtualHost x.x.x.1:443>
 
Old 04-07-2010, 08:41 PM   #21
kaoticsnow
Member
 
Registered: Apr 2010
Posts: 35

Original Poster
Rep: Reputation: 0
Still not getting the server to start with the 2nd SSL.

I did not create the SSL certs, the web developer did. I killed the server, added configuration for the secondary domain and fired the server up, and I got the following printed to the error_log. This seems to me like an issue with the keys... am I correct in assuming this?

Code:
[Wed Apr 07 18:36:53 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Apr 07 18:36:53 2010] [warn] RSA server certificate CommonName (CN) `www.secondary.com' does NOT match server name!?
[Wed Apr 07 18:36:53 2010] [error] Unable to configure RSA server private key
[Wed Apr 07 18:36:53 2010] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
 
Old 04-08-2010, 12:33 AM   #22
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,937

Rep: Reputation: 1330
Yup, that means that the vhost2 certificate and key do not match.
You can run
Code:
openssl x509 -noout -text -in /etc/pki/tls/certs/secondary.com.crt -modulus
openssl rsa -noout -text -in /etc/pki/tls/certs/secondary.key -modulus
and compare the 2 modulus parts.

I guess this is a self-signed certificate, so you can create a new one, using the server key.
If you do so, make sure also that the CN used matches the vhost2 ServerName, so you don't get the warning about
Quote:
[Wed Apr 07 18:36:53 2010] [warn] RSA server certificate CommonName (CN) `www.secondary.com' does NOT match server name!?
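The two checks from the reply above (certificate/key modulus comparison and CN vs ServerName), scripted as an added example that is not from the thread; the file names and the demo certificate it generates are constructed for illustration:

```shell
#!/bin/sh
# Added example (not from the thread): verify that an Apache SSL vhost's
# certificate and key belong together, and that the certificate CN matches
# the vhost's ServerName, before starting httpd. Paths are assumptions.
set -eu

# Return 0 if the RSA modulus of the certificate equals the modulus of the
# key (hashed so the comparison stays short); this is the condition behind
# "X509_check_private_key:key values mismatch".
cert_key_match() {
    cert="$1"; key="$2"
    c=$(openssl x509 -noout -modulus -in "$cert" | openssl sha256)
    k=$(openssl rsa  -noout -modulus -in "$key"  | openssl sha256)
    [ "$c" = "$k" ]
}

# Print the subject CN of a certificate (handles old and new subject formats).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Return 0 if the certificate CN equals the expected vhost ServerName.
cn_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Constructed demo material: a self-signed cert for www.secondary.com with
# its own key, plus an unrelated key to reproduce the mismatch Apache logs.
make_demo() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.secondary.com" \
        -keyout "$dir/secondary.key" -out "$dir/secondary.com.crt" 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d); make_demo "$tmp"
    cert_key_match "$tmp/secondary.com.crt" "$tmp/secondary.key" && echo "cert/key: match"
    cert_key_match "$tmp/secondary.com.crt" "$tmp/other.key" || echo "cert/key: mismatch"
    cn_matches "$tmp/secondary.com.crt" "secondary.com" \
        || echo "CN '$(cert_cn "$tmp/secondary.com.crt")' does not match ServerName secondary.com"
    rm -rf "$tmp"
fi
```

Run with `demo` as the first argument to see both the matching and the mismatching case; point the functions at the real /etc/pki/tls files to check a vhost.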
 
Old 04-08-2010, 11:52 PM   #23
kaoticsnow
Member
 
Registered: Apr 2010
Posts: 35

Original Poster
Rep: Reputation: 0
Thanks for the help! I figured out the problem: it was the last line of the below segment, that SSLEngine was uncommented. When the default template had SSLEngine set to on, it needed a default cert. Once I turned that off I was able to comment out the cert the web developer added in the head of the ssl.conf file and specify the 2nd vhost for SSL in httpd.conf. =)

Code:
<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
#   SSLEngine on