LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   ssl.conf and multiple ssl certificastes on Apache (https://www.linuxquestions.org/questions/linux-server-73/ssl-conf-and-multiple-ssl-certificastes-on-apache-799955/)

kaoticsnow 04-04-2010 12:45 PM

ssl.conf and multiple ssl certificastes on Apache
 
I'm trying to set up a 2nd SSL cert on a different domain on a server, each domain has its own IP address, the problem is the Web developer that configured the first domain specified ssl keys for the primary domain in both the vhost config in httpd.conf AND in the ssl.conf config files. If I attempt to remove the keys form ssl.conf the server will not start up. and with them there It will not start up if I specify keys for the secondary domain. any ideas would be much apreciated.

ssl.conf
Code:

LoadModule ssl_module modules/mod_ssl.so
SSLCertificateFile /etc/pki/tls/certs/primary.com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/primary.com.key
SSLCertificateChainFile /etc/pki/tls/certs/primary_gd_bundle.crt


bathory 04-04-2010 02:31 PM

Hi,

In general you can setup an IP based ssl vhost like this:
<VirtualHost 1.1.1.1:443>
ServerName vhost1.domain.com
DocumentRoot /path/to/vhost1/docroot
...
SSLEngine on
SSLCertificateFile /path/to/certs/vhost1.crt
SSLCertificateKeyFile /path/to/certs/vhost1.key
...
</VirtualHost>
I guess you cannot remove the keys from ssl.conf, because the existing vhost is the default one, but without ssl.conf and httpd.conf (or at least the relevant parts of them) we cannot tell for sure.
You should take a look at error_log for details.

kaoticsnow 04-04-2010 02:40 PM

Quote:

Originally Posted by bathory (Post 3923976)
without ssl.conf and httpd.conf (or at least the relevant parts of them) we cannot tell for sure.
You should take a look at error_log for details.

I've looked at the error log and its simply complaining about not finding the keys for the primary domain when I remove them from ssl.conf which confuses me because they are defined in httpd.conf, which portions of each confings do you need to see I'll grab them and post them, (after stripping sensitive information).

bathory 04-04-2010 03:07 PM

As a start, post the existing vhost definition, the ssl related stuff in httpd.conf and the ssl.conf.

kaoticsnow 04-04-2010 10:40 PM

Quote:

<VirtualHost xx.xx.xx.1:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/primary.com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/primary.key
SSLCertificateChainFile /etc/pki/tls/certs/primary_gd_bundle.crt
<Directory /var/www/sites/primary.com>
AllowOverride All
</Directory>
DocumentRoot /var/www/sites/primary.com
ServerName primary.com
DirectoryIndex "index.php"
</VirtualHost>

<VirtualHost xx.xx.xx.2:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/secondary.com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/secondary.key
SSLCertificateChainFile /etc/pki/tls/certs/secondary_gd_bundle.crt
<Directory /var/www/sites/secondary.com>
AllowOverride All
</Directory>
DocumentRoot /var/www/sites/secondary.com
ServerName secondary.com
DirectoryIndex "index.php"
</VirtualHost>
If I comment out the code in ssl.conf where the web guy specified the primary domains keys I can run a config check and it says its okay

Quote:

LoadModule ssl_module modules/mod_ssl.so
#SSLCertificateFile /etc/pki/tls/certs/primary.com.crt
#SSLCertificateKeyFile /etc/pki/tls/certs/primary.com.key
#SSLCertificateChainFile /etc/pki/tls/certs/primary_gd_bundle.crt
Quote:

[web01:~]$ apachectl -t (04-04 19:34)
Syntax OK
But appache will fail to start unless I uncomment the key files again.

bathory 04-05-2010 04:43 AM

Hi,

Do the 2 vhosts work when you leave uncommented the sslcertificate directives in ssl.conf?
Is this snippet, defining the 2 vhosts inside httpd.conf?
Have you tried moving the ssl vhosts part into ssl.conf?
This is at least, how ssl vhosts are defined in my apache.

kaoticsnow 04-05-2010 12:21 PM

Quote:

Originally Posted by bathory (Post 3924545)
Hi,

Do the 2 vhosts work when you leave uncommented the sslcertificate directives in ssl.conf?
Is this snippet, defining the 2 vhosts inside httpd.conf?
Have you tried moving the ssl vhosts part into ssl.conf?
This is at least, how ssl vhosts are defined in my apache.

Not when I have the primary key's defended in ssl.conf I'll try moving the vhost to ssl.conf and see what happens.

gumaheru 04-05-2010 12:43 PM

The ssl.conf file has a "VirtualHost" definition. If you want to comment out the keys portion in this file you need to comment out the whole "VirtualHost" definition. Comment from "<VirtualHost>" to "</VirtualHost>". I came across this issue lastweek when adding a SSL cert to a host that had a key previously defined by the last admin.

kaoticsnow 04-05-2010 01:05 PM

Quote:

Originally Posted by gumaheru (Post 3924973)
The ssl.conf file has a "VirtualHost" definition. If you want to comment out the keys portion in this file you need to comment out the whole "VirtualHost" definition. Comment from "<VirtualHost>" to "</VirtualHost>". I came across this issue lastweek when adding a SSL cert to a host that had a key previously defined by the last admin.

Thanks for pointing that out! I think that might be it, going to play with it now and try it out.

I just attempted bathory's suggestion of moving the vhost definitions into the ssl.conf file but upon a reload of httpd it reloaded successfully and the site stopped working, this was in the error log after the reload, I restored original files and restarted the server to get everything back working.

Code:

[Mon Apr 05 09:54:32 2010] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]

kaoticsnow 04-05-2010 01:13 PM

Quote:

Originally Posted by gumaheru (Post 3924973)
The ssl.conf file has a "VirtualHost" definition. If you want to comment out the keys portion in this file you need to comment out the whole "VirtualHost" definition. Comment from "<VirtualHost>" to "</VirtualHost>". I came across this issue lastweek when adding a SSL cert to a host that had a key previously defined by the last admin.

one more question before I start modifying this, I was thinking this was just default settings and anything not defined here httpd would accept the values defined in httpd.conf am I mistaken in assuming this? if I get rid of it should I move over the relevant variables which are not defined in httpd.conf, such as error log locations? Thanks again!

bathory 04-05-2010 02:17 PM

I think that the current apache configuration does not support IP-based vhosts
What is the output of:
Code:

apachectl -S

kaoticsnow 04-05-2010 02:40 PM

Quote:

Originally Posted by bathory (Post 3925094)
I think that the current apache configuration does not support IP-based vhosts
What is the output of:
Code:

apachectl -S

Strange when running that I get

Code:

Syntax error on line 13 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/primary.com.crt' does not exist or is empty

but its working on the primary domain, then again this is all also specified under the vhost in httpd.conf, also I have the IP based vhost working, you can go to primary.com and secondary.com and they pages pull up fine, however only https://primary.com is working I cant get ssl working on secondary.com

(obviously I'm swapping actual domain names with primary and secondary)

bathory 04-05-2010 02:56 PM

Are you sure that both httpd.conf and ssl.conf use the same SSLCertificateFile (/etc/pki/tls/certs/primary.com.crt) and that the apache user can read the certificate?
Code:

ls -l /etc/pki/tls/certs/primary.com.crt
Also what gives
Code:

openssl verify /etc/pki/tls/certs/primary.com.crt

kaoticsnow 04-05-2010 03:39 PM

Quote:

Originally Posted by bathory (Post 3925149)
Are you sure that both httpd.conf and ssl.conf use the same SSLCertificateFile (/etc/pki/tls/certs/primary.com.crt) and that the apache user can read the certificate?
Code:

ls -l /etc/pki/tls/certs/primary.com.crt

Code:

web01 ~ # grep SSLCertificateFile /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/primary.com.crt

web01 ~ # grep SSLCertificateFile /etc/httpd/conf/httpd.conf
SSLCertificateFile /etc/pki/tls/certs/primary.com.crt

Quote:

Also what gives
Code:

openssl verify /etc/pki/tls/certs/primary.com.crt

Code:

web01 ~ # openssl verify /etc/pki/tls/certs/primary.com.crt
/etc/pki/tls/certs/primary.com.crt: /O=www.primary.com/OU=Domain Control Validated/CN=www.primary.com
error 20 at 0 depth lookup:unable to get local issuer certificate


bathory 04-05-2010 06:13 PM

You didn't post the output of
Quote:

ls -l /etc/pki/tls/certs/primary.com.crt
Anyway the certificate looks ok, so I guess it's something else. Maybe a SELinux problem.
What distro are you using and what apache version?
If you comment out the 2 ssl lines from ssl.conf what gives "apachectl -S"?


All times are GMT -5. The time now is 08:22 AM.