ssl.conf and multiple ssl certificastes on Apache
I'm trying to set up a 2nd SSL cert on a different domain on a server, each domain has its own IP address, the problem is the Web developer that configured the first domain specified ssl keys for the primary domain in both the vhost config in httpd.conf AND in the ssl.conf config files. If I attempt to remove the keys form ssl.conf the server will not start up. and with them there It will not start up if I specify keys for the secondary domain. any ideas would be much apreciated.
ssl.conf Code:
LoadModule ssl_module modules/mod_ssl.so |
Hi,
In general you can setup an IP based ssl vhost like this: <VirtualHost 1.1.1.1:443> ServerName vhost1.domain.com DocumentRoot /path/to/vhost1/docroot ... SSLEngine on SSLCertificateFile /path/to/certs/vhost1.crt SSLCertificateKeyFile /path/to/certs/vhost1.key ... </VirtualHost> I guess you cannot remove the keys from ssl.conf, because the existing vhost is the default one, but without ssl.conf and httpd.conf (or at least the relevant parts of them) we cannot tell for sure. You should take a look at error_log for details. |
Quote:
|
As a start, post the existing vhost definition, the ssl related stuff in httpd.conf and the ssl.conf.
|
Quote:
Quote:
Quote:
|
Hi,
Do the 2 vhosts work when you leave uncommented the sslcertificate directives in ssl.conf? Is this snippet, defining the 2 vhosts inside httpd.conf? Have you tried moving the ssl vhosts part into ssl.conf? This is at least, how ssl vhosts are defined in my apache. |
Quote:
|
The ssl.conf file has a "VirtualHost" definition. If you want to comment out the keys portion in this file you need to comment out the whole "VirtualHost" definition. Comment from "<VirtualHost>" to "</VirtualHost>". I came across this issue lastweek when adding a SSL cert to a host that had a key previously defined by the last admin.
|
Quote:
I just attempted bathory's suggestion of moving the vhost definitions into the ssl.conf file but upon a reload of httpd it reloaded successfully and the site stopped working, this was in the error log after the reload, I restored original files and restarted the server to get everything back working. Code:
[Mon Apr 05 09:54:32 2010] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] |
Quote:
|
I think that the current apache configuration does not support IP-based vhosts
What is the output of: Code:
apachectl -S |
Quote:
Code:
Syntax error on line 13 of /etc/httpd/conf.d/ssl.conf: (obviously I'm swapping actual domain names with primary and secondary) |
Are you sure that both httpd.conf and ssl.conf use the same SSLCertificateFile (/etc/pki/tls/certs/primary.com.crt) and that the apache user can read the certificate?
Code:
ls -l /etc/pki/tls/certs/primary.com.crt Code:
openssl verify /etc/pki/tls/certs/primary.com.crt |
Quote:
Code:
web01 ~ # grep SSLCertificateFile /etc/httpd/conf.d/ssl.conf Quote:
Code:
web01 ~ # openssl verify /etc/pki/tls/certs/primary.com.crt |
You didn't post the output of
Quote:
What distro are you using and what apache version? If you comment out the 2 ssl lines from ssl.conf what gives "apachectl -S"? |
Server version: Apache/2.2.3
Server built: Mar 27 2010 13:52:09 and I'm running CentOS 5 Code:
ls -l /etc/pki/tls/certs/primary.com.crt Also selinux is disabled. |
I'm not familiar with Centos, so cannot tell what's wrong with your setup.
Reading the documentation here and here, I saw that it uses the key/cert files in both the main and the vhost part of the configuration. I guess this is done because it somehow it defines a default ssl vhost. Are you sure you don't have a _default_server (or wildcard server "*:443) that needs the certificates be in /etc/pki/tls/certs. Without the output of "apachectl -S", we cannot be sure if that's the case. You can check the *.conf files for something like: "<Virtualhost _default_:443>" or "<VirtualHost *.443> Regards |
There is a default section in ssl.conf, here is what my ssl.conf contains: http://pastebin.com/33Z3mP6p pretty much the default I'm pretty sure all the guy before me did was add the key files here. also after commenting out the files I get the following with apachectl -S
Code:
VirtualHost configuration: |
Also I have to add the 2nd SSL vhost is not configured since apache will not even start with it configured, thats why you only see the primary in the above output.
|
Quote:
You want an IP-based vhost. Remove the Code:
NameVirtualHost *.443 Also better replace Quote:
Code:
<VirtualHost x.x.x.1:443> |
Still not getting the server to start with the 2nd ssl,
I did not create the ssl certs, the web developer did, I killed the server, added configuration for the secondary domain and fired the server up, I got the following printed to the error_log, this seams to me like and issue with the keys... am I correct in assuming this? Code:
[Wed Apr 07 18:36:53 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) |
Yup, that means that the vhost2 certificate and key do not match.
You can run Code:
openssl x509 -noout -text -in /etc/pki/tls/certs/secondary.com.crt -modulus I guess this is a self-signed certificate, so you can create a new one, using the server key. If you do so, make sure also that the CN used matches the vhost2 ServerName, so you don't get the warning about Quote:
|
Thanks for the help! I figured out the problem, it was the last line of the below segment, that SSLEngine was uncommented, when the default template had the SSLEngine set to on it needed a default cert. once I turned that off I was able to comment out the cert the web developer added in the head of the ssl.conf file and specify the 2nd vhost for ssl in httpd.conf. =)
Code:
<VirtualHost _default_:443> |
All times are GMT -5. The time now is 04:32 AM. |