LinuxQuestions.org
Page 2 of 2 1 2
Show 50 post(s) from this thread on one page

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   ssl.conf and multiple ssl certificastes on Apache (https://www.linuxquestions.org/questions/linux-server-73/ssl-conf-and-multiple-ssl-certificastes-on-apache-799955/)

kaoticsnow 04-05-2010 11:47 PM
Server version: Apache/2.2.3
Server built: Mar 27 2010 13:52:09

and I'm running CentOS 5

Code:
ls -l /etc/pki/tls/certs/primary.com.crt
-rwxr-xr-x 1 apache apache 1931 Jan  8 22:56 /etc/pki/tls/certs/primary.com.crt
Thanks again for all the help you guys have been giving =D

Also selinux is disabled.

bathory 04-06-2010 03:34 AM
I'm not familiar with Centos, so cannot tell what's wrong with your setup.
Reading the documentation here and here, I saw that it uses the key/cert files in both the main and the vhost part of the configuration. I guess this is done because it somehow it defines a default ssl vhost.

Are you sure you don't have a _default_server (or wildcard server "*:443) that needs the certificates be in /etc/pki/tls/certs.
Without the output of "apachectl -S", we cannot be sure if that's the case. You can check the *.conf files for something like: "<Virtualhost _default_:443>" or "<VirtualHost *.443>

Regards

kaoticsnow 04-06-2010 12:35 PM
There is a default section in ssl.conf, here is what my ssl.conf contains: http://pastebin.com/33Z3mP6p pretty much the default I'm pretty sure all the guy before me did was add the key files here. also after commenting out the files I get the following with apachectl -S

Code:
VirtualHost configuration:
<primaryIP>:443    primary.com (/etc/httpd/conf/httpd.conf:1041)
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
        default server web01.primary.com (/etc/httpd/conf.d/ssl.conf:84)
        port 443 namevhost web01.primary.com (/etc/httpd/conf.d/ssl.conf:84)
*:80                  is a NameVirtualHost
        default server primary.com (/etc/httpd/conf/httpd.conf:1021)
        port 80 namevhost primary.com (/etc/httpd/conf/httpd.conf:1021)
        port 80 namevhost secondary.com (/etc/httpd/conf/httpd.conf:1030)
        port 80 namevhost dev.primary.com (/etc/httpd/conf/httpd.conf:1069)
        port 80 namevhost prod.primary.com (/etc/httpd/conf/httpd.conf:1081)
Syntax OK
I subbed out the actual IP with <primaryIP>

kaoticsnow 04-06-2010 12:41 PM
Also I have to add the 2nd SSL vhost is not configured since apache will not even start with it configured, thats why you only see the primary in the above output.

bathory 04-06-2010 01:04 PM
Quote:
*:443 is a NameVirtualHost
This is not what you want.
You want an IP-based vhost.
Remove the
Code:
NameVirtualHost *.443
and use the code for ip-based vhosts as in your previous posts.
Also better replace
Quote:
<VirtualHost _default_:443>
with
Code:
<VirtualHost x.x.x.1:443>

kaoticsnow 04-07-2010 08:41 PM
Still not getting the server to start with the 2nd ssl,

I did not create the ssl certs, the web developer did, I killed the server, added configuration for the secondary domain and fired the server up, I got the following printed to the error_log, this seams to me like and issue with the keys... am I correct in assuming this?

Code:
[Wed Apr 07 18:36:53 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Apr 07 18:36:53 2010] [warn] RSA server certificate CommonName (CN) `www.secondary.com' does NOT match server name!?
[Wed Apr 07 18:36:53 2010] [error] Unable to configure RSA server private key
[Wed Apr 07 18:36:53 2010] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

bathory 04-08-2010 12:33 AM
Yup, that means that the vhost2 certificate and key do not match.
You can run
Code:
openssl x509 -noout -text -in /etc/pki/tls/certs/secondary.com.crt -modulus
openssl rsa -noout -text -in /etc/pki/tls/certs/secondary.key -modulus
and compare the 2 modulus parts.

I guess this is a self-signed certificate, so you can create a new one, using the server key.
If you do so, make sure also that the CN used matches the vhost2 ServerName, so you don't get the warning about
Quote:
[Wed Apr 07 18:36:53 2010] [warn] RSA server certificate CommonName (CN) `www.secondary.com' does NOT match server name!?

kaoticsnow 04-08-2010 11:52 PM
Thanks for the help! I figured out the problem, it was the last line of the below segment, that SSLEngine was uncommented, when the default template had the SSLEngine set to on it needed a default cert. once I turned that off I was able to comment out the cert the web developer added in the head of the ssl.conf file and specify the 2nd vhost for ssl in httpd.conf. =)

Code:
<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#  SSL Engine Switch:
#  Enable/Disable SSL for this virtual host.
#  SSLEngine on


All times are GMT -5. The time now is 04:27 PM.
Page 2 of 2 1 2
Show 50 post(s) from this thread on one page