Linux - Server This forum is for the discussion of Linux Software used in a server related context. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
|
04-04-2010, 12:45 PM
|
#1
|
Member
Registered: Apr 2010
Posts: 35
Rep:
|
ssl.conf and multiple ssl certificastes on Apache
I'm trying to set up a 2nd SSL cert on a different domain on a server, each domain has its own IP address, the problem is the Web developer that configured the first domain specified ssl keys for the primary domain in both the vhost config in httpd.conf AND in the ssl.conf config files. If I attempt to remove the keys form ssl.conf the server will not start up. and with them there It will not start up if I specify keys for the secondary domain. any ideas would be much apreciated.
ssl.conf
Code:
LoadModule ssl_module modules/mod_ssl.so
SSLCertificateFile /etc/pki/tls/certs/primary.com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/primary.com.key
SSLCertificateChainFile /etc/pki/tls/certs/primary_gd_bundle.crt
|
|
|
04-04-2010, 02:31 PM
|
#2
|
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,215
|
Hi,
In general you can setup an IP based ssl vhost like this:
<VirtualHost 1.1.1.1:443>
ServerName vhost1.domain.com
DocumentRoot /path/to/vhost1/docroot
...
SSLEngine on
SSLCertificateFile /path/to/certs/vhost1.crt
SSLCertificateKeyFile /path/to/certs/vhost1.key
...
</VirtualHost>
I guess you cannot remove the keys from ssl.conf, because the existing vhost is the default one, but without ssl.conf and httpd.conf (or at least the relevant parts of them) we cannot tell for sure.
You should take a look at error_log for details.
|
|
|
04-04-2010, 02:40 PM
|
#3
|
Member
Registered: Apr 2010
Posts: 35
Original Poster
Rep:
|
Quote:
Originally Posted by bathory
without ssl.conf and httpd.conf (or at least the relevant parts of them) we cannot tell for sure.
You should take a look at error_log for details.
|
I've looked at the error log and its simply complaining about not finding the keys for the primary domain when I remove them from ssl.conf which confuses me because they are defined in httpd.conf, which portions of each confings do you need to see I'll grab them and post them, (after stripping sensitive information).
|
|
|
04-04-2010, 03:07 PM
|
#4
|
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,215
|
As a start, post the existing vhost definition, the ssl related stuff in httpd.conf and the ssl.conf.
|
|
|
04-04-2010, 10:40 PM
|
#5
|
Member
Registered: Apr 2010
Posts: 35
Original Poster
Rep:
|
Quote:
<VirtualHost xx.xx.xx.1:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/primary.com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/primary.key
SSLCertificateChainFile /etc/pki/tls/certs/primary_gd_bundle.crt
<Directory /var/www/sites/primary.com>
AllowOverride All
</Directory>
DocumentRoot /var/www/sites/primary.com
ServerName primary.com
DirectoryIndex "index.php"
</VirtualHost>
<VirtualHost xx.xx.xx.2:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/secondary.com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/secondary.key
SSLCertificateChainFile /etc/pki/tls/certs/secondary_gd_bundle.crt
<Directory /var/www/sites/secondary.com>
AllowOverride All
</Directory>
DocumentRoot /var/www/sites/secondary.com
ServerName secondary.com
DirectoryIndex "index.php"
</VirtualHost>
|
If I comment out the code in ssl.conf where the web guy specified the primary domains keys I can run a config check and it says its okay
Quote:
LoadModule ssl_module modules/mod_ssl.so
#SSLCertificateFile /etc/pki/tls/certs/primary.com.crt
#SSLCertificateKeyFile /etc/pki/tls/certs/primary.com.key
#SSLCertificateChainFile /etc/pki/tls/certs/primary_gd_bundle.crt
|
Quote:
[web01:~]$ apachectl -t (04-04 19:34)
Syntax OK
|
But appache will fail to start unless I uncomment the key files again.
|
|
|
04-05-2010, 04:43 AM
|
#6
|
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,215
|
Hi,
Do the 2 vhosts work when you leave uncommented the sslcertificate directives in ssl.conf?
Is this snippet, defining the 2 vhosts inside httpd.conf?
Have you tried moving the ssl vhosts part into ssl.conf?
This is at least, how ssl vhosts are defined in my apache.
|
|
|
04-05-2010, 12:21 PM
|
#7
|
Member
Registered: Apr 2010
Posts: 35
Original Poster
Rep:
|
Quote:
Originally Posted by bathory
Hi,
Do the 2 vhosts work when you leave uncommented the sslcertificate directives in ssl.conf?
Is this snippet, defining the 2 vhosts inside httpd.conf?
Have you tried moving the ssl vhosts part into ssl.conf?
This is at least, how ssl vhosts are defined in my apache.
|
Not when I have the primary key's defended in ssl.conf I'll try moving the vhost to ssl.conf and see what happens.
|
|
|
04-05-2010, 12:43 PM
|
#8
|
LQ Newbie
Registered: Nov 2009
Posts: 20
Rep:
|
The ssl.conf file has a "VirtualHost" definition. If you want to comment out the keys portion in this file you need to comment out the whole "VirtualHost" definition. Comment from "<VirtualHost>" to "</VirtualHost>". I came across this issue lastweek when adding a SSL cert to a host that had a key previously defined by the last admin.
|
|
|
04-05-2010, 01:05 PM
|
#9
|
Member
Registered: Apr 2010
Posts: 35
Original Poster
Rep:
|
Quote:
Originally Posted by gumaheru
The ssl.conf file has a "VirtualHost" definition. If you want to comment out the keys portion in this file you need to comment out the whole "VirtualHost" definition. Comment from "<VirtualHost>" to "</VirtualHost>". I came across this issue lastweek when adding a SSL cert to a host that had a key previously defined by the last admin.
|
Thanks for pointing that out! I think that might be it, going to play with it now and try it out.
I just attempted bathory's suggestion of moving the vhost definitions into the ssl.conf file but upon a reload of httpd it reloaded successfully and the site stopped working, this was in the error log after the reload, I restored original files and restarted the server to get everything back working.
Code:
[Mon Apr 05 09:54:32 2010] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]
|
|
|
04-05-2010, 01:13 PM
|
#10
|
Member
Registered: Apr 2010
Posts: 35
Original Poster
Rep:
|
Quote:
Originally Posted by gumaheru
The ssl.conf file has a "VirtualHost" definition. If you want to comment out the keys portion in this file you need to comment out the whole "VirtualHost" definition. Comment from "<VirtualHost>" to "</VirtualHost>". I came across this issue lastweek when adding a SSL cert to a host that had a key previously defined by the last admin.
|
one more question before I start modifying this, I was thinking this was just default settings and anything not defined here httpd would accept the values defined in httpd.conf am I mistaken in assuming this? if I get rid of it should I move over the relevant variables which are not defined in httpd.conf, such as error log locations? Thanks again!
|
|
|
04-05-2010, 02:17 PM
|
#11
|
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,215
|
I think that the current apache configuration does not support IP-based vhosts
What is the output of:
|
|
|
04-05-2010, 02:40 PM
|
#12
|
Member
Registered: Apr 2010
Posts: 35
Original Poster
Rep:
|
Quote:
Originally Posted by bathory
I think that the current apache configuration does not support IP-based vhosts
What is the output of:
|
Strange when running that I get
Code:
Syntax error on line 13 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/primary.com.crt' does not exist or is empty
but its working on the primary domain, then again this is all also specified under the vhost in httpd.conf, also I have the IP based vhost working, you can go to primary.com and secondary.com and they pages pull up fine, however only https://primary.com is working I cant get ssl working on secondary.com
(obviously I'm swapping actual domain names with primary and secondary)
|
|
|
04-05-2010, 02:56 PM
|
#13
|
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,215
|
Are you sure that both httpd.conf and ssl.conf use the same SSLCertificateFile (/etc/pki/tls/certs/primary.com.crt) and that the apache user can read the certificate?
Code:
ls -l /etc/pki/tls/certs/primary.com.crt
Also what gives
Code:
openssl verify /etc/pki/tls/certs/primary.com.crt
|
|
|
04-05-2010, 03:39 PM
|
#14
|
Member
Registered: Apr 2010
Posts: 35
Original Poster
Rep:
|
Quote:
Originally Posted by bathory
Are you sure that both httpd.conf and ssl.conf use the same SSLCertificateFile (/etc/pki/tls/certs/primary.com.crt) and that the apache user can read the certificate?
Code:
ls -l /etc/pki/tls/certs/primary.com.crt
|
Code:
web01 ~ # grep SSLCertificateFile /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/primary.com.crt
web01 ~ # grep SSLCertificateFile /etc/httpd/conf/httpd.conf
SSLCertificateFile /etc/pki/tls/certs/primary.com.crt
Quote:
Also what gives
Code:
openssl verify /etc/pki/tls/certs/primary.com.crt
|
Code:
web01 ~ # openssl verify /etc/pki/tls/certs/primary.com.crt
/etc/pki/tls/certs/primary.com.crt: /O=www.primary.com/OU=Domain Control Validated/CN=www.primary.com
error 20 at 0 depth lookup:unable to get local issuer certificate
|
|
|
04-05-2010, 06:13 PM
|
#15
|
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,215
|
You didn't post the output of
Quote:
ls -l /etc/pki/tls/certs/primary.com.crt
|
Anyway the certificate looks ok, so I guess it's something else. Maybe a SELinux problem.
What distro are you using and what apache version?
If you comment out the 2 ssl lines from ssl.conf what gives "apachectl -S"?
|
|
|
All times are GMT -5. The time now is 09:38 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|