[SOLVED] ssl.conf and multiple ssl certificastes on Apache
Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I'm trying to set up a 2nd SSL cert on a different domain on a server, each domain has its own IP address, the problem is the Web developer that configured the first domain specified ssl keys for the primary domain in both the vhost config in httpd.conf AND in the ssl.conf config files. If I attempt to remove the keys form ssl.conf the server will not start up. and with them there It will not start up if I specify keys for the secondary domain. any ideas would be much apreciated.
In general you can setup an IP based ssl vhost like this:
<VirtualHost 1.1.1.1:443>
ServerName vhost1.domain.com
DocumentRoot /path/to/vhost1/docroot
...
SSLEngine on
SSLCertificateFile /path/to/certs/vhost1.crt
SSLCertificateKeyFile /path/to/certs/vhost1.key
...
</VirtualHost>
I guess you cannot remove the keys from ssl.conf, because the existing vhost is the default one, but without ssl.conf and httpd.conf (or at least the relevant parts of them) we cannot tell for sure.
You should take a look at error_log for details.
without ssl.conf and httpd.conf (or at least the relevant parts of them) we cannot tell for sure.
You should take a look at error_log for details.
I've looked at the error log and its simply complaining about not finding the keys for the primary domain when I remove them from ssl.conf which confuses me because they are defined in httpd.conf, which portions of each confings do you need to see I'll grab them and post them, (after stripping sensitive information).
Do the 2 vhosts work when you leave uncommented the sslcertificate directives in ssl.conf?
Is this snippet, defining the 2 vhosts inside httpd.conf?
Have you tried moving the ssl vhosts part into ssl.conf?
This is at least, how ssl vhosts are defined in my apache.
Do the 2 vhosts work when you leave uncommented the sslcertificate directives in ssl.conf?
Is this snippet, defining the 2 vhosts inside httpd.conf?
Have you tried moving the ssl vhosts part into ssl.conf?
This is at least, how ssl vhosts are defined in my apache.
Not when I have the primary key's defended in ssl.conf I'll try moving the vhost to ssl.conf and see what happens.
The ssl.conf file has a "VirtualHost" definition. If you want to comment out the keys portion in this file you need to comment out the whole "VirtualHost" definition. Comment from "<VirtualHost>" to "</VirtualHost>". I came across this issue lastweek when adding a SSL cert to a host that had a key previously defined by the last admin.
The ssl.conf file has a "VirtualHost" definition. If you want to comment out the keys portion in this file you need to comment out the whole "VirtualHost" definition. Comment from "<VirtualHost>" to "</VirtualHost>". I came across this issue lastweek when adding a SSL cert to a host that had a key previously defined by the last admin.
Thanks for pointing that out! I think that might be it, going to play with it now and try it out.
I just attempted bathory's suggestion of moving the vhost definitions into the ssl.conf file but upon a reload of httpd it reloaded successfully and the site stopped working, this was in the error log after the reload, I restored original files and restarted the server to get everything back working.
Code:
[Mon Apr 05 09:54:32 2010] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]
The ssl.conf file has a "VirtualHost" definition. If you want to comment out the keys portion in this file you need to comment out the whole "VirtualHost" definition. Comment from "<VirtualHost>" to "</VirtualHost>". I came across this issue lastweek when adding a SSL cert to a host that had a key previously defined by the last admin.
one more question before I start modifying this, I was thinking this was just default settings and anything not defined here httpd would accept the values defined in httpd.conf am I mistaken in assuming this? if I get rid of it should I move over the relevant variables which are not defined in httpd.conf, such as error log locations? Thanks again!
I think that the current apache configuration does not support IP-based vhosts
What is the output of:
Code:
apachectl -S
Strange when running that I get
Code:
Syntax error on line 13 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/primary.com.crt' does not exist or is empty
but its working on the primary domain, then again this is all also specified under the vhost in httpd.conf, also I have the IP based vhost working, you can go to primary.com and secondary.com and they pages pull up fine, however only https://primary.com is working I cant get ssl working on secondary.com
(obviously I'm swapping actual domain names with primary and secondary)
Are you sure that both httpd.conf and ssl.conf use the same SSLCertificateFile (/etc/pki/tls/certs/primary.com.crt) and that the apache user can read the certificate?
Are you sure that both httpd.conf and ssl.conf use the same SSLCertificateFile (/etc/pki/tls/certs/primary.com.crt) and that the apache user can read the certificate?
web01 ~ # openssl verify /etc/pki/tls/certs/primary.com.crt
/etc/pki/tls/certs/primary.com.crt: /O=www.primary.com/OU=Domain Control Validated/CN=www.primary.com
error 20 at 0 depth lookup:unable to get local issuer certificate
Anyway the certificate looks ok, so I guess it's something else. Maybe a SELinux problem.
What distro are you using and what apache version?
If you comment out the 2 ssl lines from ssl.conf what gives "apachectl -S"?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.