[SOLVED] ssl.conf and multiple SSL certificates on Apache
I'm not familiar with Centos, so cannot tell what's wrong with your setup.
Reading the documentation here and here, I saw that it uses the key/cert files in both the main and the vhost part of the configuration. I guess this is done because it somehow it defines a default ssl vhost.
Are you sure you don't have a _default_ server (or wildcard server "*:443") that needs the certificates to be in /etc/pki/tls/certs?
Without the output of "apachectl -S", we cannot be sure if that's the case. You can check the *.conf files for something like "<VirtualHost _default_:443>" or "<VirtualHost *:443>".
There is a default section in ssl.conf; here is what my ssl.conf contains: http://pastebin.com/33Z3mP6p. It is pretty much the default; I'm pretty sure all the guy before me did was add the key files here. Also, after commenting out the files I get the following with apachectl -S:
Code:
VirtualHost configuration:
<primaryIP>:443 primary.com (/etc/httpd/conf/httpd.conf:1041)
wildcard NameVirtualHosts and _default_ servers:
*:443 is a NameVirtualHost
default server web01.primary.com (/etc/httpd/conf.d/ssl.conf:84)
port 443 namevhost web01.primary.com (/etc/httpd/conf.d/ssl.conf:84)
*:80 is a NameVirtualHost
default server primary.com (/etc/httpd/conf/httpd.conf:1021)
port 80 namevhost primary.com (/etc/httpd/conf/httpd.conf:1021)
port 80 namevhost secondary.com (/etc/httpd/conf/httpd.conf:1030)
port 80 namevhost dev.primary.com (/etc/httpd/conf/httpd.conf:1069)
port 80 namevhost prod.primary.com (/etc/httpd/conf/httpd.conf:1081)
Syntax OK
Also, I have to add that the 2nd SSL vhost is not configured, since Apache will not even start with it configured; that's why you only see the primary in the above output.
Still not getting the server to start with the 2nd SSL.
I did not create the SSL certs, the web developer did. I killed the server, added configuration for the secondary domain and fired the server up, and I got the following printed to the error_log. This seems to me like an issue with the keys... am I correct in assuming this?
Code:
[Wed Apr 07 18:36:53 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Apr 07 18:36:53 2010] [warn] RSA server certificate CommonName (CN) `www.secondary.com' does NOT match server name!?
[Wed Apr 07 18:36:53 2010] [error] Unable to configure RSA server private key
[Wed Apr 07 18:36:53 2010] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
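The two messages above are exactly what can be checked offline before restarting Apache: whether the private key really belongs to the certificate (the X509_check_private_key failure), and whether the certificate's CN matches the ServerName the vhost will answer for (the CommonName warning). The script below is an added example, not something posted in this thread; it assumes only that the openssl command-line tool is installed, and it generates its own throw-away key and certificate as constructed fixtures (CN www.secondary.com, a second unrelated key) so it can be run anywhere. The CN check also handles wildcard certificates (*.example.com), which goes beyond the plain CN the thread shows.

```shell
#!/bin/sh
# Added example: verify an Apache SSL key/cert pair before reloading httpd.
# Assumes the openssl CLI is available. Fixture files are generated here,
# not taken from the thread.

# Return 0 when the public key embedded in the certificate equals the public
# key derived from the private key (this is what X509_check_private_key tests).
key_matches_cert() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
               | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        return 0
    fi
    return 1
}

# Print the CN of the certificate's subject (RFC 2253 form has no spaces).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 when CN matches the ServerName, exactly or via a single-label wildcard.
cn_matches_servername() {
    cn="$1"; name="$2"
    if [ "$cn" = "$name" ]; then
        return 0
    fi
    case "$cn" in
        \*.*)
            # *.primary.com matches dev.primary.com but not primary.com itself
            if [ "${name#*.}" != "$name" ] && [ "${name#*.}" = "${cn#\*.}" ]; then
                return 0
            fi
            ;;
    esac
    return 1
}

# Constructed fixtures: a self-signed cert with its key, plus an unrelated key.
# Prints the temporary directory that holds them.
make_fixtures() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.secondary.com" \
        -keyout "$dir/secondary.key" -out "$dir/secondary.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/other.key" 2>/dev/null
    echo "$dir"
}

# Stand-alone demonstration: one matching pair, one mismatched pair, one CN check.
main() {
    dir=$(make_fixtures)
    cert="$dir/secondary.crt"
    for key in "$dir/secondary.key" "$dir/other.key"; do
        if key_matches_cert "$cert" "$key"; then
            echo "OK      key $key matches $cert"
        else
            echo "FAIL    key $key does NOT match $cert (would give key values mismatch)"
        fi
    done
    cn=$(cert_cn "$cert")
    for sn in www.secondary.com secondary.com; do
        if cn_matches_servername "$cn" "$sn"; then
            echo "OK      CN $cn matches ServerName $sn"
        else
            echo "WARN    CN $cn does NOT match ServerName $sn (mod_ssl would warn)"
        fi
    done
    rm -rf "$dir"
}

main "$@"
```

Run it against real files by replacing the fixture paths with the SSLCertificateFile and SSLCertificateKeyFile values from the vhost; a mismatch here is the same condition mod_ssl reports as "key values mismatch", and a CN/ServerName disagreement is the source of the "does NOT match server name" warning.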
I guess this is a self-signed certificate, so you can create a new one using the server key.
If you do so, also make sure that the CN used matches the vhost2 ServerName, so you don't get the warning about
Quote:
[Wed Apr 07 18:36:53 2010] [warn] RSA server certificate CommonName (CN) `www.secondary.com' does NOT match server name!?
Thanks for the help! I figured out the problem: it was the last line of the segment below. SSLEngine was uncommented, and when the default template had SSLEngine set to on it needed a default cert. Once I turned that off I was able to comment out the cert the web developer added at the head of the ssl.conf file and specify the 2nd vhost for SSL in httpd.conf. =)
Code:
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
# SSLEngine on