
Mailing List Archive: Apache: Users

apache with 2 SSL Certs Problem

 

 



rtparies at gmail

Nov 12, 2009, 6:15 PM

Post #1 of 12 (915 views)
Permalink
apache with 2 SSL Certs Problem

Hello,
i have a box with two domains
CentOS release 5.3
Server version: Apache/2.2.3

initially the box only had one IP and domain.

I went and got a SSL cert for that domain and everything was fine.

i then went and added a second IP and a second Domain (eventually i
planned to split these)

I then created a test self signed cert for the second domain/IP (same NIC card)

Since i have done that my first domain/IP SSL gives me the error
message that it is the incorrect cert
"cert belongs to a different site" and when i look at the cert via FF
it is all localhost / self signed stuff

i even yesterday tried to re-issue the old cert
openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr

I have removed the ssl on the second domain for now

in my httpd.conf I am pointing to the key and crt i just created
   SSLEngine on
   SSLCertificateFile /etc/httpd/conf/ssl.crt/www.mydomain.com.crt
   SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.mydomain.com.key

in the SSL error log i see
[Thu Nov 12 09:26:41 2009] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Thu Nov 12 09:26:41 2009] [warn] RSA server certificate CommonName
(CN) `localhost.localdomain' does NOT match server name!?

I would really appreciate any help
Randy

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
" from the digest: users-digest-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


krist.vanbesien at gmail

Nov 12, 2009, 11:29 PM

Post #2 of 12 (882 views)
Permalink
Re: apache with 2 SSL Certs Problem [In reply to]

On Fri, Nov 13, 2009 at 3:15 AM, Randy Paries <rtparies [at] gmail> wrote:
> Hello,
> i have a box with two domains
> CentOS release 5.3
> Server version: Apache/2.2.3
>
> initially the box only had one IP and domain.
>
> I went and got a SSL cert for that domain and everything was fine.
>
> i then went and added a second IP and a second Domain (eventually i
> planned to split these)
>
> I then created a test self signed cert for the second domain/IP (same NIC card)
>
> Since i have done that my first domain/IP SSL gives me the error
> message that it is the incorrect cert
> "cert belongs to a different site" and when i look at the cert via FF
> it is all localhost / self signed stuff
>
> i even yesterday tried to re-issue the old cert
> openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr
>
> I have removed the ssl on the second domain for now
>
> in my httpd.conf I am pointing to the key and crt i just created
>    SSLEngine on
>    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.mydomain.com.crt
>    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.mydomain.com.key
>
> in the SSL error log i see
> [Thu Nov 12 09:26:41 2009] [warn] RSA server certificate is a CA
> certificate (BasicConstraints: CA == TRUE !?)
> [Thu Nov 12 09:26:41 2009] [warn] RSA server certificate CommonName
> (CN) `localhost.localdomain' does NOT match server name!?

You need to give us some more information. What have you done to make
sure that the right IP is associated with the right SSL instance and
certificate? This does not happen automatically.

Normally you should have two virtualhosts in your httpd.conf, each
with its own SSL directives. Could you show us more of your config?


Krist


--
krist.vanbesien [at] gmail
krist [at] vanbesien
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



sureshvis at yahoo

Nov 13, 2009, 12:23 AM

Post #3 of 12 (882 views)
Permalink
Re: apache with 2 SSL Certs Problem [In reply to]

IP based virtual hosting will help you. read thru this http://httpd.apache.org/docs/1.3/vhosts/ip-based.html

also you can have 2 include files with different IP listening and map them in the include file, to make it easy to maintain.

also can you paste your httpd.conf file

thanks
-suresh








rtparies at gmail

Nov 13, 2009, 7:40 AM

Post #4 of 12 (876 views)
Permalink
Re: apache with 2 SSL Certs Problem [In reply to]

On Fri, Nov 13, 2009 at 1:29 AM, Krist van Besien
<krist.vanbesien [at] gmail> wrote:
> On Fri, Nov 13, 2009 at 3:15 AM, Randy Paries <rtparies [at] gmail> wrote:
>> Hello,
>> i have a box with two domains
>> CentOS release 5.3
>> Server version: Apache/2.2.3
>>
>> initially the box only had one IP and domain.
>>
>> I went and got a SSL cert for that domain and everything was fine.
>>
>> i then went and added a second IP and a second Domain (eventually i
>> planned to split these)
>>
>> I then created a test self signed cert for the second domain/IP (same NIC card)
>>
>> Since i have done that my first domain/IP SSL gives me the error
>> message that it is the incorrect cert
>> "cert belongs to a different site" and when i look at the cert via FF
>> it is all localhost / self signed stuff
>>
>> i even yesterday tried to re-issue the old cert
>> openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr
>>
>> I have removed the ssl on the second domain for now
>>
>> in my httpd.conf I am pointing to the key and crt i just created
>>    SSLEngine on
>>    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.mydomain.com.crt
>>    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.mydomain.com.key
>>
>> in the SSL error log i see
>> [Thu Nov 12 09:26:41 2009] [warn] RSA server certificate is a CA
>> certificate (BasicConstraints: CA == TRUE !?)
>> [Thu Nov 12 09:26:41 2009] [warn] RSA server certificate CommonName
>> (CN) `localhost.localdomain' does NOT match server name!?
>
> You need to give us some more information. What have you done to make
> sure that the right IP is associated with the right SSL instance and
> certificate? This does not happen automatically.
>
> Normally you should have two virtualhosts in your httpd.conf, each
> with its own SSL directives. Could you show us more of your config?
>
>
> Krist

Hello,
Thanks for your help

this is how i have it set up.
when i generate the CSR do i need to do something special to bind the
CSR to a specific IP?

<VirtualHost 216.186.190.101:443>
   ServerAdmin webmaster [at] unitnet
   DocumentRoot /home/unitfaces/

   ServerName www.unitfaces.com
   ServerAlias unitfaces.com

   ErrorLog logs/unitfaces.com-error_log
   CustomLog logs/unitfaces.com-access_log combined

   ErrorLog logs/unitfacesSSL.com-error_log
   CustomLog logs/unitfacesSSL.com-access_log combined

   SSLEngine on
   SSLCertificateFile /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt
   SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.unitfaces.com.key

</VirtualHost>



rtparies at gmail

Nov 13, 2009, 9:14 AM

Post #5 of 12 (875 views)
Permalink
Re: apache with 2 SSL Certs Problem [In reply to]

On Fri, Nov 13, 2009 at 9:40 AM, Randy Paries <rtparies [at] gmail> wrote:
> On Fri, Nov 13, 2009 at 1:29 AM, Krist van Besien
> <krist.vanbesien [at] gmail> wrote:
>> On Fri, Nov 13, 2009 at 3:15 AM, Randy Paries <rtparies [at] gmail> wrote:
>>> Hello,
>>> i have a box with two domains
>>> CentOS release 5.3
>>> Server version: Apache/2.2.3
>>>
>>> initially the box only had one IP and domain.
>>>
>>> I went and got a SSL cert for that domain and everything was fine.
>>>
>>> i then went and added a second IP and a second Domain (eventually i
>>> planned to split these)
>>>
>>> I then created a test self signed cert for the second domain/IP (same NIC card)
>>>
>>> Since i have done that my first domain/IP SSL gives me the error
>>> message that it is the incorrect cert
>>> "cert belongs to a different site" and when i look at the cert via FF
>>> it is all localhost / self signed stuff
>>>
>>> i even yesterday tried to re-issue the old cert
>>> openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr
>>>
>>> I have removed the ssl on the second domain for now
>>>
>>> in my httpd.conf I am pointing to the key and crt i just created
>>>    SSLEngine on
>>>    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.mydomain.com.crt
>>>    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.mydomain.com.key
>>>
>>> in the SSL error log i see
>>> [Thu Nov 12 09:26:41 2009] [warn] RSA server certificate is a CA
>>> certificate (BasicConstraints: CA == TRUE !?)
>>> [Thu Nov 12 09:26:41 2009] [warn] RSA server certificate CommonName
>>> (CN) `localhost.localdomain' does NOT match server name!?
>>
>> You need to give us some more information. What have you done to make
>> sure that the right IP is associated with the right SSL instance and
>> certificate? This does not happen automatically.
>>
>> Normally you should have two virtualhosts in your httpd.conf, each
>> with its own SSL directives. Could you show us more of your config?
>>
>>
>> Krist
>
> Hello,
> Thanks for your help
>
> this is how i have it set up.
> when i generate the CSR do i need to do something special to bind the
> CSR to a specific IP?
>
> <VirtualHost 216.186.190.101:443>
>    ServerAdmin webmaster [at] unitnet
>    DocumentRoot /home/unitfaces/
>
>    ServerName www.unitfaces.com
>    ServerAlias unitfaces.com
>
>    ErrorLog logs/unitfaces.com-error_log
>    CustomLog logs/unitfaces.com-access_log combined
>
>    ErrorLog logs/unitfacesSSL.com-error_log
>    CustomLog logs/unitfacesSSL.com-access_log combined
>
>    SSLEngine on
>    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt
>    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.unitfaces.com.key
>
> </VirtualHost>
>

also i have this in my httpd
NameVirtualHost 216.186.190.101:80
NameVirtualHost 216.186.190.106:80
NameVirtualHost 216.186.190.101:443



krist.vanbesien at gmail

Nov 13, 2009, 10:25 AM

Post #6 of 12 (877 views)
Permalink
Re: apache with 2 SSL Certs Problem [In reply to]

On Fri, Nov 13, 2009 at 4:40 PM, Randy Paries <rtparies [at] gmail> wrote:
> On Fri, Nov 13, 2009 at 1:29 AM, Krist van Besien
> this is how i have it set up.
> when i generate the CSR do i need to do something special to bind the
> CSR to a specific IP?

No.

>
> <VirtualHost 216.186.190.101:443>
>    ServerAdmin webmaster [at] unitnet
>    DocumentRoot /home/unitfaces/
>
>    ServerName www.unitfaces.com
>    ServerAlias unitfaces.com
>
>    ErrorLog logs/unitfaces.com-error_log
>    CustomLog logs/unitfaces.com-access_log combined
>
>    ErrorLog logs/unitfacesSSL.com-error_log
>    CustomLog logs/unitfacesSSL.com-access_log combined
>
>    SSLEngine on
>    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt
>    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.unitfaces.com.key
>
> </VirtualHost>

That looks ok, but you should have two VirtualHost containers on port
443. What does the other look like?


--
krist.vanbesien [at] gmail
krist [at] vanbesien
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



krist.vanbesien at gmail

Nov 13, 2009, 10:26 AM

Post #7 of 12 (874 views)
Permalink
Re: apache with 2 SSL Certs Problem [In reply to]

On Fri, Nov 13, 2009 at 6:14 PM, Randy Paries <rtparies [at] gmail> wrote:
> also i have this in my httpd
> NameVirtualHost 216.186.190.101:80
> NameVirtualHost 216.186.190.106:80
> NameVirtualHost 216.186.190.101:443

You probably don't need these.

I assume you have your one SSL host on 216.186.190.101 and another on
216.186.190.106 ?

Krist


--
krist.vanbesien [at] gmail
krist [at] vanbesien
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



rtparies at gmail

Nov 13, 2009, 10:58 AM

Post #8 of 12 (879 views)
Permalink
Re: apache with 2 SSL Certs Problem [In reply to]

On Fri, Nov 13, 2009 at 12:26 PM, Krist van Besien
<krist.vanbesien [at] gmail> wrote:
> On Fri, Nov 13, 2009 at 6:14 PM, Randy Paries <rtparies [at] gmail> wrote:
>> also i have this in my httpd
>> NameVirtualHost 216.186.190.101:80
>> NameVirtualHost 216.186.190.106:80
>> NameVirtualHost 216.186.190.101:443
>
> You probably don't need these.
>
> I assume you have your one SSL host on 216.186.190.101 and another on
> 216.186.190.106 ?
>
> Krist
>

so i tried to re-issue my cert so the file names are a little different.

so here is where i am now

two domains:
1) unitfaces.com is supposed to have the real cert
2) yumasnowbirds.com is supposed to have the self signed cert

<VirtualHost 216.186.190.101:443>
   ServerAdmin webmaster [at] mydomain
   DocumentRoot /home/unitfaces/

   ServerName www.unitfaces.com
   ServerAlias unitfaces.com

   ErrorLog logs/unitfacesSSL.com-error_log
   CustomLog logs/unitfacesSSL.com-access_log combined

   SSLEngine on
   SSLCertificateFile /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt
   SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.calgary.key

</VirtualHost>

<VirtualHost 216.186.190.106:443>
   ServerAdmin webmaster [at] mydomain
   DocumentRoot /home/yumasnowbirds/

   ServerName www.yumasnowbirds.com
   ServerAlias yumasnowbirds.com

   ErrorLog logs/yumasnowbirdsSSL.com-error_log
   CustomLog logs/yumasnowbirdsSSL.com-access_log combined

   SSLEngine on
   SSLCertificateFile /etc/httpd/conf/ssl.crt/www.yumasnowbirds.com.crt
   SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.calgary.key

</VirtualHost>

here is some more info
if i do
#openssl s_client -connect www.unitfaces.com:443 -showcerts
i see (btw , i have no idea where it is getting this info??)
CONNECTED(00000003)
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root [at] localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root [at] localhost
verify return:1
---

#openssl s_client -connect www.yumasnowbirds.com:443 -showcerts
CONNECTED(00000003)
depth=0 /C=US/ST=MyState/L=MyCity/O=Unit Inc./OU=YumaSnowBirds/CN=www.yumasnowbirds.com/emailAddress=admin [at] domain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST= MyState/L= MyCity/O=Unit Inc./OU=YumaSnowBirds/CN=www.yumasnowbirds.com/emailAddress=admin@domain.com
verify return:1
---


I am sooo confused.

Thanks again
Randy



krist.vanbesien at gmail

Nov 14, 2009, 6:37 AM

Post #9 of 12 (854 views)
Permalink
Re: apache with 2 SSL Certs Problem [In reply to]

On Fri, Nov 13, 2009 at 7:58 PM, Randy Paries <rtparies [at] gmail> wrote:
> On Fri, Nov 13, 2009 at 12:26 PM, Krist van Besien
> <krist.vanbesien [at] gmail> wrote:
>> On Fri, Nov 13, 2009 at 6:14 PM, Randy Paries <rtparies [at] gmail> wrote:
>>> also i have this in my httpd
>>> NameVirtualHost 216.186.190.101:80
>>> NameVirtualHost 216.186.190.106:80
>>> NameVirtualHost 216.186.190.101:443
>>
>> You probably don't need these.
>>
>> I assume you have your one SSL host on 216.186.190.101 and another on
>> 216.186.190.106 ?
>>
>> Krist
>>
>
> so i tried to re-issue my cert so the file names are a little different.
>
> so here is where i am now
>
> two domains:
> 1) unitfaces.com is supposed to have the real cert
> 2) yumasnowbirds.com is supposed to have the self signed cert
>
> <VirtualHost 216.186.190.101:443>
>    ServerAdmin webmaster [at] mydomain
>    DocumentRoot /home/unitfaces/
>
>    ServerName www.unitfaces.com
>    ServerAlias unitfaces.com
>
>    ErrorLog logs/unitfacesSSL.com-error_log
>    CustomLog logs/unitfacesSSL.com-access_log combined
>
>    SSLEngine on
>    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt
>    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.calgary.key
>
> </VirtualHost>
>
> <VirtualHost 216.186.190.106:443>
>    ServerAdmin webmaster [at] mydomain
>    DocumentRoot /home/yumasnowbirds/
>
>    ServerName www.yumasnowbirds.com
>    ServerAlias yumasnowbirds.com
>
>    ErrorLog logs/yumasnowbirdsSSL.com-error_log
>    CustomLog logs/yumasnowbirdsSSL.com-access_log combined
>
>    SSLEngine on
>    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.yumasnowbirds.com.crt
>    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.calgary.key
>
> </VirtualHost>

That looks all OK to me.

>
> here is some more info
> if i do
> #openssl s_client -connect www.unitfaces.com:443 -showcerts
> i see (btw , i have no idea where it is getting this info??)
> CONNECTED(00000003)
> depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root [at] localhost
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root [at] localhost
> verify return:1

This is all info from the certificate. It appears that unitfaces.com
has a self signed certificate. You can verify this with:
openssl x509 -in /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt -text
(do this on your server...)

I think that some of your assumptions about what's in
www.unitfaces.com.crt might be wrong...

Krist



--
krist.vanbesien [at] gmail
krist [at] vanbesien
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



rtparies at gmail

Nov 14, 2009, 7:33 AM

Post #10 of 12 (853 views)
Permalink
Re: apache with 2 SSL Certs Problem [In reply to]

On Sat, Nov 14, 2009 at 8:37 AM, Krist van Besien
<krist.vanbesien [at] gmail> wrote:
> On Fri, Nov 13, 2009 at 7:58 PM, Randy Paries <rtparies [at] gmail> wrote:
>> On Fri, Nov 13, 2009 at 12:26 PM, Krist van Besien
>> <krist.vanbesien [at] gmail> wrote:
>>> On Fri, Nov 13, 2009 at 6:14 PM, Randy Paries <rtparies [at] gmail> wrote:
>>>> also i have this in my httpd
>>>> NameVirtualHost 216.186.190.101:80
>>>> NameVirtualHost 216.186.190.106:80
>>>> NameVirtualHost 216.186.190.101:443
>>>
>>> You probably don't need these.
>>>
>>> I assume you have your one SSL host on 216.186.190.101 and another on
>>> 216.186.190.106 ?
>>>
>>> Krist
>>>
>>
>> so i tried to re-issue my cert so the file names are a little different.
>>
>> so here is where i am now
>>
>> two domains:
>> 1) unitfaces.com is supposed to have the real cert
>> 2) yumasnowbirds.com is supposed to have the self signed cert
>>
>> <VirtualHost 216.186.190.101:443>
>>    ServerAdmin webmaster [at] mydomain
>>    DocumentRoot /home/unitfaces/
>>
>>    ServerName www.unitfaces.com
>>    ServerAlias unitfaces.com
>>
>>    ErrorLog logs/unitfacesSSL.com-error_log
>>    CustomLog logs/unitfacesSSL.com-access_log combined
>>
>>    SSLEngine on
>>    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt
>>    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.calgary.key
>>
>> </VirtualHost>
>>
>> <VirtualHost 216.186.190.106:443>
>>    ServerAdmin webmaster [at] mydomain
>>    DocumentRoot /home/yumasnowbirds/
>>
>>    ServerName www.yumasnowbirds.com
>>    ServerAlias yumasnowbirds.com
>>
>>    ErrorLog logs/yumasnowbirdsSSL.com-error_log
>>    CustomLog logs/yumasnowbirdsSSL.com-access_log combined
>>
>>    SSLEngine on
>>    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.yumasnowbirds.com.crt
>>    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.calgary.key
>>
>> </VirtualHost>
>
> That looks all OK to me.
>
>>
>> here is some more info
>> if i do
>> #openssl s_client -connect www.unitfaces.com:443 -showcerts
>> i see (btw , i have no idea where it is getting this info??)
>> CONNECTED(00000003)
>> depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root [at] localhost
>> verify error:num=18:self signed certificate
>> verify return:1
>> depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root [at] localhost
>> verify return:1
>
> This is all info from the certificate. It appears that unitfaces.com
> has a self signed certificate. You can verify this with:
> openssl x509 -in /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt -text
> (do this on your server...)
>
> I think that some of your assumptions about what's in
> www.unitfaces.com.crt might be wrong...
>
> Krist
>

Krist

So is there a way/log to see what cert is being used by apache
if i do openssl x509 -in /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt -text

[root [at] calgar ~]# openssl x509 -in /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server [at] thawte
        Validity
            Not Before: Nov 13 00:00:00 2009 GMT
            Not After : Aug 6 23:59:59 2010 GMT
        Subject: C=US, ST=Alabama, L=Huntsville, O=UnitNet Inc., OU=UnitFaces, CN=www.unitfaces.com


This does not make any sense. It is like it is pulling this cert
magically out of the air

so confused..

Randy



covener at gmail

Nov 14, 2009, 7:43 AM

Post #11 of 12 (855 views)
Permalink
Re: apache with 2 SSL Certs Problem [In reply to]

On Sat, Nov 14, 2009 at 10:33 AM, Randy Paries <rtparies [at] gmail> wrote:

> This does not make any sense. It is like it is pulling this cert
> magically out of the air

httpd -S will display your vhost config.

Also curious what that hostname resolves to on the system where you
ran openssl, and what interfaces your Apache system has.

"grep -ri SSLCert /etc/httpd/conf.d/ /etc/httpd/conf" might also shed
some light on what the operative part of your config is.



--
Eric Covener
covener [at] gmail



rtparies at gmail

Nov 14, 2009, 7:57 AM

Post #12 of 12 (856 views)
Permalink
Re: apache with 2 SSL Certs Problem [In reply to]

On Sat, Nov 14, 2009 at 9:43 AM, Eric Covener <covener [at] gmail> wrote:
> On Sat, Nov 14, 2009 at 10:33 AM, Randy Paries <rtparies [at] gmail> wrote:
>
>> This does not make any sense. It is like it is pulling this cert
>> magically out of the air
>
> httpd -S will display your vhost config.
>
> Also curious what that hostname resolves to on the system where you
> ran openssl, and what interfaces your Apache system has.
>
> "grep -ri SSLCert /etc/httpd/conf.d/ /etc/httpd/conf" might also shed
> some light on what the operative part of your config is.
>
>
>
> --
> Eric Covener
> covener [at] gmail


YEAH!!!!

httpd -S was the ticket.........

[root [at] calgar conf]# httpd -S
VirtualHost configuration:
216.186.190.106:80     is a NameVirtualHost
         default server www.yumasnowbirds.com (/etc/httpd/conf/httpd.conf:1063)
         port 80 namevhost www.yumasnowbirds.com (/etc/httpd/conf/httpd.conf:1063)
216.186.190.106:443    is a NameVirtualHost
         default server www.yumasnowbirds.com (/etc/httpd/conf/httpd.conf:1093)
         port 443 namevhost www.yumasnowbirds.com (/etc/httpd/conf/httpd.conf:1093)
216.186.190.101:80     is a NameVirtualHost
         default server www.unitfaces.com (/etc/httpd/conf/httpd.conf:1017)
         port 80 namevhost www.unitfaces.com (/etc/httpd/conf/httpd.conf:1017)
216.186.190.101:443    is a NameVirtualHost
         default server www.unitfaces.com (/etc/httpd/conf/httpd.conf:997)
         port 443 namevhost www.unitfaces.com (/etc/httpd/conf/httpd.conf:997)
wildcard NameVirtualHosts and _default_ servers:
_default_:443          www.unitfaces.com (/etc/httpd/conf.d/ssl.conf:81)
Syntax OK

Check out the bottom entry (wildcard NameVirtualHosts and _default_ servers:)

i did not even think about this separate file. I have always put my
ssl virt hosts in the httpd.conf

thanks everyone for your help

this one was freaking me out
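
The `httpd -S` reading that closed this thread can be automated. The following is an added example, not code from any poster or from the Apache project: it parses Apache 2.2-style `httpd -S` output and reports catch-all (`_default_` or `*`) vhosts on port 443 and any server name defined for that port in more than one place. The sample output is constructed from the listing in the thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample: `httpd -S` output modelled on the listing posted in the thread
# (Apache 2.2 layout, with the indentation the archive stripped put back).
SAMPLE_HTTPD_S = """\
VirtualHost configuration:
216.186.190.106:80     is a NameVirtualHost
         default server www.yumasnowbirds.com (/etc/httpd/conf/httpd.conf:1063)
         port 80 namevhost www.yumasnowbirds.com (/etc/httpd/conf/httpd.conf:1063)
216.186.190.106:443    is a NameVirtualHost
         default server www.yumasnowbirds.com (/etc/httpd/conf/httpd.conf:1093)
         port 443 namevhost www.yumasnowbirds.com (/etc/httpd/conf/httpd.conf:1093)
216.186.190.101:80     is a NameVirtualHost
         default server www.unitfaces.com (/etc/httpd/conf/httpd.conf:1017)
         port 80 namevhost www.unitfaces.com (/etc/httpd/conf/httpd.conf:1017)
216.186.190.101:443    is a NameVirtualHost
         default server www.unitfaces.com (/etc/httpd/conf/httpd.conf:997)
         port 443 namevhost www.unitfaces.com (/etc/httpd/conf/httpd.conf:997)
wildcard NameVirtualHosts and _default_ servers:
_default_:443          www.unitfaces.com (/etc/httpd/conf.d/ssl.conf:81)
Syntax OK
"""

VHost = namedtuple("VHost", "address port server_name conf_file conf_line")

# "ADDR:PORT is a NameVirtualHost" opens a group of name-based vhosts.
_LISTENER = re.compile(r"^(\S+):(\d+|\*)\s+is a NameVirtualHost\s*$")
# "port N namevhost NAME (FILE:LINE)" is one vhost inside that group.
# Leading whitespace is optional so output pasted without indentation still parses.
_NAMEVHOST = re.compile(r"^\s*port (\d+|\*) namevhost (\S+) \((.+):(\d+)\)\s*$")
# "ADDR:PORT NAME (FILE:LINE)" is a stand-alone (IP-based or _default_) vhost.
_SINGLE = re.compile(r"^(\S+):(\d+|\*)\s+(\S+) \((.+):(\d+)\)\s*$")


def parse_vhosts(text):
    """Return one VHost per vhost definition found in `httpd -S` output."""
    vhosts, current_addr = [], None
    for line in text.splitlines():
        m = _LISTENER.match(line)
        if m:
            current_addr = m.group(1)
            continue
        m = _NAMEVHOST.match(line)
        if m and current_addr:
            # "default server" lines are skipped: the same vhost is listed
            # again on its own "port N namevhost" line.
            vhosts.append(VHost(current_addr, m.group(1), m.group(2),
                                m.group(3), int(m.group(4))))
            continue
        m = _SINGLE.match(line)
        if m:
            current_addr = None
            vhosts.append(VHost(m.group(1), m.group(2), m.group(3),
                                m.group(4), int(m.group(5))))
    return vhosts


def audit_tls_vhosts(vhosts, port="443"):
    """Return (kind, server_name, location) findings for vhosts on `port`."""
    findings = []
    locations = defaultdict(set)
    for v in vhosts:
        if v.port != port:
            continue
        where = "%s:%d" % (v.conf_file, v.conf_line)
        locations[v.server_name].add(where)
        if v.address in ("_default_", "*"):
            # A catch-all vhost carries its own SSLCertificateFile and is easy
            # to forget when it lives in a distribution-supplied include file.
            findings.append(("catch-all", v.server_name, where))
    for name, places in sorted(locations.items()):
        if len(places) > 1:
            findings.append(("duplicate-name", name, ", ".join(sorted(places))))
    return findings


if __name__ == "__main__":
    for kind, name, where in audit_tls_vhosts(parse_vhosts(SAMPLE_HTTPD_S)):
        print("%-15s %-25s %s" % (kind, name, where))
```

Each reported location is a file and line to open and compare against the output of the `grep -ri SSLCert` command suggested earlier in the thread.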

