Re: [CentOS] CentOS 6, Apache 2.2.15 and SNI?
On Tue, November 22, 2016 22:40, James B. Byrne wrote:
>
> On Sun, November 20, 2016 12:43, Walter H. wrote:
>>
>> https://box.domain1.com works
>> but
>> https://box.domain2.com results in 'Certificate name mismatch'
>>
>
> What are the contents of the certificate(s) you have configured for
> tls? What AltSubject names, if any, do the certificate(s) support?
>

both were wildcard certificates, one for each domain ...

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 6, Apache 2.2.15 and SNI?
On Sun, November 20, 2016 12:43, Walter H. wrote:
>
> https://box.domain1.com works
> but
> https://box.domain2.com results in 'Certificate name mismatch'
>

What are the contents of the certificate(s) you have configured for tls? What AltSubject names, if any, do the certificate(s) support?

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne          mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited    http://www.harte-lyne.ca
9 Brockley Drive        vox: +1 905 561 1241
Hamilton, Ontario       fax: +1 905 561 0757
Canada L8E 3C3
Re: [CentOS] CentOS 6, Apache 2.2.15 and SNI? Solved ...
It is solved, I don't know why, but SNI works only with hosts that are declared with ServerName and not with ServerAlias

so I did the following ...

I made an include file that contained everything of the virtualhost except the ServerAdmin and ServerName declarations and did this:

ServerAdmin webmaster@domain#.com
ServerName vhost.domain#.com:443
Include /etc/httpd/conf/vhosts/vhost-ssldom#-box.incl

ServerAdmin webmaster@domain#.com
ServerName box.domain#.com:443
Include /etc/httpd/conf/vhosts/vhost-ssldom#-box.incl

ServerAdmin webmaster@domain#.com
ServerName calcbox.domain#.com:443
Include /etc/httpd/conf/vhosts/vhost-ssldom#-box.incl

...

Greetings,
Walter

On 20.11.2016 18:24, Walter H. wrote:
> Hello,
>
> is Apache 2.2 which is part of the CentOS distribution capable of SNI?
>
> I have troubles that are coming from server side (CentOS 6.8, Apache 2.2.15)
> just did 'yum update'
>
> in
> /etc/httpd/conf/httpd.conf
>
> I've the following
>
> NameVirtualHost ipaddr:443
>
> Include /etc/httpd/conf/vhosts/vhost-ssldom1-box.conf
> Include /etc/httpd/conf/vhosts/vhost-ssldom2-box.conf
>
> both 'vhost'-files are like this:
>
> ServerAdmin webmaster@domain#.com
>
> ServerName vhost.domain#.com:443
> ServerAlias box.domain#.com:443
> ServerAlias calcbox.domain#.com:443
> ServerAlias proxybox.domain#.com:443
>
> ...
> SSLEngine on
>
> SSLStrictSNIVHostCheck on
>
> SSLCertificateFile /etc/httpd/conf/ssl.crt/domain#-host.crt
> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain#-host.key
> SSLCertificateChainFile /etc/httpd/conf/ssl.crt/server-chain.crt
>
> ...
>
> only
> https://domain1.com/...
> works
> https://domain2.com/...
> results in a certificate CN mismatch ...
>
> what is missing in my config.?
>
> Thanks,
> Walter
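Added example, not part of Walter's message or of the Apache project: a client-side check of which certificate each name in this thread is handed when it is sent as SNI, and whether that certificate covers the name. The function names and the `OBSERVED` sample are assumptions constructed for illustration; only `subjectAltName` dNSName entries are compared.

```python
import socket
import ssl


def name_matches(pattern, hostname):
    """Compare one certificate dNSName with a hostname.

    '*' is honoured only as the whole left-most label and stands for exactly
    one label: '*.domain1.com' covers 'box.domain1.com', but neither
    'domain1.com' nor 'a.box.domain1.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(dns_names, hostname):
    return any(name_matches(n, hostname) for n in dns_names)


def served_dns_names(address, sni_name, port=443):
    """Send sni_name in the ClientHello to address:port and return the
    dNSName entries of the certificate the server answers with."""
    ctx = ssl.create_default_context()  # chain validation stays enabled
    ctx.check_hostname = False  # the name mismatch is what we want to observe
    with socket.create_connection((address, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def mismatches(observed):
    """observed maps each requested name to the dNSNames it was served."""
    return [h for h, names in observed.items() if not cert_covers(names, h)]


# Constructed sample of the symptom in the thread: the domain1 wildcard
# certificate is answered for both names. Live data would come from
# {n: served_dns_names("ipaddr", n) for n in names}.
OBSERVED = {
    "box.domain1.com": ["*.domain1.com"],
    "box.domain2.com": ["*.domain1.com"],
}

if __name__ == "__main__":
    for host in mismatches(OBSERVED):
        print("certificate name mismatch for", host)
```

Run against the live server before and after a virtual host change; an empty result means every requested name received a certificate that covers it.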
Re: [CentOS] CentOS 6, Apache 2.2.15 and SNI?
On 20.11.2016 18:33, David Nelson wrote:
> It doesn't appear you have a ServerName or ServerAlias for the naked domains (sans subdomain), so they're both being answered by the first VirtualHost entry?

this is not the problem meant

https://box.domain1.com works
but
https://box.domain2.com results in 'Certificate name mismatch'

Thanks,
Walter

> On Nov 20, 2016, at 9:24 AM, Walter H. wrote:
>> Hello,
>>
>> is Apache 2.2 which is part of the CentOS distribution capable of SNI?
>>
>> I have troubles that are coming from server side (CentOS 6.8, Apache 2.2.15)
>> just did 'yum update'
>>
>> in
>> /etc/httpd/conf/httpd.conf
>>
>> I've the following
>>
>> NameVirtualHost ipaddr:443
>>
>> Include /etc/httpd/conf/vhosts/vhost-ssldom1-box.conf
>> Include /etc/httpd/conf/vhosts/vhost-ssldom2-box.conf
>>
>> both 'vhost'-files are like this:
>>
>> ServerAdmin webmaster@domain#.com
>>
>> ServerName vhost.domain#.com:443
>> ServerAlias box.domain#.com:443
>> ServerAlias calcbox.domain#.com:443
>> ServerAlias proxybox.domain#.com:443
>>
>> ...
>> SSLEngine on
>>
>> SSLStrictSNIVHostCheck on
>>
>> SSLCertificateFile /etc/httpd/conf/ssl.crt/domain#-host.crt
>> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain#-host.key
>> SSLCertificateChainFile /etc/httpd/conf/ssl.crt/server-chain.crt
>>
>> ...
>>
>> only
>> https://domain1.com/...
>> works
>> https://domain2.com/...
>> results in a certificate CN mismatch ...
>>
>> what is missing in my config.?
>>
>> Thanks,
>> Walter
Re: [CentOS] CentOS 6, Apache 2.2.15 and SNI?
It doesn't appear you have a ServerName or ServerAlias for the naked domains (sans subdomain), so they're both being answered by the first VirtualHost entry?

> On Nov 20, 2016, at 9:24 AM, Walter H. wrote:
>
> Hello,
>
> is Apache 2.2 which is part of the CentOS distribution capable of SNI?
>
> I have troubles that are coming from server side (CentOS 6.8, Apache 2.2.15)
> just did 'yum update'
>
> in
> /etc/httpd/conf/httpd.conf
>
> I've the following
>
> NameVirtualHost ipaddr:443
>
> Include /etc/httpd/conf/vhosts/vhost-ssldom1-box.conf
> Include /etc/httpd/conf/vhosts/vhost-ssldom2-box.conf
>
> both 'vhost'-files are like this:
>
> ServerAdmin webmaster@domain#.com
>
> ServerName vhost.domain#.com:443
> ServerAlias box.domain#.com:443
> ServerAlias calcbox.domain#.com:443
> ServerAlias proxybox.domain#.com:443
>
> ...
> SSLEngine on
>
> SSLStrictSNIVHostCheck on
>
> SSLCertificateFile /etc/httpd/conf/ssl.crt/domain#-host.crt
> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain#-host.key
> SSLCertificateChainFile /etc/httpd/conf/ssl.crt/server-chain.crt
>
> ...
>
> only
> https://domain1.com/...
> works
> https://domain2.com/...
> results in a certificate CN mismatch ...
>
> what is missing in my config.?
>
> Thanks,
> Walter
[CentOS] CentOS 6, Apache 2.2.15 and SNI?
Hello,

is Apache 2.2 which is part of the CentOS distribution capable of SNI?

I have troubles that are coming from server side (CentOS 6.8, Apache 2.2.15)
just did 'yum update'

in
/etc/httpd/conf/httpd.conf

I've the following

NameVirtualHost ipaddr:443

Include /etc/httpd/conf/vhosts/vhost-ssldom1-box.conf
Include /etc/httpd/conf/vhosts/vhost-ssldom2-box.conf

both 'vhost'-files are like this:

ServerAdmin webmaster@domain#.com

ServerName vhost.domain#.com:443
ServerAlias box.domain#.com:443
ServerAlias calcbox.domain#.com:443
ServerAlias proxybox.domain#.com:443

...
SSLEngine on

SSLStrictSNIVHostCheck on

SSLCertificateFile /etc/httpd/conf/ssl.crt/domain#-host.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain#-host.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/server-chain.crt

...

only
https://domain1.com/...
works
https://domain2.com/...
results in a certificate CN mismatch ...

what is missing in my config.?

Thanks,
Walter