Your message dated Fri, 27 Feb 2009 15:17:02 +0100
with message-id <[email protected]>
and subject line Problem with wildcard certificate
has caused the Debian Bug report #511667,
regarding libapache2-mod-gnutls: Name-based virtual hosting not working
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
--
511667: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511667
Debian Bug Tracking System
--- Begin Message ---
Package: libapache2-mod-gnutls
Version: 0.5.1-1
Severity: important
It appears that name-based virtual hosting isn't working properly. Below you
will find a very basic Apache configuration for two SSL virtual hosts. Both
virtual hosts are accessible but both hosts are using the SSL certificate and
key from the first virtual host. Also, any extra directives placed in the
second virtual host do not seem to apply. For example, adding
"GnuTLSClientVerify require" to the second virtual host in order to require
client certificate validation does not work. If I add it to the first virtual
host then *both* virtual hosts start demanding client certificates.

I am using IceWeasel 2 (as shipped in Lenny) to access those virtual hosts. It
should have support for Server Name Identification (SNI) that allows
mod_gnutls to do name-based virtual hosting.

Marking severity as important because name-based virtual hosting is one of the
primary reasons why people use mod_gnutls over mod_ssl.
My configuration:
NameVirtualHost *:443
Listen 443

# First virtual host, using a self-signed certificate
<VirtualHost *:443>
    DocumentRoot /var/www/host1
    ServerName host1.example.org:443

    # SSL using GnuTLS
    GnuTLSEnable On
    GnuTLSPriorities PERFORMANCE:%COMPAT
    GnuTLSCertificateFile /etc/apache2/ssl/host1.cert
    GnuTLSKeyFile /root/certs/host1.key

    LogLevel warn
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On
</VirtualHost>

# Second virtual host using a certificate signed by CACert.
# But, it is served with the self-signed certificate from the previous
# virtual host. That can't be right!
<VirtualHost *:443>
    # SSL using GnuTLS
    GnuTLSEnable On
    GnuTLSCertificateFile /etc/apache2/ssl/host2.cert
    GnuTLSKeyFile /root/certs/host2.key
    GnuTLSPriorities PERFORMANCE:%COMPAT

    ServerName svn.example.org:443

    LogLevel warn
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On

    # This is a Subversion server, so no DocumentRoot
    # statement but instead this Location directive
    <Location "/">
        DAV svn
        SVNParentPath /var/svn
        SVNListParentPath On
        AuthType Basic
        AuthName "My subversion repositories"
        AuthUserFile /etc/subversion/svn-users
        AuthzSVNAccessFile /etc/subversion/svn-groups
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            Require valid-user
        </LimitExcept>
    </Location>
</VirtualHost>
-- System Information:
Debian Release: 5.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.25-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libapache2-mod-gnutls depends on:
ii libc6 2.7-16 GNU C Library: Shared libraries
ii libgnutls26 2.4.2-4 the GNU TLS library - runtime libr
libapache2-mod-gnutls recommends no packages.
libapache2-mod-gnutls suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
I am closing this bug. The problem was at my end. Apparently name-based
virtual hosts and wildcard SSL certificates do not mix. When I replaced
the wildcard certificate on host 1 with a regular certificate everything
worked.
--
Sander Marechal
--- End Message ---
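
One possible reading of the behaviour reported in this thread, as an added example that is not part of the original messages and is not mod_gnutls code: if a server chooses the virtual host by comparing the SNI name against each host's certificate names in configuration order, a wildcard certificate on the first host also covers the second host's name. The selection rule, the function names and the certificate names used here are assumptions made for illustration.

```python
# Added example: models first-match virtual host selection by certificate
# name. The selection rule and the certificate names are assumptions; they
# are not taken from mod_gnutls or from the bug report.

def name_matches(pattern: str, host: str) -> bool:
    """Match a certificate name against a host name. A leading '*' covers
    exactly one left-most label (the usual TLS wildcard rule)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def select_vhost(vhosts, sni):
    """Return the ServerName of the first vhost whose certificate covers
    the SNI name; fall back to the first (default) vhost."""
    for vh in vhosts:
        if any(name_matches(n, sni) for n in vh["cert_names"]):
            return vh["server_name"]
    return vhosts[0]["server_name"] if vhosts else None


def shadowed(vhosts):
    """List (victim, winner) pairs: vhosts that are never selected for
    their own ServerName because an earlier certificate also covers it."""
    out = []
    for vh in vhosts:
        winner = select_vhost(vhosts, vh["server_name"])
        if winner != vh["server_name"]:
            out.append((vh["server_name"], winner))
    return out


# Constructed input mirroring the two-vhost layout in the report.
WILDCARD_FIRST = [
    {"server_name": "host1.example.org", "cert_names": ["*.example.org"]},
    {"server_name": "svn.example.org", "cert_names": ["svn.example.org"]},
]
REGULAR_FIRST = [
    {"server_name": "host1.example.org", "cert_names": ["host1.example.org"]},
    {"server_name": "svn.example.org", "cert_names": ["svn.example.org"]},
]

if __name__ == "__main__":
    print("wildcard on host1:", shadowed(WILDCARD_FIRST))
    print("regular on host1: ", shadowed(REGULAR_FIRST))
```

Under this model the second host is shadowed only while the first host carries the wildcard certificate, which matches the reporter's observation that replacing it with a regular certificate made both hosts work.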