I have found a problem with mod_nss that appears to have been reported in
2010, but I cannot find any further reference to it. The 2010 reference
contains a comment saying that it is an issue and needs to be fixed. I
have not been able to find any issue tracking system for mod_nss and so
haven't been able to check on the status.
The problem is that mod_nss does not appear to respond with the correct
certificate when multiple name virtual servers are configured on an
instance of Apache. It always responds with the certificate of the first
name virtual server defined. It does process the other sites'
configurations because it complains if certificates with the aliases used
are not in the database. This would not be an issue (for me) if mod_ssl
could be used for virtual servers other than the IPA server, but they
cannot co-exist. If you try to mix them, mod_ssl complains that port 443
is being used for the IPA server, but it is not SSL aware. I suppose it
would be possible to reconfigure the IPA name virtual server to use mod_ssl
bu exporting the certificate, but I really don't like to muck around with
the directory server configuration more than is necessary as it is vital
that it remains stable and secure.
Could anyone enlighten me as to whether this issue is being looked at or
even if it is fixed and the CentOS people (CentOS 6.3 standard repositories
all packages up to date as of yesterday) just aren't supplying a new enough
version of mod_nss. At the moment, I can use my SSL secured sites as the
encryption works okay, but I cannot open them up as they report the wrong
host name in the certificate.
Freeipa-users mailing list