* OK, forget about that CA stuff. I just want to get the default
demo server.crt to work as per the INSTALLATION, I now have this
on another server also with the NAME as exactly the server name
in the certificate. I still have the problem. Netscape still tells
me "Document contains no data" and I get that timeout error in the
error_log. Netscape does get the certificates and shows them to me
in dialog boxes. Once I accept them ... wait ... 3-minutes ...
Pop-Up box comes: Document Contains no data.
>AS> It must be something in my httpd.conf configuration, because
>AS> otherwise the software seems to be operational (?) i.e. at
>AS> least there is the port 443 handshaking and certificate is
>AS> sent to the remote browser. I still get a "Document Contains
>AS> No Data" after a timeout period of several minutes.
>
> What about Lynx-SSL and/or s_client ?
* I don't have Lynx-SSL set up anywhere, but, s_client ...
after several minutes tells: read:errno=0
Apache error_log tells: connect: Connection timed out
When I pipe the output of s_client to less so that I can view all
of it, there are verify errors such as:
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=21:unable to verify the first certificate
I do not understand what this means, or how to fix it (?)
Could this be the problem???
I did the same installation of Apache 1.3.1 + mod_ssl on a
local machine here at home without any VirtualHosts at all,
and certificate was made for an IP Address: 192.168.10.1
on a local ethernet. This server locks SSL just fine with
Netscape after viewing the pop-ups to accept the untrusted
test Snake-Oil CA'd server certificate.
The only difference that I can find between what I am doing
there and what I am doing on my real live servers is that
they have VirtualHosts - which I have included at the end
of the httpd.conf.dist (as httpd.conf) and I have changed
the VirtualHost with the SSL stuff in it to be the servers
main host name. As far as I know this should work. I should
be able to get a test. But I so far have not been able to.
>
>AS> PS: Am I reading this wrong, or isn't that strange that the
>AS> certificate "YOUR NAME" has to be the same as the name of the
>AS> web site? Then how does one use this big Apache SSL capable
>AS> server for more than one VirtualHost that their company or
>AS> organization owns? Doesn't that mean that we'd have to have
>AS> multiple certificates from a recognized CSA (One for each
>AS> Top Level Domain)? That wouldn't be very good.
>
>Unfortunately yes. You need separate certificate for each and every
>VirtualHost :-(( Don't blame Ralf -- it's Netscape's/MS IE limitation
>(I'm sure that this is artifactual limitation BTW :-)
>
>Usual solution from ISP: make one secure server and links there from
>unsecure servers of clients; if a client wants its own secure server, ask
>him to buy one more certificate from Verisign (or other "big" CA :-)
>
OK, that acknowledged. I should still be able to start my whole apache
server as SSL and have only one VirtualHost be the SSLEnable'd one. I
am thinking that the main server's hostname should work fine for this.
It does not interfere with any other VirtualHost. In fact I even try
leaving the SSL part as <VirtualHost _default_:443> (which works on my
machine here at home) and it still doesn't work. I also have tried by
changing VirtualHost to the IP Address and to the hostname.
---
Alan Spicer ([EMAIL PROTECTED])
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]