When I first set up multiple SSL enabled web sites on one IP address the use of GnuTLS was required. At that time mod_ssl did not support SNI. That is no longer the case.
Reconfiguring Apache to use mod_ssl enables all sites to be SSL served. Resolving the GnuTLS configuration (compatibility?) issues will be forgone.

On Wed, Nov 26, 2014 at 07:04:02AM -0800, Michael Rasmussen wrote:
> I have three SSL enabled hosts on an Apache web server with SSL services
> provided by GnuTLS.
>
> mod_ssl does not support (at least at the time I first set these up) SNI.
>
> SSL is working properly for two of the three jamhome.us and michaelsnet.us
> The third site, saunter.us, is having the jamhome.us SSL cert provided
> resulting in a
> ERR_CERT_COMMON_NAME_INVALID
>
> debug level logging is enabled for Apache.
>
> When Firefox is used to access saunter.us this message is recorded:
> [Wed Nov 26 06:43:50 2014] [info] GnuTLS: Fatal Alert From Client: (42)
> 'Certificate is bad'
>
> (Side note: Chrome does not trigger that log message.)
>
> Certificates have been validated, a CSR decoder was used to validate the CSR
> I submitted for the saunter.us cert.
>
> I've run out of troubleshooting ideas. What suggestions do you have?
>
> Relevant portions of config files follow.
>
> Conf file jamhome.us
> <VirtualHost 173.246.104.35:443>
> ServerName www.jamhome.us
> ServerAlias jamhome.us
>
> GnuTLSEnable on
> GnuTLSPriorities NORMAL
> GnuTLSSessionTickets on
> GNUTLSExportCertificates on
>
> GnuTLSCertificateFile /path_to/certs/certificate-49851-jamhome.crt
> GnuTLSKeyFile /path_to/private/jamhome_us.key
> GnuTLSClientCAFile /path_to/certs/gandi-ca-2014.crt
> # other options snipped
> </VirtualHost>
> End of jamhome.us
>
> Conf File michaelsnet.us
> <VirtualHost 173.246.104.35:443>
> ServerName www.michaelsnet.us
> ServerAlias michaelsnet.us
>
> GnuTLSEnable on
> GnuTLSPriorities NORMAL
> GnuTLSSessionTickets on
> GNUTLSExportCertificates on
>
> GnuTLSCertificateFile /etc/ssl/certs/certificate-49850-michaelsnet.crt
> GnuTLSKeyFile /etc/ssl/private/michaelsnet_us.key
> GnuTLSClientCAFile /etc/ssl/certs/gandi-ca-2014.crt
> # other options snipped
> </VirtualHost>
> End of michaelsnet.us
>
> Conf File saunter.us
> <VirtualHost 173.246.104.35:443>
> ServerName www.saunter.us
> ServerAlias saunter.us
>
> GnuTLSEnable on
> GnuTLSSessionTickets on
> GnuTLSPriorities NORMAL
> GNUTLSExportCertificates on
>
> GnuTLSCertificateFile /path_to/certs/certificate-100672-saunter.crt
> GnuTLSKeyFile /path_to/private/saunter_us.key
> GnuTLSClientCAFile /path_to/certs/gandi-ca-2014.crt
> # other options snipped
> </VirtualHost>
> End of saunter.us
>
> Conf File gnutls.conf
> <IfModule mod_gnutls.c>
> # all options commented out
> </IfModule>
> End of gnutls.conf
>
> Conf File ports.conf
>
> NameVirtualHost *:80
> Listen [::]:80
> Listen 0.0.0.0:80
>
> <IfModule mod_gnutls.c>
> Listen 443 https
> NameVirtualHost 173.246.104.35:443
> </IfModule>
> End of ports.conf
>
>
> --
> Michael Rasmussen, Portland Oregon
> Be Appropriate && Follow Your Curiosity
> Objects in the calendar are closer than they appear.
> ~ Michael Rasmussen
> _______________________________________________
> PLUG mailing list
> [email protected]
> http://lists.pdxlinux.org/mailman/listinfo/plug
>

--
Michael Rasmussen, Portland Oregon
Be Appropriate && Follow Your Curiosity
After your lover has gone you will still have PEANUT BUTTER!
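
A per-hostname check for the symptom described in the quoted message (one virtual host answered with another virtual host's certificate), added here as an example and not part of the thread. It sends each name as SNI to the same IP and compares it with the names in the returned certificate; the function names, the 192.0.2.10 address and the sample certificates are constructed for illustration.

```python
import socket
import ssl

def fetch_cert(ip, sni, port=443, timeout=5.0):
    """Connect to ip:port sending `sni` in the ClientHello; return the parsed cert."""
    ctx = ssl.create_default_context()   # chain is still verified against system CAs
    ctx.check_hostname = False           # names are compared below, so a mismatch is reported, not fatal
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """DNS names a certificate is valid for: SAN entries, else the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return [n.lower() for n in names]

def name_matches(host, pattern):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return host == pattern

def audit(ip, hosts, fetch=fetch_cert):
    """Map each SNI name to (ok, names_in_served_cert)."""
    report = {}
    for host in hosts:
        names = cert_names(fetch(ip, host))
        report[host] = (any(name_matches(host, n) for n in names), names)
    return report

# Constructed sample reproducing the symptom in the post: the third vhost
# is answered with the first vhost's certificate. Not captured from a real server.
SAMPLE = {
    "www.jamhome.us": {"subjectAltName": (("DNS", "www.jamhome.us"), ("DNS", "jamhome.us"))},
    "www.michaelsnet.us": {"subject": ((("commonName", "www.michaelsnet.us"),),)},
}

def sample_fetch(ip, sni):
    return SAMPLE.get(sni, SAMPLE["www.jamhome.us"])  # unknown SNI gets the first vhost's cert

if __name__ == "__main__":
    hosts = ["www.jamhome.us", "www.michaelsnet.us", "www.saunter.us"]
    for host, (ok, names) in audit("192.0.2.10", hosts, fetch=sample_fetch).items():
        print(f"{host:22} {'OK' if ok else 'MISMATCH'}  served: {', '.join(names)}")
```

Calling `audit()` without the `fetch` argument performs real handshakes; because chain verification stays on, a certificate that does not chain to a trusted CA raises `ssl.SSLCertVerificationError` instead of being reported as a name mismatch.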
