RE: Problem with IP/Port Based (NOT Name Based) virtual hosts.
I don't really understand what can be wrong - your config looks OK and if the logs and docroots are accurate, I don't see how it can be going into the wrong VH. Therefore, you must be mistaken about the certificate files. Are you sure you don't have symlinks or something funny which could allow one server to see the other's certs in place of its own? When you say "gets the wrong cert" do you mean that you get a browser warning "cert does not match FQDN"?

rgds,
Owen Boyle

-----Original Message-----
From: Alex Tang [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 10 December 2002 09:57
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Problem with IP/Port Based (NOT Name Based) virtual hosts.

> Hi there. Thanks for the help. I have some followup comments inline...
>
> On Tue, Dec 10, 2002 at 09:04:35AM +0100, Boyle Owen wrote:
> > You must be the first guy to figure this out from the docs! Well done :-)
>
> Ha. Thanks. :)
>
> > > However, I'm trying to set up my server (apache 2.0.43, OpenSSL 0.9.7-beta5, RH Linux 7.3) to do IP or Port based virtual hosts. It seems that the server will only ever use the first cert declared. I have the following in my httpd.conf (well, technically a file included by httpd.conf):
> > >
> > >     SSLSessionCache dbm:/var/cache/mod_ssl/scache
> > >     SSLSessionCacheTimeout 300
> > >     SSLMutex file:logs/ssl_mutex
> > >     SSLRandomSeed startup builtin
> > >     SSLRandomSeed connect builtin
> > >
> > >     <VirtualHost 192.168.7.31:443>
> > >         ServerName A.funkware.com
> > >         ServerAdmin [EMAIL PROTECTED]
> > >         ErrorLog logs/A/error_log
> > >         CustomLog logs/A/access_log combined
> > >         SSLEngine on
> > >         SSLCertificateFile /usr/local/etc/A.Cert
> > >         SSLCertificateKeyFile /usr/local/etc/A.key
> > >         DocumentRoot /webdocs/A
> > >         # other sundry virtual host directory stuff here.
> > >     </VirtualHost>
> >
> > Looks OK...
> >
> > >     <VirtualHost 192.168.7.33:443>
> > >         AddType application/x-x509-ca-cert .crt
> > >         AddType application/x-pkcs7-crl .crl
> > >         ServerName B.funkware.com
> > >         ServerAdmin [EMAIL PROTECTED]
> > >         ErrorLog logs/B/error_log2
> > >         CustomLog logs/B/access_log2 combined
> > >         SSLEngine on
> > >         SSLCertificateFile /etc/httpd/conf/httpd-cert-3443.cert
> > >         SSLCertificateKeyFile /etc/httpd/conf/httpd-cert-3443.key
> > >         DocumentRoot /local/private/OpenCA/httpd/htdocs/pub
> > >         # other sundry virtual host directory stuff here.
> > >     </VirtualHost>
> >
> > Looks OK too...
> >
> > > Like I said, when I start up the server, the first cert (A.Cert) is used for both virtual hosts. Does this setup look correct? Is there something I missed?
> > >
> > > Here are a couple more tidbits of info that I've learned... I don't know if any of it is useful though...
> > >
> > > * All the certs and keys are valid. I've verified it using OpenSSL.
> > >
> > > * When I get the root page for both virtual hosts, I get the proper page for each server.
> >
> > What exactly do you mean here... Do you mean that:
> >
> >     https://A.funkware.com/ -> /webdocs/A
> >     https://B.funkware.com/ -> /local/private/OpenCA/httpd/htdocs/pub
> >
> > or do you mean via HTTP?
>
> Sorry about that. I should have been more clear. Your assumption was correct:
>
>     https://A.funkware.com/ -> /webdocs/A
>     https://B.funkware.com/ -> /local/private/OpenCA/httpd/htdocs/pub
>
> This part of the VirtualHost information is being properly read and used.
>
> > > * If I change the second SSLCertificateFile to a bogus file or something that doesn't exist, the server will not start up (as expected). However, the second cert is still not used.
> >
> > As you say, this is normal - missing files or directories cause apache to abort during startup, long before any network setup is done.
>
> Sure. I understand.
>
> > > * If I change the order (putting the VirtualHost declaration for .33 before .31), the behavior is consistent: the httpd-cert-3443.cert is used for both servers.
> >
> > I suspect a DNS or routing problem... I notice you have real .com domain names which implies these sites are available on the internet. However, the IP addresses are on the 192.168.0.0 private network. This implies that you have a firewall and/or router with network address translation between the webserver and the web. Are you sure that, after NAT, A.funkware.com resolves to 192.168.7.31 and that B.funkware.com resolves to 192.168.7.33? I suspect that both FQDNs are resolving to the same internal IP address...
>
> You are correct again that I am working behind a firewall using the 192.168.7/24 network. Unfortunately, I know that the FQDNs are correct (I run the DNS). For my testing, I am working completely behind the wall, I am running the client on a machine at 192.168.7.20, and my netmask on all machines is 255.255.255.0, hence all machines are on the same subnet. There is no NAT being done
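The thread never settles which side is wrong, so a useful next step is to audit the config mechanically and then compare what each address actually serves with what it is configured to serve. The script below is an added example, not code from the thread or from Apache: it extracts the SSL VirtualHost blocks from an httpd.conf and flags the two layouts under which a pre-SNI Apache can only ever present the first certificate (several SSL vhosts on one address:port, or several vhosts pointing at the same certificate file). The sample config is constructed to mirror the thread; the host names and file paths are the ones the thread shows. The `served_fingerprint` helper needs network access and is only there to show the comparison a practitioner would run from the 192.168.7.20 client.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the SSL VirtualHost blocks of an
# httpd.conf.  Without SNI, Apache can present only one certificate per
# address:port, so two SSL vhosts on one address (or two vhosts sharing a cert
# file) always "use the first cert".  Sample config below is constructed.

# One line per vhost with "SSLEngine on":  address:port ServerName SSLCertificateFile
ssl_vhost_map() {
    awk '
        tolower($1) ~ /^<virtualhost$/ { addr = $2; sub(/>$/, "", addr)
                                         name = "-"; cert = "-"; engine = "off" }
        tolower($1) == "servername"         { name = $2 }
        tolower($1) == "sslengine"          { engine = tolower($2) }
        tolower($1) == "sslcertificatefile" { cert = $2 }
        tolower($1) == "</virtualhost>"     { if (engine == "on") print addr, name, cert }
    ' "$1"
}

# Addresses carrying more than one SSL vhost (only the first one's cert can be served).
shared_addresses() {
    ssl_vhost_map "$1" | awk '{ n[$1]++ } END { for (a in n) if (n[a] > 1) print a }' | sort
}

# Certificate files referenced by more than one SSL vhost.
shared_certs() {
    ssl_vhost_map "$1" | awk '{ n[$3]++ } END { for (c in n) if (n[c] > 1) print c }' | sort
}

# What a live server presents on addr:port versus what a cert file contains.
# Needs network access, so it is not exercised below.
served_fingerprint() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}
configured_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Constructed config written to $1; with $2 = shared both SSL vhosts sit on one IP.
write_sample_conf() {
    second=192.168.7.33
    [ "$2" = shared ] && second=192.168.7.31
    cat > "$1" <<EOF
SSLSessionCache dbm:/var/cache/mod_ssl/scache
<VirtualHost 192.168.7.31:80>
    ServerName A.funkware.com
    DocumentRoot /webdocs/A
</VirtualHost>
<VirtualHost 192.168.7.31:443>
    ServerName A.funkware.com
    SSLEngine on
    SSLCertificateFile /usr/local/etc/A.Cert
    SSLCertificateKeyFile /usr/local/etc/A.key
</VirtualHost>
<VirtualHost $second:443>
    ServerName B.funkware.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/httpd-cert-3443.cert
    SSLCertificateKeyFile /etc/httpd/conf/httpd-cert-3443.key
</VirtualHost>
EOF
}

# Run the audit over one config file and print a verdict.
audit_conf() {
    echo "== $1"; ssl_vhost_map "$1"
    a=$(shared_addresses "$1"); c=$(shared_certs "$1")
    [ -n "$a" ] && echo "WARNING: more than one SSL vhost on: $a"
    [ -n "$c" ] && echo "WARNING: certificate reused by several vhosts: $c"
    [ -z "$a$c" ] && echo "OK: distinct address and certificate per SSL vhost"
    return 0
}

tmp=${TMPDIR:-/tmp}/vhost-audit.$$
write_sample_conf "$tmp.ip" ip;         audit_conf "$tmp.ip"
write_sample_conf "$tmp.shared" shared; audit_conf "$tmp.shared"
rm -f "$tmp.ip" "$tmp.shared"
```

When the audit reports OK, as it does for the thread's config, the remaining suspects are outside the file: compare `served_fingerprint 192.168.7.33:443` against `configured_fingerprint /etc/httpd/conf/httpd-cert-3443.cert` from the client machine, and check that `Listen` covers both addresses, since a single `Listen 443` on a wildcard socket still serves both IPs from the first matching vhost.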
Migrating Apache/ModSSL/OpenSSL certificate to Win2K/IIS 5.0
We have a 2-year Verisign Secure Site ID running on one of our Apache servers with ModSSL. The original CSR was generated using OpenSSL software. Now the site is moving to Windows 2000 / IIS 5.0 (bleah) and I was searching the web for information regarding how to transfer the certificate between the two environments. Verisign apparently does not provide support on this issue; I found some info at Thawte (http://www.thawte.com/html/SUPPORT/server/apachessl.html) but it appears to be incomplete. Microsoft's support site doesn't seem to have any word on the subject either (surprise).

So if anyone has a better link than the one I found, I'd love to hear about it.

Thanks so much...

Emily Witcher - [EMAIL PROTECTED]

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                 [EMAIL PROTECTED]
RE: Migrating Apache/ModSSL/OpenSSL certificate to Win2K/IIS 5.0
You can take your private key and public key from Apache, import them into MS IIS 4.0 as a key pair set. IIS 4 will ask you for the private key and the public key. Back up the key pair set as a key pair file (.key); this will contain both the private key and public key in one .key file. Then go to your MS IIS 5.0 webserver and, under Directory Security, go through the Server Certificate wizard and choose the last option, "Import". The Import option is designed for IIS 4.0 .key files.

-----Original Message-----
From: Emily Eileen Witcher [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 4:41 PM
To: [EMAIL PROTECTED]
Subject: Migrating Apache/ModSSL/OpenSSL certificate to Win2K/IIS 5.0
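The reply routes the key pair through an IIS 4.0 machine. The route that needs no intermediate server, added here as an example rather than taken from the thread, is to bundle the PEM certificate and private key that mod_ssl uses into one PKCS#12 (.pfx) file, which the Windows certificate store imports directly, and to verify the bundle on the Apache box before the key leaves it. The script assumes the `openssl` command-line tool; all file names are placeholders and the certificate it exercises is a self-signed one it generates itself.

```shell
#!/bin/sh
# Added example, not code from the thread: package an Apache/mod_ssl PEM
# certificate and key as a PKCS#12 file for import on Windows, and verify the
# bundle holds the same certificate and a matching key.  Requires openssl;
# file names are placeholders, the test certificate below is self-signed.

# Usage: pem_to_pfx cert.pem key.pem out.pfx 'export-password' [chain.pem]
# The optional chain file carries the CA's intermediate certificate(s).
pem_to_pfx() {
    if [ -n "$5" ]; then
        openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$5" -out "$3" -passout "pass:$4"
    else
        openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
    fi
}

# SHA-256 fingerprint of a PEM certificate (value only).
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the end-entity certificate stored in a .pfx.
pfx_fingerprint() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Returns 0 when the .pfx carries the same certificate as cert.pem and a private
# key whose public half matches it.  Usage: verify_pfx cert.pem out.pfx 'password'
verify_pfx() {
    [ -n "$(pem_fingerprint "$1")" ] || return 1
    [ "$(pem_fingerprint "$1")" = "$(pfx_fingerprint "$2" "$3")" ] || return 1
    bundle_pub=$(openssl pkcs12 -in "$2" -passin "pass:$3" -nocerts -nodes 2>/dev/null |
                 openssl pkey -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    [ -n "$bundle_pub" ] && [ "$bundle_pub" = "$cert_pub" ]
}

# Constructed self-signed certificate and key, only for exercising the functions.
make_test_cert() {   # usage: make_test_cert cert.pem key.pem
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2" -out "$1" \
        -subj "/CN=www.example.test" -days 1 >/dev/null 2>&1
}

d=${TMPDIR:-/tmp}/pfx-demo.$$
mkdir -p "$d"
make_test_cert "$d/cert.pem" "$d/key.pem"
pem_to_pfx "$d/cert.pem" "$d/key.pem" "$d/site.pfx" 'constructed-password'
if verify_pfx "$d/cert.pem" "$d/site.pfx" 'constructed-password'; then
    echo "site.pfx verified: $(pem_fingerprint "$d/cert.pem")"
else
    echo "site.pfx does NOT match cert.pem"
fi
rm -rf "$d"
```

Two caveats for the real migration: the export password protects the private key in transit, so move the .pfx over an authenticated channel and delete it once imported; and a current OpenSSL 3 encrypts PKCS#12 with AES and PBKDF2 by default, which old Windows releases cannot read, so for such targets add `-legacy` to the `openssl pkcs12 -export` call.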
problems after upgrading mod_ssl and apache..
Hiya

Yesterday we upgraded one of our http servers from apache 1.3.26 to 1.3.27 with the equivalent version of mod_ssl.

    root@nextgeneration:/usr/src/other/php# /usr/local/apache/bin/apachectl startssl
    Apache/1.3.27 mod_ssl/2.8.12 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide us with the pass phrases.

    Server ssl.reroute.set:443 (RSA)
    Enter pass phrase:

    Ok: Pass Phrase Dialog successful.
    /usr/local/apache/bin/apachectl startssl: httpd started
    Syntax error on line 524 of /usr/local/apache/conf/httpd.conf:
    Invalid command 'SSLEngine', perhaps mis-spelled or defined by a module not included in the server configuration

And then the server dies... anyone know where to start looking..?

Mvh/Best regards,
Arnvid L. Karstad
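"Invalid command 'SSLEngine'" is Apache telling you that the binary it just started has no module that defines SSL directives, which after a rebuild usually means the new httpd was compiled without mod_ssl. The script below is an added example, not from the post or from Apache: it performs the two pre-restart checks a post-upgrade smoke test should run, namely whether mod_ssl is compiled in (what `httpd -l` lists) or loaded as a DSO (a `LoadModule ssl_module` line), and which SSL* directives sit outside `<IfDefine SSL>`, since a plain `apachectl start` without `-DSSL` would reject those too. The module listing and the config file are constructed.

```shell
#!/bin/sh
# Added example, not code from the post: pre-restart checks for an Apache 1.3 +
# mod_ssl upgrade.  (1) Is mod_ssl compiled in or loaded as a DSO?  (2) Which
# SSL* directives are outside <IfDefine SSL>?  Inputs below are constructed.

# Usage: has_mod_ssl "<output of httpd -l>" httpd.conf
has_mod_ssl() {
    printf '%s\n' "$1" | grep -q 'mod_ssl\.c' && return 0
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ssl_module' "$2"
}

# Print "line: directive" for every SSL* directive not enclosed in <IfDefine SSL>.
# A small stack tracks nested IfDefine blocks so only the SSL ones count as guards.
unguarded_ssl_directives() {
    awk '
        tolower($1) == "<ifdefine" {
            depth++; inssl[depth] = (tolower($2) == "ssl>") ? 1 : 0; guarded += inssl[depth]
        }
        tolower($1) == "</ifdefine>" { guarded -= inssl[depth]; depth-- }
        tolower($1) ~ /^ssl/ && guarded == 0 { print NR ": " $1 }
    ' "$1"
}

# Constructed "httpd -l" listings: one from a build with mod_ssl, one without.
WITH_SSL='Compiled-in modules:
  http_core.c
  mod_so.c
  mod_ssl.c'
WITHOUT_SSL='Compiled-in modules:
  http_core.c
  mod_so.c'

# Constructed config: the global SSL settings are guarded, the vhost is not.
write_sample_httpd_conf() {
    cat > "$1" <<'EOF'
<IfDefine SSL>
Listen 443
SSLSessionCache dbm:logs/ssl_scache
SSLMutex file:logs/ssl_mutex
</IfDefine>
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
</VirtualHost>
EOF
}

f=${TMPDIR:-/tmp}/httpd-check.$$.conf
write_sample_httpd_conf "$f"
for listing in "$WITH_SSL" "$WITHOUT_SSL"; do
    if has_mod_ssl "$listing" "$f"; then
        echo "mod_ssl present"
    else
        echo "mod_ssl MISSING: every SSL* directive will be rejected at startup"
    fi
done
echo "SSL directives outside <IfDefine SSL>:"
unguarded_ssl_directives "$f"
rm -f "$f"
```

On a real server run `has_mod_ssl "$(/usr/local/apache/bin/httpd -l)" /usr/local/apache/conf/httpd.conf`; a missing `mod_ssl.c` means the 1.3.27 tree was built without applying the mod_ssl 2.8.12 patch (or without `--enable-module=ssl`), and the old binary should be put back until it is.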
hardwiring the semaphores directory, revisited
After looking at the source code, I realized that the problem I described in my previous post is related to the FAQ entry titled:

    Apache creates files in a directory declared by the internal EAPI_MM_CORE_PATH define. ...

The FAQ entry doesn't mention semaphores or the error message a badly-defined EAPI_MM_CORE_PATH can cause, so I missed it on my initial troubleshooting of this problem. I think it would be useful to add a couple of sentences to this entry, something like:

    If you don't have permissions to write to the directory pointed to by EAPI_MM_CORE_PATH, httpd may fail on startup with an error message similar to this:

        Ouch! ap_mm_create(1048576, /opt/apache/logs/httpd.mm.25669) failed
        Error: MM: mm:core: failed to open semaphore file (Permission denied): OS: No such file or directory

This could help people doing a textual search for the error message.

Does this make sense?

Thanks,
Hernan

--
Hernan Laffitte
Systems Administrator, HP Labs / Storage Systems Department
http://www.hpl.hp.com
[EMAIL PROTECTED]
tel (650)857-4937  fax (650)857-5548
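Because EAPI_MM_CORE_PATH is baked in at compile time, the directory it points to is easy to overlook until the semaphore error appears. The script below is an added example, not from the post or from mod_ssl: it reads the define back out of `httpd -V` output, resolves a relative path against the build's HTTPD_ROOT (a `ServerRoot` directive in the config overrides that root), and checks that the directory exists and is writable before httpd is started. The `httpd -V` output and the directories it checks are constructed; the `-D EAPI_MM_CORE_PATH=...` line is the form an EAPI-patched Apache 1.3 prints.

```shell
#!/bin/sh
# Added example, not code from the post: locate the directory in which an
# Apache 1.3 + mod_ssl (EAPI) build creates its shared-memory/semaphore file
# and check it is usable before startup.  The "httpd -V" text is constructed.

# Value of a "-D NAME=value" define in "httpd -V" output (quotes stripped).
# Usage: httpd_define "<output of httpd -V>" NAME
httpd_define() {
    printf '%s\n' "$1" | awk -v name="$2" '
        BEGIN { key = name "=" }
        {
            for (i = 1; i < NF; i++)
                if ($i == "-D" && index($(i+1), key) == 1) {
                    v = substr($(i+1), length(key) + 1); gsub(/"/, "", v); print v; exit
                }
        }'
}

# Directory that will hold the mm core file.  A relative path is taken relative
# to the server root, and mod_ssl appends ".<pid>" to the file name (the post
# shows httpd.mm.25669), so only the directory matters.
# Usage: mm_core_dir SERVER_ROOT CORE_PATH
mm_core_dir() {
    case $2 in
        /*) dirname "$2" ;;
        *)  dirname "$1/$2" ;;
    esac
}

# 0 when the directory exists and is writable by the user running this check
# (run it as the account that starts httpd), 1 otherwise.
mm_dir_ok() {
    d=$(mm_core_dir "$1" "$2")
    [ -d "$d" ] && [ -w "$d" ]
}

# Constructed "httpd -V" excerpt for an EAPI build.
SAMPLE_V='Server version: Apache/1.3.27 (Unix)
Server compiled with....
 -D EAPI
 -D EAPI_MM_CORE_PATH="logs/httpd.mm"
 -D HAVE_MMAP
 -D HTTPD_ROOT="/opt/apache"'

core=$(httpd_define "$SAMPLE_V" EAPI_MM_CORE_PATH)
root=$(httpd_define "$SAMPLE_V" HTTPD_ROOT)   # a ServerRoot directive would override this
echo "mm core path: $core (relative paths are under $root)"
if mm_dir_ok "$root" "$core"; then
    echo "$(mm_core_dir "$root" "$core") exists and is writable"
else
    echo "$(mm_core_dir "$root" "$core") is missing or not writable: expect 'failed to open semaphore file'"
fi
```

On a real host replace SAMPLE_V with `"$(/opt/apache/bin/httpd -V)"`. Note that `[ -w ]` always succeeds for root, so the check only tells you something when it is run as the unprivileged account that actually starts httpd, which is the situation the post describes.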