Re: Certificate config problem
Hi Jon!

Your problem lies in that you have name-based and not IP-based virtual hosts for the SSL ones! The FAQ at modssl explains better why. Change it to 2 IP-based and you're in the clear!

/ HTH Jimmy

At 10:16 2002-06-28 +0100, you wrote:
>Hi all,
>
>Apologies if this has been asked before - I'm very new to this list.
>
>I'm running Apache 1.3.26 with mod-ssl 2.8.9-1.3.26. There are many domains
>on the box in question (40ish) and 2 of them use SSL. For the sake of
>argument let's call them example.com and example2.com - these are both
>name-based virtual servers.
>
>I've created certificates for them using the ssl.ca package - I created my
>own root CA and then generated/signed certificates for both domains,
>providing the correct CN in each case.
>
>So we have example.com CA key signing server certificates for
>www.example.com and www.example2.com.
>
>Whenever I go to https://www.example.com/ - it works great. No problems
>whatsoever. However with https://www.example2.com/ it seems to be using the
>certificate for www.example.com - IE pops up the error saying that the name
>on the cert doesn't match the site name.
>
>The thing that is baffling me is that this *did* work at one point. I first
>set up SSL and got it working perfectly for both domains around about July
>last year - using whatever was the latest version at that point.
>
>The ssl_engine_log file shows the following for a request for a single HTML
>file on www.example2.com
>
>[28/Jun/2002 10:14:04 01309] [info] Connection to child 6 established
>(server www.example.com:443, client 217.135.39.70)
>[28/Jun/2002 10:14:04 01309] [info] Seeding PRNG with 23177 bytes of
>entropy
>[28/Jun/2002 10:14:04 01309] [info] Connection: Client IP: 217.135.39.70,
>Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
>[28/Jun/2002 10:14:04 01309] [info] Connection to child 6 closed with
>standard shutdown (server www.example.com:443, client 217.135.39.70)
>[28/Jun/2002 10:14:06 01310] [info] Connection to child 7 established
>(server www.example.com:443, client 217.135.39.70)
>[28/Jun/2002 10:14:06 01310] [info] Seeding PRNG with 23177 bytes of
>entropy
>[28/Jun/2002 10:14:07 01310] [info] Connection: Client IP: 217.135.39.70,
>Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
>[28/Jun/2002 10:14:07 01310] [info] Initial (No.1) HTTPS request received
>for child 7 (server www.example2.com:443)
>[28/Jun/2002 10:14:07 01310] [info] Connection to child 7 closed with
>unclean shutdown (server www.example2.com:443, client 217.135.39.70)
>
>The useful parts of my httpd.conf are in the attached file.
>
>If anyone could help with this I'd be extremely grateful.
>
>Cheers,
>Jon.

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
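Added example, not part of the original thread or of mod_ssl: a small Python check that reads ssl_engine_log and flags connections where the SSL handshake was logged under one virtual host but the HTTPS request was then served by another, the pattern visible for child 7 in the log quoted above. The function name and output fields are assumptions; the sample is the thread's own excerpt with the e-mail line wrapping rejoined.

```python
import re

# ssl_engine_log excerpt from the thread, with the e-mail line wrapping rejoined.
SAMPLE_LOG = """\
[28/Jun/2002 10:14:04 01309] [info] Connection to child 6 established (server www.example.com:443, client 217.135.39.70)
[28/Jun/2002 10:14:04 01309] [info] Connection to child 6 closed with standard shutdown (server www.example.com:443, client 217.135.39.70)
[28/Jun/2002 10:14:06 01310] [info] Connection to child 7 established (server www.example.com:443, client 217.135.39.70)
[28/Jun/2002 10:14:07 01310] [info] Connection: Client IP: 217.135.39.70, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[28/Jun/2002 10:14:07 01310] [info] Initial (No.1) HTTPS request received for child 7 (server www.example2.com:443)
[28/Jun/2002 10:14:07 01310] [info] Connection to child 7 closed with unclean shutdown (server www.example2.com:443, client 217.135.39.70)
"""

PREFIX = re.compile(r"^\[(?P<ts>\S+ \S+) (?P<pid>\d+)\] \[\w+\]\s+(?P<msg>.*)$")
ESTABLISHED = re.compile(r"Connection to child (\d+) established \(server ([^,]+), client ([^)]+)\)")
REQUEST = re.compile(r"HTTPS request received for child (\d+) \(server ([^)]+)\)")
CLOSED = re.compile(r"Connection to child (\d+) closed")


def find_vhost_mismatches(log_text):
    """Return one finding per request served by a different vhost than the handshake."""
    open_conns = {}  # (pid, child) -> (server logged at connect time, client)
    findings = []
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        pid, msg = m.group("pid"), m.group("msg")
        if (e := ESTABLISHED.search(msg)):
            open_conns[(pid, e.group(1))] = (e.group(2), e.group(3))
        elif (r := REQUEST.search(msg)):
            conn = open_conns.get((pid, r.group(1)))
            # The handshake (and certificate) ran under the vhost chosen at
            # connect time; the request vhost comes later, from the Host header.
            if conn and conn[0] != r.group(2):
                findings.append({"time": m.group("ts"), "client": conn[1],
                                 "handshake_server": conn[0],
                                 "request_server": r.group(2)})
        elif (c := CLOSED.search(msg)):
            open_conns.pop((pid, c.group(1)), None)
    return findings


if __name__ == "__main__":
    for f in find_vhost_mismatches(SAMPLE_LOG):
        print("{time} {client}: handshake as {handshake_server}, "
              "request for {request_server}".format(**f))
```

Every finding is a request whose certificate was presented for a different name than the one the browser asked for, which is what produces the name-mismatch warning described in the thread.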
Certificate config problem
Hi all,

Apologies if this has been asked before - I'm very new to this list.

I'm running Apache 1.3.26 with mod-ssl 2.8.9-1.3.26. There are many domains on the box in question (40ish) and 2 of them use SSL. For the sake of argument let's call them example.com and example2.com - these are both name-based virtual servers.

I've created certificates for them using the ssl.ca package - I created my own root CA and then generated/signed certificates for both domains, providing the correct CN in each case.

So we have example.com CA key signing server certificates for www.example.com and www.example2.com.

Whenever I go to https://www.example.com/ - it works great. No problems whatsoever. However with https://www.example2.com/ it seems to be using the certificate for www.example.com - IE pops up the error saying that the name on the cert doesn't match the site name.

The thing that is baffling me is that this *did* work at one point. I first set up SSL and got it working perfectly for both domains around about July last year - using whatever was the latest version at that point.

The ssl_engine_log file shows the following for a request for a single HTML file on www.example2.com

[28/Jun/2002 10:14:04 01309] [info] Connection to child 6 established (server www.example.com:443, client 217.135.39.70)
[28/Jun/2002 10:14:04 01309] [info] Seeding PRNG with 23177 bytes of entropy
[28/Jun/2002 10:14:04 01309] [info] Connection: Client IP: 217.135.39.70, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[28/Jun/2002 10:14:04 01309] [info] Connection to child 6 closed with standard shutdown (server www.example.com:443, client 217.135.39.70)
[28/Jun/2002 10:14:06 01310] [info] Connection to child 7 established (server www.example.com:443, client 217.135.39.70)
[28/Jun/2002 10:14:06 01310] [info] Seeding PRNG with 23177 bytes of entropy
[28/Jun/2002 10:14:07 01310] [info] Connection: Client IP: 217.135.39.70, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[28/Jun/2002 10:14:07 01310] [info] Initial (No.1) HTTPS request received for child 7 (server www.example2.com:443)
[28/Jun/2002 10:14:07 01310] [info] Connection to child 7 closed with unclean shutdown (server www.example2.com:443, client 217.135.39.70)

The useful parts of my httpd.conf are in the attached file.

If anyone could help with this I'd be extremely grateful.

Cheers,
Jon.
Port 80
User nobody
Group nobody
ServerAdmin [EMAIL PROTECTED]
ServerName www.example.com
DocumentRoot "/home/httpd/html"

## SSL Global Stuff
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

Listen x.x.x.x:80
Listen x.x.x.x:443
Listen x.x.x.y:80

SSLPassPhraseDialog builtin
#SSLSessionCache none
#SSLSessionCache shmht:logs/ssl_scache(512000)
#SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
SSLLog logs/ssl_engine_log
SSLLogLevel info

### Section 3: Virtual Hosts
NameVirtualHost x.x.x.x:80
NameVirtualHost x.x.x.x:443

#
#
DocumentRoot /home/httpd/html
ServerName www.example.com
...

DocumentRoot /home/httpd/html
ServerName www.example.com
...
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/www.example.com.crt
SSLCertificateKeyFile /etc/httpd/conf/www.example.com.key
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

DocumentRoot /home/jon/domains/example2.com
ServerName www.example2.com
ServerAdmin [EMAIL PROTECTED]
...

DocumentRoot /home/jon/domains/example2.com
ServerName www.example2.com
ServerAdmin [EMAIL PROTECTED]
...
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/www.example2.com.crt
SSLCertificateKeyFile /etc/httpd/conf/www.example2.com.key
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0