On Wed, Dec 11, 2002 at 03:04:54PM +0100, Boyle Owen wrote: > I don't really understand what can be wrong - your config looks OK and > if the logs and docroots are accurate, I don't see how it can be going > into the wrong VH. Therefore, you must be mistaken about the certificate > files.
Thanks again. I have checked again, and am positive that the certificate and key files are correct. > Are you sure you don't have symlinks or something funny which could > allow one server to see the other's certs in place of its own? Nope. If i comment one of the VirtualHosts out of the config file, the correct cert will be used. For example, if i leave both VH directives in, the cert for the first declared VH will be used. If i comment out the first VH, the cert in the second VH will be used properly. > When you say "gets the wrong cert" do you mean that you get a browser > warning "cert does not match FQDN"? Mainly i was talking about the server logs. In the server log, there will be a message stating that the "ServerName" does not match the CN from the certificate. This isn't a problem that should affect the operation of the server. I was only stating it because the log message lists the CN in the certificate, and i was using that information as proof that the wrong certificate was being used. Perhaps this is a problem with my installation of Apache or mod_ssl. I am running RH73 and have re-compiled Apache 2.0.43 and mod_ssl from SRPMS. Perhaps i'll just go back to using the standard distribution of apache 1.3.x. As an aside, I thought using 2.0.x would be a "good thing"(tm) for the latest and greatest features, however I haven't seen much from the external side (meaning i haven't looked through the code at all) that's different. Can anyone tell me why i should try to stick with 2.0.x instead of going back to 1.3.x? Especially when i'll be doing a fair amount of SSL traffic? Thanks again. ...alex... > > rgds, > > Owen Boyle > > >-----Original Message----- > >From: Alex Tang [mailto:[EMAIL PROTECTED]] > >Sent: Dienstag, 10. Dezember 2002 09:57 > >To: [EMAIL PROTECTED] > >Cc: [EMAIL PROTECTED] > >Subject: Re: Problem with IP/Port Based (NOT Name Based) virtual hosts. > > > > > >Hi there. Thanks for the help. I have some followup comments > >inline... > > > > > >On Tue, Dec 10, 2002 at 09:04:35AM +0100, Boyle Owen wrote: > >> You must be the first guy to figure this out from the docs! Well done > >> :-) > > > >Ha. Thanks. :) > > > >> >However, I'm trying to setup my server (apache 2.0.43, OpenSSL > >> >0.9.7-beta5, RH Linux 7.3) to do IP or Port based virtual hosts. > >> > > >> >It seems that the server will only ever use the first cert > >declared. > >> > > >> >I have the following in my httpd.conf (well, technically a > >> >file included by httpd.conf) > >> > > >> >SSLSessionCache dbm:/var/cache/mod_ssl/scache > >> >SSLSessionCacheTimeout 300 > >> >SSLMutex file:logs/ssl_mutex > >> >SSLRandomSeed startup builtin > >> >SSLRandomSeed connect builtin > >> > > >> ><VirtualHost 192.168.7.31:443> > >> > ServerName A.funkware.com > >> > ServerAdmin [EMAIL PROTECTED] > >> > ErrorLog logs/A/error_log > >> > CustomLog logs/A/access_log combined > >> > > >> > SSLEngine on > >> > SSLCertificateFile /usr/local/etc/A.Cert > >> > SSLCertificateKeyFile /usr/local/etc/A.key > >> > > >> > DocumentRoot /webdocs/A > >> > > >> > # other sundry virtual host directory stuff here. > >> ></VirtualHost> > >> > >> Looks OK... > >> > >> > > >> ><VirtualHost 192.168.7.33:443> > >> > AddType application/x-x509-ca-cert .crt > >> > AddType application/x-pkcs7-crl .crl > >> > > >> > > >> > ServerName B.funkware.com > >> > ServerAdmin [EMAIL PROTECTED] > >> > ErrorLog logs/B/error_log2 > >> > CustomLog logs/B/access_log2 combined > >> > > >> > SSLEngine on > >> > SSLCertificateFile /etc/httpd/conf/httpd-cert-3443.cert > >> > SSLCertificateKeyFile /etc/httpd/conf/httpd-cert-3443.key > >> > > >> > DocumentRoot > >> >"/local/private/OpenCA/httpd/htdocs/pub" > >> > > >> > # other sundry virtual host directory stuff here. > >> > > >> ></VirtualHost> > >> > >> Looks OK too... > > >> > >> >Like i said, when i startup the server, the first cert > >(A.Cert) is used > >> >for both virtual hosts. Does this seutp look correct? Is > >> >there something > >> >I missed? > >> > > >> >Here are a couple more tidbits of info that i've learned...I > >> >don't know if > >> >any of it is useful though... > >> > > >> > * All the certs and keys are valid. I've verified it > >using OpenSSL. > >> > * When I get the root page for both virtual hosts, i get > >the proper > >> > page for each server. > >> > >> What exactly do you mean here... Do you mean that: > >> > >> https://A.funkware.com/ -> /webdocs/A > >> https://B.funkware.com/ -> /local/private/OpenCA/httpd/htdocs/pub > >> > >> or do you mean via HTTP? > > > >Sorry about that. I should have been more clear. Your assumption was > >correct: > > > > https://A.funkware.com/ -> /webdocs/A > > https://B.funkware.com/ -> /local/private/OpenCA/httpd/htdocs/pub > > > >This part of the VirtualHost information is being properly > >read and used. > > > > > >> > * If i change the second "SSLCertificateFile" to a bogus file or > >> > something that doesn't exist, the server will not startup (as > >> > expected). However, the second cert is still not used. > >> > >> As you say, this is normal - missing files or directories > >cause apache > >> to abort during startup, long before any network setup is done. > > > >Sure. I understand. > > > >> > * If i change the order (putting the VirtualHost > >declaration for .33 > >> > before .31), the behavior is consistant: the > >> >httpd-cert-3443.cert is > >> > used for both servers. > >> > >> I suspect a DNS or routing problem... I notice you have real ".com" > >> domain names which implies these sites are available on the internet. > >> However, the IP addresses are on the 192.168.0.0 private > >network. This > >> implies that you have a firewall and/or router with network address > >> translation between the webserver and the web. Are you sure > >that, after > >> NAT, A.funkware.com resolves to 192.168.7.31 and that B.funkware.com > >> resolves to 192.168.7.33? > >> > >> I suspect that both FQDNs are resolving to the same internal IP > >> address... > > > >You are correct again that I am working behind a firewall using the > >192.168.7/24 network. Unfortunately, I know that the FQDNs > >are correct (i > >run the DNS). > > > >For my testing, I am working completely behind the wall, I am > >running the > >client on a machine at 192.168.7.20, and my netmask on all machines is > >255.255.255.0, hence all machines are on the same subnet. > >There is no NAT > >being done on my side of the firewall. > > > >Also, i get the same results if i connect using the IP Address > >instead of > >the hostname. > > > >Here are some more things that I've discovered... > > > > * The two virtual hosts have their respective error logs going to: > > A -> logs/A/error_log > > B -> logs/b/error_log2 > > > > It just so happens that the DNs for both certificates are not the > > "correct" DNs for the servers: > > > > A -> CN=*.funkware.com, O=Funkware, c=US > > B -> CN=newx.funkware.com, O=Funkware, c=US > > > > I know that either of these certs will work properly when > >used solo. > > > > The thing about the improper CN in the DN is that when the server > > starts up, the error log will complain that the DN in the cert is > > improper. For exmaple, in logs/A/error_log when the "A" > >cert is used, > > i see: > > > > [Mon Dec 09 23:04:32 2002] [warn] RSA server certificate > > CommonName (CN) `*.funkware.com' does NOT match server name!? > > > > The thing i noticed is that BOTH of the error logs for the two > > respective servers complain about the same name. (The CN > >in the error > > message for both servers will be the same (either *.funkware.com if > > the "A" Cert is used, or "newx.funkware.com" if the "B" > >cert is used). > > > > * If i use the openssl s_client to connect to the respective machines > > (either using DNS or using the IP address), the cert is always the > > same. > > > >Thanks again. > > > >If there's any more information I can provide, please let me know. > > > >...alex... > >______________________________________________________________________ > >Apache Interface to OpenSSL (mod_ssl) www.modssl.org > >User Support Mailing List [EMAIL PROTECTED] > >Automated List Manager [EMAIL PROTECTED] > > > > This message is for the named person's use only. It may contain > confidential, proprietary or legally privileged information. No > confidentiality or privilege is waived or lost by any mistransmission. > If you receive this message in error, please notify the sender urgently > and then immediately delete the message and any copies of it from your > system. Please also immediately destroy any hardcopies of the message. > You must not, directly or indirectly, use, disclose, distribute, print, > or copy any part of this message if you are not the intended recipient. > The sender's company reserves the right to monitor all e-mail > communications through their networks. Any views expressed in this > message are those of the individual sender, except where the message > states otherwise and the sender is authorised to state them to be the > views of the sender's company. > ______________________________________________________________________ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
