Re: problem installing cert on virtual host

[Dan McComb]

Thanks Beau and Jeff for your help in resolving this.

I was able to get it working very quickly by assigning the second  
virtual host to listen on another port number.

Best,

/dan

On Friday, March 14, 2003, at 11:12  PM, Jeff wrote:

Actually, the answer is RTFM..

You can not have multiple SSL vhosts responding to one IP/port
combination..  The FIRST SSL vhost will ALWAYS respond when making the
connection.. This is due to how the protocol works..
Refer  
http://marc.theaimsgroup.com/?l=apache-modssl&m=98576871506980&w=2
for more info

Rgds
Jeff
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 15, 2003 4:47 PM
Subject: Re: problem installing cert on virtual host

On 14 Mar 2003 at 17:14, Dan McComb wrote:

Thanks Beau,

Here's the pertinent bits (this file may look a bit strange -- it's a
Mac OS X Server conf file, but functions in almost every way like
traditional http.conf file):
[...]
On Friday, March 14, 2003, at 04:58  PM, [EMAIL PROTECTED] wrote:

On 14 Mar 2003 at 16:20, Dan McComb wrote:

I've successfully installed one virtual host on my server to listen
on
port 443, and it's been running great. But when I added another
virtual
host directive to listen on same port further down in the file, I
find
that the first listener is the one that "picks up" the request.  
This
results in an error in IE: "the identity certificate name is not
correct." If I comment out the first virtual host, the problem
disappears and the second one works fine. I need them to work
together...

Anyone know how can I configure my virtual hosts/httpd.conf to  
avoid
this problem?

/dan mccomb

--------------------------------------------------------------------- 
-
--
------------
[...]
Hi -

I see nothing wrong with your conf file. I have some
suggestions:
* since your SSL servers work one at a time, perhaps
this is not an SSL problem. Remember, the first
vhost is the 'default': any request that does
not match a name (within that ip:port group)
is sent to that first server. Why don't you comment
out the SSL directives, change the ports to 80,
and see if you can browse to each vhost?
* in the same vein, is you bind (dns) server setup
OK?
* you may want to look at each server cert:

openssl rsa -noout -text -in <whetever>.crt

the subject CN should match the server name.

* if you certs are self-signed, your browser
will give you an error - that the CA is not
recognized as trusted - but everything else
should be OK if your CN matches the server
name.
Let me know how it goes...

Aloha => Beau;

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

------------------------------------------------------------------------ 
------------

Visual Contact
311 First Ave. S, Suite 200
Seattle, WA 98104
206.223.0417 Office
206.718.5361 Cell
[EMAIL PROTECTED]
http://www.visualcontact.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]