>>-----Original Message-----
>>From: Tom Bartling [mailto:[EMAIL PROTECTED]
>>
>If you'd care to post your config or send it directly, I'll
>have a look and see if there's anything wrong with it.
There are several minor problems with your config which, taken together, may be adding
up to the confusing behaviour you are seeing. If you work through the following it may
improve matters:
General Strategy:
- Since your server has two IP addresses, use default IP addressing (i.e. listen to
all active IPs).
- Since you need VirtualHosting, use this throughout (i.e. lose the idea of a "main
server").
- Aim for multiple name-based VHs on port 80 and one single SSL VH on port 443.
Details:
1) Don't use "Port" and "Listen". These two directives are very similar and "Listen"
is preferred ("Port" is deprecated): Remove all "Port" directives.
2) Don't use domain names in Listens or VHs since this makes your config dependent on
DNS. Use default:
Listen secure.mintecommerce.com:443 -> Listen 443
<VirtualHost secure.mintecommerce.com:443> -> <VirtualHost *:443>
(NB - the only thing which should define the SSL VH is the port number).
3) Move "main server" into first VH container. At the moment, this has only a
ServerName - this is odd and I've no idea what apache would do in this case (I guess
you expect it to default to the "main server" - I wouldn't count on it). You can
achieve this simply by moving the "main" DocumentRoot into this VH:
<VirtualHost *>
ServerName www.mintecommerce.com
DocumentRoot "/usr/local/www/data"
</VirtualHost>
the other directives can remain outside where they will apply globally as appropriate.
4) To complete the encapsulation of HTTP and HTTPS, add port 80 to all HTTP VHs:
<VirtualHost *> -> <VirtualHost *:80>
(already done this for the SSL VH in (2) above).
Now try a restart without SSL and check the name-based VHs all work, including the
"main" server. If that's OK, restart with SSL and test https://www.mintecommerce.com/.
Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.
>>
>>
>>
>>----- Original Message -----
>>From: "Boyle Owen" <[EMAIL PROTECTED]>
>>To: <[EMAIL PROTECTED]>
>>Sent: Wednesday, May 28, 2003 3:31 AM
>>Subject: RE: unknown protocol
>>
>>
>>Plain text please...
>>
>>It looks like you are not succeeding in starting an SSL VH.
>>
>>Looking at your config, there is no obvious error, although I
>>don't know
>>why you put the "Listen 80" inside the IfDefine - this would mean that
>>even plain HTTP wouldn't work unless you started with SSL.
>>
>>Just to be clear how it works, "apachectl startssl" causes the apache
>>control script to execute "httpd -DSSL". This starts apache with the
>>environment variable SSL defined. So when apache finds an
>><IfDefine SSL>
>>container, it evaluates the condition as "true" and so reads the
>>directives inside. This is the canonical way of selecting SSL.
>>
>>Of course, you don't need to bother with all of this. If you
>>put the SSL
>>VH outside the <IfDefine SSL> block (or just remove the <IfDefine SSL>
>>tags) then the SSL VH and its directives will fire up in a normal
>>"apachectl start".
>>
>>You might try this - just make sure you have a single VH on
>>port 443 and
>>a Listen 443 and it should startup. Be careful you don't have a plain
>>HTTP VH on port 443 - it could supersede the SSL VH. To test, what
>>happens if you make a plain HTTP request to port 443 (it shouldn't
>>work!)
>>
>>About the PHP warning - when you recompiled apache to include mod_ssl,
>>it patched the apache API to extend it to allow hooks into the OpenSSL
>>library (EAPI = Extended API). Since the PHP module was
>compiled before
>>this, it is expecting the standard API. Probably it will continue to
>>work since the EAPI is a superset of the API but you never
>>know if there
>>will be a conflict in some call somewhere (you'll get a seg fault if
>>there is). The safest thing to do is to recompile mod_php against the
>>new API.
>>
>>Rgds,
>>Owen Boyle
>>Disclaimer: Any disclaimer attached to this message may be ignored.
>>
>>
>>
>>-----Original Message-----
>>From: Tom Bartling [mailto:[EMAIL PROTECTED]
>>Sent: Mittwoch, 28. Mai 2003 07:51
>>To: [EMAIL PROTECTED]
>>Subject: unknown protocol
>>
>>
>>Hi,
>>
>>I am new to the list and relatively new to administering SSL,
>so please
>>forgive me if this is not the right place to ask this question.
>>
>>I am having trouble getting SSL to work. I'm on FreeBSD 4.5
>Stable with
>>apache+mod_ssl-1.3.27+2.8.14 and openssl-0.9.7a_2.
>>
>>Everything seems to have installed okay and I can run
>>apachectl startssl
>>without any problems, but I can't get SSL to actually work. When I try
>>to go the url via https, it immediately displays the dreaded
>"this page
>>cannot be displayed" message. When I run apachectl
>configtest, it spits
>>out the following:
>>
>>apachectl configtest
>>[Tue May 27 23:20:56 2003] [warn] Loaded DSO libexec/apache/libphp4.so
>>uses plain Apache 1.3 API, this module might crash under EAPI! (please
>>recompile it with -DEAPI)
>>Syntax OK
>>
>>PHP works without any problems, so I'm not concerned about that at the
>>moment. The manual says to try:
>>
>>openssl s_client -connect localhost:443 -state -debug
>>
>>As an alternative, it suggests:
>>
>>curl https://localhost/
>>
>>Both display an error message:
>>
>>SSL: error:140770FC:SSL
>>routines:SSL23_GET_SERVER_HELLO:unknown protocol
>>
>>So, I'm thinkin' that the problem is in the httpd.conf file. A few
>>things that are in there of importance (excluding comments and all of
>>the other stuff) include:
>>
>>Port 80
>>
>><IfDefine SSL>
>>Listen 80
>>Listen 443
>></IfDefine>
>>
>><IfDefine SSL>
>>#<VirtualHost www.mintecommerce.com:443>
>>#<VirtualHost secure.mintecommerce.com:443>
>>#<VirtualHost mintecommerce.com:443>
>>#<VirtualHost *:443>
>><VirtualHost _default_:443>
>>
>>DocumentRoot "/usr/local/www/data"
>>ServerName www.mintecommerce.com
>>ServerAdmin [EMAIL PROTECTED]
>>ErrorLog /var/log/httpd-error.log
>>TransferLog /var/log/httpd-access.log
>>
>>SSLEngine on
>>SSLCipherSuite
>>ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>>SSLCertificateFile /usr/local/etc/apache/ssl.crt/server.crt
>>SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server.key
>>SSLCACertificatePath /usr/local/etc/apache/ssl.crt
>>SSLCARevocationPath /usr/local/etc/apache/ssl.crl
>>SSLVerifyClient require
>></VirtualHost>
>></IfDefine>
>>
>>You can see where I tried different versions of the VirtualHost tag (I
>>did change the ServerName value for each variation). This is a server
>>that hosts several sites, but they all use the same IP, so all of the
>>VirtualHost tags are
>>
>><VirtualHost *>
>>...
>></VirtualHost>
>>
>>This seems to get the job done for the few sites on this one computer,
>>but now I need SSL. I'm at a loss and any help would be appreciated.
>>
>>TIA,
>>
>>Tom
>>Diese E-mail ist eine private und persönliche Kommunikation. Sie hat
>>keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Swiss
>>Exchange.
>>This e-mail is of a private and personal nature. It is not related to
>>the exchange or business activities of the SWX Swiss Exchange. Le
>>présent e-mail est un message privé et personnel, sans rapport avec
>>l'activité boursière de la SWX Swiss Exchange
>>
>>This message is for the named person's use only. It may contain
>>confidential, proprietary or legally privileged information. No
>>confidentiality or privilege is waived or lost by any mistransmission.
>>If you receive this message in error, please notify the
>sender urgently
>>and then immediately delete the message and any copies of it from your
>>system. Please also immediately destroy any hardcopies of the message.
>>You must not, directly or indirectly, use, disclose,
>distribute, print,
>>or copy any part of this message if you are not the intended
>recipient.
>>The sender's company reserves the right to monitor all e-mail
>>communications through their networks. Any views expressed in this
>>message are those of the individual sender, except where the message
>>states otherwise and the sender is authorised to state them to be the
>>views of the sender's company.
>>
>>
>>______________________________________________________________________
>>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>>User Support Mailing List [EMAIL PROTECTED]
>>Automated List Manager [EMAIL PROTECTED]
>>
>>______________________________________________________________________
>>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>>User Support Mailing List [EMAIL PROTECTED]
>>Automated List Manager [EMAIL PROTECTED]
>>
>Diese E-mail ist eine private und persönliche Kommunikation.
>Sie hat keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der
>SWX Swiss Exchange. This e-mail is of a private and personal
>nature. It is not related to the exchange or business
>activities of the SWX Swiss Exchange. Le présent e-mail est un
>message privé et personnel, sans rapport avec l'activité
>boursière de la SWX Swiss Exchange
>
>
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
>
Diese E-mail ist eine private und persönliche Kommunikation. Sie hat keinen Bezug zur
Börsen- bzw. Geschäftstätigkeit der SWX Swiss Exchange. This e-mail is of a private
and personal nature. It is not related to the exchange or business activities of the
SWX Swiss Exchange. Le présent e-mail est un message privé et personnel, sans rapport
avec l'activité boursière de la SWX Swiss Exchange.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
