Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.8e DAV/2 PHP/5.2.3
Not sure if this belongs here or in another mailing list (apache). I'd
like to know how I can set up subdomains with a wildcard certificate.
1)
Originally I had a couple of websites with ssl (https), each site with
its own ip-address and its own certificate. In an attempt to save on
IP-addresses, I thought that subdomains and a wildcard certificate would
allow me to use one ip-address (and therefore name-based virtual
hosting).
Is this the correct assumption? If it's correct, please read on. If this
is not correct, what to do to get it working?
2)
I've created a self-signed wildcard certificate. When I (re)start
apache, the following warnings occur:
[Wed Nov 14 07:34:33 2007] [warn] RSA server certificate CommonName (CN) `*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:33 2007] [warn] RSA server certificate CommonName (CN) `*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:33 2007] [warn] Init: SSL server IP/port conflict: cc.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:52) vs. tac.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:79)
[Wed Nov 14 07:34:33 2007] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
[Wed Nov 14 07:34:33 2007] [notice] Digest: generating secret for digest authentication ...
[Wed Nov 14 07:34:33 2007] [notice] Digest: done
[Wed Nov 14 07:34:34 2007] [warn] RSA server certificate CommonName (CN) `*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:34 2007] [warn] RSA server certificate CommonName (CN) `*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:34 2007] [warn] Init: SSL server IP/port conflict: cc.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:52) vs. tac.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:79)
How do I get rid of the first 2 warnings (and the repeats later on for
different subdomains)? Something I did wrong while creating the
certificate?
I do understand the cause of the third warning (and its repeats). This
would imply that wildcard certificates and subdomains using name-based
virtual hosting are not possible. Any way that I can work around this?
This is (part of) my /etc/httpd/extra-httpd-ssl.conf
NameVirtualHost *:443
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/run/httpd/ssl_scache(512000)
SSLSessionCacheTimeout 300
# no space between colon and first /
SSLMutex file:/var/run/httpd/ssl_mutex

# command centre
#<VirtualHost _default_:443>
<VirtualHost *:443>
    DocumentRoot "/home/cc/www/ils/web"
    ServerName cc.lbtd-techweb01
    #ServerAlias cc.lbtd-techweb01
    ServerAdmin [EMAIL PROTECTED]
    ErrorLog /var/log/httpd/error_log
    TransferLog /var/log/httpd/access_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/httpd/certificates/lbtd-techweb01.crt
    SSLCertificateKeyFile /etc/httpd/certificates/lbtd-techweb01.key
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    <Directory "/home/cc/www/ils/web">
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
Wim Sturkenboom
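
Added example (not part of the original message and not mod_ssl's own code): a Python check that tests each ServerName against the certificate name under the leftmost-label wildcard rule and lists the address:port pairs shared by more than one SSL vhost. The function names and the third vhost name in the sample are constructed for illustration; only ServerName is read, and clients may apply stricter wildcard rules than this one.

```python
import re
from collections import defaultdict

def wildcard_match(pattern, hostname):
    """'*' counts only as the whole leftmost label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 1 and p[1:] == h[1:]
    return p == h

VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>\s]+)\s*>", re.I)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.I)

def parse_vhosts(conf_text):
    """Return [(address, server_name)] for each uncommented <VirtualHost> block."""
    vhosts, addr = [], None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are ignored
        vh, sn = VHOST_RE.match(line), NAME_RE.match(line)
        if vh:
            addr = vh.group(1)
        elif sn and addr is not None:
            vhosts.append((addr, sn.group(1)))
            addr = None
    return vhosts

def audit(conf_text, cert_name):
    """Return (names the certificate does not cover, address:port pairs with >1 vhost)."""
    by_addr = defaultdict(list)
    for addr, name in parse_vhosts(conf_text):
        by_addr[addr].append(name)
    uncovered = [n for names in by_addr.values() for n in names
                 if not wildcard_match(cert_name, n)]
    shared = {a: names for a, names in by_addr.items() if len(names) > 1}
    return uncovered, shared

# Constructed sample: the two vhost names from the warnings in the message,
# plus one hypothetical two-level name that a single '*' label cannot cover.
SAMPLE_CONF = "\n".join(
    ["NameVirtualHost *:443", "#<VirtualHost _default_:443>"]
    + [f"<VirtualHost *:443>\nServerName {n}\n</VirtualHost>"
       for n in ("cc.lbtd-techweb01", "tac.lbtd-techweb01", "a.b.lbtd-techweb01")])

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, "*.lbtd-techweb01"))
```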
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]