Re: certificate weirdness

2005-07-27 Thread Matt Stevenson
Hello Vlad,

You are trying to use NameVirtualHost for ssl which
will not work. Basically which cert does it use? The
ssl connection needs to be set up before the site name
(hence virtual host and cert) can be established by
apache.

You'll need two IPs, or use different ports (yuck).

Regards
Matt
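Matt's two-IP fix written out as an added example (not from the original thread): each certificate gets its own listening address, so mod_ssl can choose the certificate from the socket the connection arrived on rather than from a server name it does not yet know. The 192.0.2.x addresses are placeholders; the certificate and key paths are the ones from Vlad's config, and DNS for each name is assumed to point at the matching address.

```apache
# Added example: IP-based SSL virtual hosts, one address per certificate.
# 192.0.2.10 / 192.0.2.11 are placeholder addresses (RFC 5737 test range);
# mail.mydomain.org must resolve to .10 and calendar.mydomain.org to .11.
Listen 80
Listen 192.0.2.10:443
Listen 192.0.2.11:443

# Name-based dispatch is only used on port 80. There is deliberately no
# "NameVirtualHost *:443": the TLS handshake (and thus the certificate)
# is complete before Apache sees the Host header, so on 443 the address
# the client connected to has to select the certificate.
NameVirtualHost *:80

<VirtualHost 192.0.2.10:443>
    ServerName   mail.mydomain.org
    DocumentRoot /var/www/virthosts/mail
    SSLEngine on
    SSLCertificateFile    /etc/ssl/webmail.crt
    SSLCertificateKeyFile /etc/ssl/private/webmail.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName   calendar.mydomain.org
    DocumentRoot /var/www/virthosts/calendar
    SSLEngine on
    SSLCertificateFile    /etc/ssl/calendar.crt
    SSLCertificateKeyFile /etc/ssl/private/calendar.key
</VirtualHost>

# Matt's "different ports" alternative uses one address and distinct
# ports instead, e.g. "Listen 8443" plus "<VirtualHost *:8443>" for the
# second certificate; the selection rule is the same (socket, not name).
#
# Verification from a client, one address at a time: the subject printed
# must match the name that resolves to that address.
#   openssl s_client -connect 192.0.2.11:443 </dev/null 2>/dev/null \
#     | openssl x509 -noout -subject
```

Apache 2.2.12 and later, built against an OpenSSL with TLS Server Name Indication support, can select the certificate from the name the client sends in the handshake, so on such a build the name-based `*:443` form in Vlad's config does work for SNI-capable clients.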

--- Vlad Ciubotariu [EMAIL PROTECTED] wrote:

> I'm doing something wrong in my config file.  For some reason, when
> pointed to https://calendar.mydomain.ca the browser tells me the
> security certificate belongs to mail.mydomain.ca even though the two
> domains have been configured with different certificates.
>
> Could anyone shed some light, please? Thanks in advance.

Re: certificate weirdness

2005-07-27 Thread Vlad Ciubotariu
I've finally got it to work.  I possibly see why it didn't work in the first
place.

Mod_ssl handles encryption before httpd even sees the URL. Thus I can't set
certificates in directory or name-based virtual containers.

Thanks!



On Wed, Jul 27, 2005 at 06:49:12AM -0700, Matt Stevenson wrote:
> Hello Vlad,
>
> You are trying to use NameVirtualHost for ssl which
> will not work. Basically which cert does it use? The
> ssl connection needs to be set up before the site name
> (hence virtual host and cert) can be established by
> apache.
>
> You'll need two IPs, or use different ports (yuck).
>
> Regards
> Matt
>
> --- Vlad Ciubotariu [EMAIL PROTECTED] wrote:
>
> > I'm doing something wrong in my config file.  For some reason, when
> > pointed to https://calendar.mydomain.ca the browser tells me the
> > security certificate belongs to mail.mydomain.ca even though the two
> > domains have been configured with different certificates.
> >
> > Could anyone shed some light, please? Thanks in advance.

certificate weirdness

2005-07-26 Thread Vlad Ciubotariu
I'm doing something wrong in my config file.  For some reason, when
pointed to https://calendar.mydomain.ca the browser tells me the
security certificate belongs to mail.mydomain.ca even though the two
domains have been configured with different certificates.

Could anyone shed some light, please? Thanks in advance.

##
##  SSL Support
##
##  When we also provide SSL we have to listen to the
##  standard HTTP port (see above) and to the HTTPS port
##
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

...

NameVirtualHost *:80
NameVirtualHost *:443

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.

<VirtualHost *>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www/virthosts/mail
ServerName mail.mydomain.org
Redirect / https://mail.mydomain.org/
</VirtualHost>

<VirtualHost *>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www/virthosts/calendar
ServerName calendar.mydomain.org
Redirect / https://calendar.mydomain.org/
</VirtualHost>


##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfDefine>

<IfModule mod_ssl.c>

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First either `none'
#   or `dbm:/path/to/file' for the mechanism to use and
#   second the expiring timeout (in seconds).
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
SSLMutex  sem

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the
#   SSL library. The seed data should be of good random quality.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512
SSLRandomSeed startup file:/dev/arandom  512

#   Logging:
#   The home of the dedicated SSL protocol logfile. Errors are
#   additionally duplicated in the general error log file.  Put
#   this somewhere where it cannot be used for symlink attacks on
#   a real server (i.e. somewhere where only root can write).
#   Log levels are (ascending order: higher ones include lower ones):
#   none, error, warn, info, trace, debug.
SSLLog  logs/ssl_engine_log
SSLLogLevel info

</IfModule>

<IfDefine SSL>

##
## SSL Virtual Host Context
##

<VirtualHost *:443>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www/virthosts/mail
ServerName mail.mydomain.org
SSLEngine on
SSLCertificateFile /etc/ssl/webmail.crt
SSLCertificateKeyFile /etc/ssl/private/webmail.key
<Location />
  SSLRequireSSL
</Location>
</VirtualHost>

<VirtualHost *:443>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www/virthosts/calendar
ServerName calendar.mydomain.org
SSLEngine on
SSLCertificateFile /etc/ssl/calendar.crt
SSLCertificateKeyFile /etc/ssl/private/calendar.key
<Location />
  SSLRequireSSL
</Location>
<Directory /var/www/virthosts/calendar>
Order allow,deny
Allow from all
</Directory>
<Location /cgi-bin/>
SetHandler perl-script
PerlHandler Apache::Registry
#PerlHandler Apache::PerlRun
Options ExecCGI
PerlSendHeader On
</Location>
</VirtualHost>
#
<VirtualHost _default_:443>
#  General setup for the virtual host
#DocumentRoot /var/www/htdocs
#ServerName new.host.name
#ServerAdmin [EMAIL PROTECTED]
#ErrorLog logs/error_log
#TransferLog logs/access_log

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again. A test
#   certificate can be generated with `make certificate' at
#   build time.
SSLCertificateFile /etc/ssl/server.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.
SSLCertificateKeyFile /etc/ssl/private/server.key

#   Certificate Authority (CA):
#   Set the CA