Re: [EMAIL PROTECTED] Problem when mixing NameVirtualHost + non with SSL - Oops, no RSA or DSA server certificate found?!
On Wed, 14 Dec 2005, Joe Orton wrote:
> None of it makes sense :) How is this bundle'o'stuff included in httpd.conf?

Include /etc/httpd/sites-enabled/[^.#]*

> Are you using vendor packages or a build from tarball (I guess Debian from the layout)?

The server that first showed the problems was a Debian one. I did all the stripping down on Red Hat (Fedora 4), and that still showed the problem, so I don't think it's package specific.

Nick

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] Problem when mixing NameVirtualHost + non with SSL - Oops, no RSA or DSA server certificate found?!
On Fri, Dec 09, 2005 at 05:59:21PM +, Nick Burch wrote:
> From this, I see all my vhosts are defined, and correctly set for SSL/not SSL. During the loading iteration, it loads one certificate+key fine. Then it loads the second. After that, no more vhosts are checked!
>
> It seems therefore that it's dropping out of the vhost iteration early for some reason, and hence not loading all the certificates+keys.

Have you got a minimal configuration which reproduces this? That would be the first step to tracking this down.

Regards, joe
Re: [EMAIL PROTECTED] Problem when mixing NameVirtualHost + non with SSL - Oops, no RSA or DSA server certificate found?!
On Wed, 14 Dec 2005, Joe Orton wrote:
> On Fri, Dec 09, 2005 at 05:59:21PM +, Nick Burch wrote:
>> From this, I see all my vhosts are defined, and correctly set for SSL/not SSL. During the loading iteration, it loads one certificate+key fine. Then it loads the second. After that, no more vhosts are checked!
>>
>> It seems therefore that it's dropping out of the vhost iteration early for some reason, and hence not loading all the certificates+keys.
>
> Have you got a minimal configuration which reproduces this? That would be the first step to tracking this down.

Alas no. I created a minimal config, and that one worked just fine. Even commenting out one vhost is enough to get it to work, so I think it's quite an obscure bug to trip :(

I'm going to try putting the config files which show the issue onto a test server (they're on a live one currently), then remove stuff so they're still showing it, but are much simpler. I'll post these if I can get it working.

Nick
Re: [EMAIL PROTECTED] Problem when mixing NameVirtualHost + non with SSL - Oops, no RSA or DSA server certificate found?!
On Wed, 14 Dec 2005, Nick Burch wrote:
> I'm going to try putting the config files which show the issue onto a test server (they're on a live one currently), then remove stuff so they're still showing it, but are much simpler. I'll post these if I can get it working

The config is still a bit complex, but it's getting there.

I've found something else though - if I make all my private keys unencrypted, it works fine. As soon as I have one key encrypted, it breaks (with the usual "Oops, no RSA or DSA server certificate found?!"), having neglected to complete the vhost loop at line 174 of ssl_engine_pphrase.c.

I'll keep fighting with the config, and see if I can get something postable.

Nick
Re: [EMAIL PROTECTED] Problem when mixing NameVirtualHost + non with SSL - Oops, no RSA or DSA server certificate found?!
On Wed, 14 Dec 2005, Nick Burch wrote:
> The config is still a bit complex, but it's getting there

OK, config is attached. Drop it into a largely fresh /etc/apache2/

Three of the private keys are encrypted, all with the password "test".

Apache will load keys+certs for webmail.test, melody.test, fluffy-internal.test. It won't get around to loading keys+certs for fluffy-b.test, fluffy-a.test or nems.test, and hence will bomb out.

Shout if any of it doesn't make sense.

Nick

[Attachment: httpd-simple.tar.gz (GNU Zip compressed data)]
Re: [EMAIL PROTECTED] Problem when mixing NameVirtualHost + non with SSL - Oops, no RSA or DSA server certificate found?!
On Wed, Dec 14, 2005 at 06:16:03PM +, Nick Burch wrote:
> On Wed, 14 Dec 2005, Nick Burch wrote:
>> The config is still a bit complex, but it's getting there
>
> OK, config is attached. Drop it into a largely fresh /etc/apache2/
>
> Three of the private keys are encrypted, all with the password "test"
>
> Apache will load keys+certs for webmail.test, melody.test, fluffy-internal.test. It won't get around to loading keys+certs for fluffy-b.test, fluffy-a.test or nems.test, and hence will bomb out.
>
> Shout if any of it doesn't make sense

None of it makes sense :)

How is this bundle'o'stuff included in httpd.conf? Are you using vendor packages or a build from tarball (I guess Debian from the layout)? There are a couple of obscure mod_ssl problems which can be caused by bad packaging.

joe
RE: [EMAIL PROTECTED] Problem when mixing NameVirtualHost + non with SSL - Oops, no RSA or DSA server certificate found?!
On Wed, 7 Dec 2005, Nick Burch wrote: I'm also half tempted to try and make that error message more useful. Anyone know much about that area of code, or should I just dive in? I've done this. I still haven't quite figured out my problem, but I have narrowed it down quite a bit. Now to go investigate why my certificate isn't making it into mc-tPublicCert Anyway, this patch will make ssl_engine_init.c produce much more helpful debug when loading certificates: it will let you know what certificates it does load, and if it can't find a RSA or DSA certificate, it'll tell you what ones it does know about. --- ssl_engine_init.c.sav 2005-12-09 16:36:21.026192705 + +++ ssl_engine_init.c 2005-12-09 17:17:45.014684541 + @@ -710,11 +710,13 @@ X509 *cert; if (!(asn1 = ssl_asn1_table_get(mc-tPublicCert, id))) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +No %s server certificate exists for %s, type, id); return FALSE; } ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, - Configuring %s server certificate, type); + Configuring %s server certificate for %s, type, id); ptr = asn1-cpData; if (!(cert = d2i_X509(NULL, ptr, asn1-nData))) { @@ -862,6 +864,10 @@ int i; int have_rsa, have_dsa; +SSLModConfigRec *mc = myModConfig(s); + const void *key; + apr_hash_index_t *hi; + rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA); dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA); 
@@ -871,6 +877,19 @@ if (!(have_rsa || have_dsa)) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, Oops, no RSA or DSA server certificate found?!); +ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, +Unable to load certificate for vhost %s, + vhost_id); + + // Print out, at debug, what certificates are defined + for (hi = apr_hash_first(p, mc-tPublicCert); hi; hi = apr_hash_next(hi)) { + apr_hash_this(hi, key, NULL, NULL); + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + I know about certificate '%s', key); + } + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +No further certificates known about); + ssl_die(); } - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
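Review bot: in the first hunk (@@ -710), the new DEBUG line in front of `return FALSE` fires for every vhost that lacks one of the two certificate types, so a vhost configured with only an RSA certificate will log "No DSA server certificate exists for ..." on every start; DEBUG is the right level for that, but the wording reads like a failure, and something like "no %s certificate configured for %s" would keep the later "Oops" line as the only alarming message. Adding `for %s, type, id` to the existing "Configuring %s server certificate" message is the genuinely useful part of the hunk and should stay.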
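Review bot: in the second hunk (@@ -862) the three added declarations are indented inconsistently: `SSLModConfigRec *mc = myModConfig(s);` sits flush against the `+` while `const void *key;` and `apr_hash_index_t *hi;` follow the surrounding indent. Align them with `int have_rsa, have_dsa;` above, or better, since `mc`, `key` and `hi` are only used inside the error branch of the third hunk, declare them at the top of that `if` block so the normal path is not touched at all.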
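Review bot: in the third hunk (@@ -871) `apr_hash_this(hi, key, NULL, NULL)` passes `key` where `apr_hash_this` takes a `const void **`; as shown it needs `&key` (disregard if the ampersand was lost in transit). The list of known certificates is logged at APLOG_DEBUG while the surrounding "Oops, no RSA or DSA server certificate found?!" and "Unable to load certificate for vhost %s" lines are APLOG_ERR and the function then calls `ssl_die()`; an admin hitting this at the default LogLevel sees the error but never the list that explains it, so log the "I know about certificate" lines at ERR as well. Also, `// Print out, at debug, what certificates are defined` is a C++-style comment; httpd's sources use `/* */`.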
RE: [EMAIL PROTECTED] Problem when mixing NameVirtualHost + non with SSL - Oops, no RSA or DSA server certificate found?!
On Fri, 9 Dec 2005, Nick Burch wrote:
> On Wed, 7 Dec 2005, Nick Burch wrote:
>> I'm also half tempted to try and make that error message more useful. Anyone know much about that area of code, or should I just dive in?
>
> I've done this. I still haven't quite figured out my problem, but I have narrowed it down quite a bit. Now to go investigate why my certificate isn't making it into mc->tPublicCert

Any mod_ssl experts about? I think something very odd is going on during certificate/key loading.

I've added a bit more debugging into ssl_pphrase_Handle of ssl_engine_pphrase.c. Before doing the normal vhost iteration, I'm iterating over all the vhosts, printing out their name + if they have SSL enabled. Then, I've got the main vhost iteration loop to print out if it's going to skip a vhost.

From this, I see all my vhosts are defined, and correctly set for SSL/not SSL. During the loading iteration, it loads one certificate+key fine. Then it loads the second. After that, no more vhosts are checked!

It seems therefore that it's dropping out of the vhost iteration early for some reason, and hence not loading all the certificates+keys.

Can anyone comment on this? The changes I've made to ssl_engine_pphrase.c to show this info are below.

Thanks
Nick

--- ssl_engine_pphrase.c.sav2005-12-09 17:29:33.0 +
+++ ssl_engine_pphrase.c2005-12-09 17:58:31.704577206 +
@@ -173,13 +173,26 @@ */ for (pServ = s; pServ != NULL; pServ = pServ-next) { sc = mySrvConfig(pServ); +cpVHostID = ssl_util_vhostid(p, pServ); + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, pServ, + SSL on vhost %s: %d, + cpVHostID, + sc-enabled); + } +for (pServ = s; pServ != NULL; pServ = pServ-next) { +sc = mySrvConfig(pServ); +cpVHostID = ssl_util_vhostid(p, pServ); -if (!sc-enabled) +if (!sc-enabled) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, pServ, + SSL not enabled on vhost %s, skipping SSL setup for it, + cpVHostID ); continue; + } -cpVHostID = ssl_util_vhostid(p, pServ); ap_log_error(APLOG_MARK, APLOG_INFO, 0, pServ, - Loading certificate private key of SSL-aware server); + Loading certificate private key of SSL-aware server %s, +cpVHostID); /* * Read in server certificate(s): This is the easy part @@ -236,6 +249,10 @@ ucp = ssl_asn1_table_set(mc-tPublicCert, cp, length); (void)i2d_X509(pX509Cert, ucp); /* 2nd arg increments */ + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, pServ, + Loaded certificate from %s, +sc-server-pks-cert_files[0]); + /* * Free the X509 structure - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
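Review bot: in the first hunk (@@ -173) both the new pre-pass loop and the main loop compute `cpVHostID = ssl_util_vhostid(p, pServ);`, and the main loop now does so before the `if (!sc->enabled)` test rather than after it as the removed line did, so the id string is allocated from `p` twice for every vhost, SSL-enabled or not. Harmless for a debugging patch, but restore the original ordering (compute it only after the enabled check) before this goes further. The added lines are also indented inconsistently, some flush against the `+` and some following the surrounding indent.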
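Review bot: in the second hunk (@@ -236) the new "Loaded certificate from %s" line reports `sc->server->pks->cert_files[0]` unconditionally, yet the surrounding comment says "Read in server certificate(s)"; if this `ssl_asn1_table_set` call sits inside a per-certificate loop (a vhost with both an RSA and a DSA file), the second iteration will log the first file's name. Log the file for the current index instead. Given the observation in the mail that no vhost is visited after the second key loads, a DEBUG line at the very end of the loop body ("finished SSL setup for vhost %s") would show directly whether the loop ends early or a later vhost is skipped.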
RE: [EMAIL PROTECTED] Problem when mixing NameVirtualHost + non with SSL - Oops, no RSA or DSA server certificate found?!
The combination of name-based virtual hosting and SSL cannot possibly work. Normally, in such a configuration the request will be handled by the first of the virtual hosts that match the IP:port of the request regardless of the ServerName.

I believe that if you execute "apachectl configtest", or alternatively "$HTTPD -t -D DUMP_VHOSTS -f /path/to/httpd.conf", you will get an overview of all the configured virtual hosts:

bash-2.03$ apachectl configtest
VirtualHost configuration:
192.168.1.10:443       sweetn.sour.com (/u01/apachetest/conf/custom.conf:82)
192.168.1.11:*         is a NameVirtualHost
         default server labelle16.toto.fr (/u01/apachetest/conf/custom.conf:20)
         port * namevhost labelle16.toto.fr (/u01/apachetest/conf/custom.conf:20)
Syntax OK
bash-2.03$

This might give you a clue as to what is happening and why you get the error.

However, again, SSL and name-based virtual hosting does not work because the Host header cannot possibly be known to the server until the SSL session has been established, and the SSL session needs a certificate to be established and for that purpose needs to know the value of the host header in order to know what certificate to use. It's a catch 22...

-ascs

-----Original Message-----
From: Nick Burch [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 06, 2005 7:53 PM
To: users@httpd.apache.org
Subject: [EMAIL PROTECTED] Problem when mixing NameVirtualHost + non with SSL - Oops, no RSA or DSA server certificate found?!

Hi

I'm having trouble when trying to combine NameVirtualHosting on one SSL IP, and per-IP virtual hosting for others.

My ideal setup is:
  NameVirtualHost *:80 (lots of virtual hosts)
  NameVirtualHost 192.168.1.50:443 (2 virtual hosts, 1 wildcard certificate used for both virtual hosts)
  VirtualHost's on 192.168.1.51:443, 192.168.1.52:443

Under this configuration, when I try to start apache, it fails with "[error] Oops, no RSA or DSA server certificate found?!". Even under Debug, it fails to tell me which certificate it hit this on.

If I run it with only one virtual host active on 192.168.1.50:443 (the SSL NameVirtualHost), everything works fine. I can access all 3 SSL sites.

If I disable the SSL virtual hosts on 192.168.1.51:443 and 192.168.1.52:443, everything works fine. I can access both the SSL sites on 192.168.1.50, and the name virtual hosting behaves as expected.

As soon as I try with both name and non name SSL virtual hosts, apache fails to start with:
  [error] Oops, no RSA or DSA server certificate found?!

Is this a known problem? Can anyone suggest any workarounds (other than not using name virtual hosting on that one IP)?

Thanks
Nick
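A small parser for the "VirtualHost configuration" dump that the reply above points at, added here as an example and not part of anyone's post in this thread. It reads the output layout shown above, records which ServerNames httpd attached to each ip:port and whether that ip:port is a NameVirtualHost, and lists the port-443 entries that carry more than one name, which is exactly the situation the reply describes: without SNI the server has to choose a certificate per ip:port before it sees the Host header, so one certificate must cover every name in such a group. The sample dump is constructed: the first entries copy the post's sample, and the 192.168.1.50:443 NameVirtualHost with fluffy-a.test and fluffy-b.test and their file paths is invented to match the setup described in the original question.

```python
import re

# Constructed sample: the first entries copy the layout of the post's sample,
# the 192.168.1.50:443 NameVirtualHost (two names, invented file paths) is added.
SAMPLE_DUMP = """\
VirtualHost configuration:
192.168.1.10:443       sweetn.sour.com (/u01/apachetest/conf/custom.conf:82)
192.168.1.11:*         is a NameVirtualHost
         default server labelle16.toto.fr (/u01/apachetest/conf/custom.conf:20)
         port * namevhost labelle16.toto.fr (/u01/apachetest/conf/custom.conf:20)
192.168.1.50:443       is a NameVirtualHost
         default server fluffy-a.test (/etc/apache2/sites-enabled/fluffy-a:1)
         port 443 namevhost fluffy-a.test (/etc/apache2/sites-enabled/fluffy-a:1)
         port 443 namevhost fluffy-b.test (/etc/apache2/sites-enabled/fluffy-b:1)
Syntax OK
"""

# "ip:port   servername (file:line)"  or  "ip:port   is a NameVirtualHost"
ADDR_RE = re.compile(r"^(\S+:\S+)\s+(.*)$")
# indented "port N namevhost servername (file:line)" lines under a NameVirtualHost
NAMEVHOST_RE = re.compile(r"^\s+port\s+\S+\s+namevhost\s+(\S+)\s+\((\S+)\)")


def parse_vhost_dump(text):
    """Map each ip:port to whether it is name-based and to the (ServerName, source)
    pairs httpd attached to it. The 'default server' line is skipped because the
    same vhost is listed again as a namevhost."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addr, rest = m.groups()
            current = hosts.setdefault(addr, {"name_based": False, "names": []})
            if rest.strip() == "is a NameVirtualHost":
                current["name_based"] = True
            else:
                name, _, src = rest.partition(" (")
                current["names"].append((name.strip(), src.rstrip(")")))
            continue
        m = NAMEVHOST_RE.match(line)
        if m and current is not None:
            current["names"].append(m.groups())
    return hosts


def shared_certificate_groups(hosts):
    """Port-443 entries carrying more than one ServerName. Without SNI the
    server picks a certificate per ip:port before it sees the Host header, so
    a single certificate has to cover every name listed for that ip:port."""
    groups = {}
    for addr, info in hosts.items():
        names = [n for n, _ in info["names"]]
        if addr.rsplit(":", 1)[1] == "443" and len(names) > 1:
            groups[addr] = names
    return groups


if __name__ == "__main__":
    parsed = parse_vhost_dump(SAMPLE_DUMP)
    for addr, info in parsed.items():
        kind = "name-based" if info["name_based"] else "ip-based"
        print(f"{addr} ({kind}): {', '.join(n for n, _ in info['names'])}")
    for addr, names in shared_certificate_groups(parsed).items():
        print(f"one certificate on {addr} must cover: {', '.join(names)}")
```

Feeding it the real output of `httpd -t -D DUMP_VHOSTS` (pipe the command into the parser instead of using SAMPLE_DUMP) shows immediately whether a vhost landed on the ip:port its author intended, which is the check the reply suggests before digging into mod_ssl itself.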
RE: [EMAIL PROTECTED] Problem when mixing NameVirtualHost + non with SSL - Oops, no RSA or DSA server certificate found?!
On Wed, 7 Dec 2005, Axel-Stéphane SMORGRAV wrote:
> This might give you a clue as to what is happening and why you get the error.

That all shows everything as expected.

> However, again, SSL and name-based virtual hosting does not work because the Host header cannot possibly be known to the server until the SSL session has been established, and the SSL session needs a certificate to be established and for that purpose needs to know the value of the host header in order to know what certificate to use.

Ah, but I have a wildcard certificate. So, all the SSL sites hosted on this one IP can work with the same certificate. If I set up my server with only the name based virtual hosting for SSL, then those sites sharing a certificate do work fine.

The problem comes if I have one IP doing name based virtual hosting for SSL *with multiple sites active* and other IPs doing single virtual host per IP SSL. In this situation, Apache is getting all confused, and giving the error.

If I have only IP virtual hosting for SSL, apache works.
If I have IP virtual hosting for SSL on most IPs, name virtual hosting on another BUT only 1 site active, that works.
If I only have name virtual hosting for SSL, then that works.

Nick
RE: [EMAIL PROTECTED] Problem when mixing NameVirtualHost + non with SSL - Oops, no RSA or DSA server certificate found?!
I think you need to post the VH segments from your config... Your set up is clearly quite complicated and it's impossible to see what the error is based just on descriptions.

My interpretation so far is that you have a VH somewhere which is defined as SSL but which does not contain an SSLCertificateFile directive.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

-----Original Message-----
From: Nick Burch [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 7 December 2005 11:52
To: users@httpd.apache.org
Subject: RE: [EMAIL PROTECTED] Problem when mixing NameVirtualHost + non with SSL - Oops, no RSA or DSA server certificate found?!

On Wed, 7 Dec 2005, Axel-Stéphane SMORGRAV wrote:
> This might give you a clue as to what is happening and why you get the error.

That all shows everything as expected.

> However, again, SSL and name-based virtual hosting does not work because the Host header cannot possibly be known to the server until the SSL session has been established, and the SSL session needs a certificate to be established and for that purpose needs to know the value of the host header in order to know what certificate to use.

Ah, but I have a wildcard certificate. So, all the SSL sites hosted on this one IP can work with the same certificate. If I set up my server with only the name based virtual hosting for SSL, then those sites sharing a certificate do work fine.

The problem comes if I have one IP doing name based virtual hosting for SSL *with multiple sites active* and other IPs doing single virtual host per IP SSL. In this situation, Apache is getting all confused, and giving the error.

If I have only IP virtual hosting for SSL, apache works.
If I have IP virtual hosting for SSL on most IPs, name virtual hosting on another BUT only 1 site active, that works.
If I only have name virtual hosting for SSL, then that works.

Nick
RE: [EMAIL PROTECTED] Problem when mixing NameVirtualHost + non with SSL - Oops, no RSA or DSA server certificate found?!
On Wed, 7 Dec 2005, Boyle Owen wrote:
> I think you need to post the VH segments from your config...

I'd rather not clutter up the list, I do have quite a few of them...

> Your set up is clearly quite complicated and it's impossible to see what the error is based just on descriptions. My interpretation so far is that you have a VH somewhere which is defined as SSL but which does not contain an SSLCertificateFile directive.

They all do, and here's how I can be sure:

  SSL-A - virtual host on .20:443
  SSL-B - virtual host on .21:443
  SSL-C - virtual host on .22:443
  .23:443 name virtual host
    SSL-D name virtual host
    SSL-E name virtual host

  SSL-A + SSL-B + SSL-C works
  SSL-A + SSL-B + SSL-C + SSL-D works
  SSL-D + SSL-E works
  SSL-A + SSL-B + SSL-C + SSL-D + SSL-E fails with "Oops, no RSA or DSA server certificate found?!"

So each individual virtual host works on its own.

If no-one else has attempted anything like this, I'll put together a simple set of config files + certificates + keys for people to play with.

I'm also half tempted to try and make that error message more useful. Anyone know much about that area of code, or should I just dive in?

Cheers
Nick
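Owen's hypothesis above (an SSL vhost that carries no certificate directive) and the finding further up the page that a single passphrase-encrypted key is enough to trigger the failure both come down to things a quick pass over the <VirtualHost> blocks can surface before httpd is started. The following linter is an added example, not code from the thread or from the httpd project. The sample configuration and the PEM stand-ins are constructed and their file paths invented; a real run would read the key files from disk instead of the SAMPLE_KEYS dict, and nems.key is deliberately left out of that dict so the missing-file check fires.

```python
import re

# Constructed sample config, laid out like the sites-enabled snippets in the thread.
SAMPLE_CONF = """
NameVirtualHost 192.168.1.50:443

<VirtualHost 192.168.1.50:443>
    ServerName fluffy-a.test
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/wildcard.crt
    SSLCertificateKeyFile /etc/apache2/ssl/wildcard.key
</VirtualHost>

<VirtualHost 192.168.1.50:443>
    ServerName fluffy-b.test
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/wildcard.crt
    SSLCertificateKeyFile /etc/apache2/ssl/wildcard.key
</VirtualHost>

<VirtualHost 192.168.1.51:443>
    ServerName nems.test
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/nems.crt
    SSLCertificateKeyFile /etc/apache2/ssl/nems.key
</VirtualHost>

<VirtualHost 192.168.1.52:443>
    ServerName webmail.test
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/webmail.crt
</VirtualHost>

<VirtualHost *:80>
    ServerName melody.test
</VirtualHost>
"""

# Constructed stand-ins for the key files (a real run would open them from disk).
# nems.key is deliberately absent to exercise the missing-file check.
SAMPLE_KEYS = {
    "/etc/apache2/ssl/wildcard.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
        "...\n-----END RSA PRIVATE KEY-----\n"
    ),
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.+?)\s*$", re.M)


def parse_vhosts(conf_text):
    """Return one dict per <VirtualHost> block: its address plus the directives
    inside it, keyed by lower-cased name (Apache directives are case-insensitive)."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf_text):
        directives = {name.lower(): value for name, value in DIRECTIVE_RE.findall(body)}
        vhosts.append({"address": addr.strip(), **directives})
    return vhosts


def key_is_encrypted(pem_text):
    """Traditional PEM keys carry a 'Proc-Type: 4,ENCRYPTED' header when they are
    passphrase-protected; PKCS#8 encrypted keys use a distinct BEGIN line instead."""
    return "Proc-Type: 4,ENCRYPTED" in pem_text or "BEGIN ENCRYPTED PRIVATE KEY" in pem_text


def lint(conf_text, key_files):
    """Return (severity, message) findings for every vhost with SSLEngine on."""
    findings = []
    for vh in parse_vhosts(conf_text):
        if vh.get("sslengine", "off").lower() != "on":
            continue
        where = f"{vh.get('servername', '<no ServerName>')} ({vh['address']})"
        for directive in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if directive.lower() not in vh:
                findings.append(("error", f"{where}: SSLEngine on but no {directive}"))
        key_path = vh.get("sslcertificatekeyfile")
        if key_path is None:
            continue
        if key_path not in key_files:
            findings.append(("error", f"{where}: key file {key_path} cannot be read"))
        elif key_is_encrypted(key_files[key_path]):
            findings.append(("info", f"{where}: key {key_path} is passphrase-encrypted; "
                                     "httpd will need the passphrase at startup"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(SAMPLE_CONF, SAMPLE_KEYS):
        print(f"[{severity}] {message}")
```

The "info" findings are the ones worth reading against the thread: they list exactly which vhosts will make mod_ssl stop for a passphrase during the startup loop, which is the set of vhosts to compare with the "Loading certificate private key" lines in the error log when startup dies with the "Oops" message.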
[EMAIL PROTECTED] Problem when mixing NameVirtualHost + non with SSL - Oops, no RSA or DSA server certificate found?!
Hi

I'm having trouble when trying to combine NameVirtualHosting on one SSL IP, and per-IP virtual hosting for others.

My ideal setup is:
  NameVirtualHost *:80 (lots of virtual hosts)
  NameVirtualHost 192.168.1.50:443 (2 virtual hosts, 1 wildcard certificate used for both virtual hosts)
  VirtualHost's on 192.168.1.51:443, 192.168.1.52:443

Under this configuration, when I try to start apache, it fails with "[error] Oops, no RSA or DSA server certificate found?!". Even under Debug, it fails to tell me which certificate it hit this on.

If I run it with only one virtual host active on 192.168.1.50:443 (the SSL NameVirtualHost), everything works fine. I can access all 3 SSL sites.

If I disable the SSL virtual hosts on 192.168.1.51:443 and 192.168.1.52:443, everything works fine. I can access both the SSL sites on 192.168.1.50, and the name virtual hosting behaves as expected.

As soon as I try with both name and non name SSL virtual hosts, apache fails to start with:
  [error] Oops, no RSA or DSA server certificate found?!

Is this a known problem? Can anyone suggest any workarounds (other than not using name virtual hosting on that one IP)?

Thanks
Nick
Re: [EMAIL PROTECTED] Problem when mixing NameVirtualHost + non with SSL - Oops, no RSA or DSA server certificate found?!
I remember that SSL needs a certificate. Have you created it?

2005/12/7, Nick Burch [EMAIL PROTECTED]:
> Hi
>
> I'm having trouble when trying to combine NameVirtualHosting on one SSL IP, and per-IP virtual hosting for others.
>
> My ideal setup is:
>   NameVirtualHost *:80 (lots of virtual hosts)
>   NameVirtualHost 192.168.1.50:443 (2 virtual hosts, 1 wildcard certificate used for both virtual hosts)
>   VirtualHost's on 192.168.1.51:443, 192.168.1.52:443
>
> Under this configuration, when I try to start apache, it fails with "[error] Oops, no RSA or DSA server certificate found?!". Even under Debug, it fails to tell me which certificate it hit this on.
>
> If I run it with only one virtual host active on 192.168.1.50:443 (the SSL NameVirtualHost), everything works fine. I can access all 3 SSL sites.
>
> If I disable the SSL virtual hosts on 192.168.1.51:443 and 192.168.1.52:443, everything works fine. I can access both the SSL sites on 192.168.1.50, and the name virtual hosting behaves as expected.
>
> As soon as I try with both name and non name SSL virtual hosts, apache fails to start with:
>   [error] Oops, no RSA or DSA server certificate found?!
>
> Is this a known problem? Can anyone suggest any workarounds (other than not using name virtual hosting on that one IP)?
>
> Thanks
> Nick