Re: [users@httpd] Multi site SSL problems
On Fri, May 10, 2024 at 5:53 PM Tatsuki Makino wrote:
> Hello.
>
> By the way, do you have the setting enabled to use the Host header used to
> switch NameVirtualHost during TLS negotiation?
> I don't know how to do that since the Japanese documentation is rarely
> updated :)
> Were those things implemented?
>
> Regards.
>
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org

Tatsuki,

You're thinking of SNI, and it works out of the box with OpenSSL 0.9.8f or later, and with NameVirtualHost *:443. So, again, I highly recommend using *:PORT to define all your vhosts, unless you know exactly what you are doing.
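The SNI the reply above refers to is the server_name extension of the TLS ClientHello (RFC 6066): the client names the host it wants before any HTTP Host header can exist, and that name is what lets httpd pick the vhost, and therefore the certificate, for a name-based *:443 setup. The following is an added example, not code from the thread or from httpd: it builds a minimal ClientHello carrying an SNI name and parses the name back out, as a debugging or detection script would from a captured first record. The 32-byte random, the two cipher suites and the hostname are constructed placeholders.

```python
import struct

HANDSHAKE_RECORD = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
SNI_EXTENSION = 0x0000    # extension type: server_name (RFC 6066)
HOST_NAME = 0x00          # NameType: host_name


class _Cursor:
    """Bounds-checked reader over bytes; any over-read is a ValueError, never a crash."""

    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.off + n > len(self.data):
            raise ValueError("truncated or malformed ClientHello")
        chunk = self.data[self.off:self.off + n]
        self.off += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def u24(self) -> int:
        return int.from_bytes(self.take(3), "big")

    def remaining(self) -> int:
        return len(self.data) - self.off


def build_client_hello(server_name, client_random: bytes = b"\x11" * 32) -> bytes:
    """Return a minimal TLS ClientHello record; server_name=None sends no SNI.
    Placeholder random and a two-suite cipher list, constructed for the example."""
    cipher_suites = b"\xc0\x2f\xc0\x30"  # TLS_ECDHE_RSA_WITH_AES_{128,256}_GCM_SHA{256,384}
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")  # RFC 6066: host_name is ASCII (A-labels)
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", SNI_EXTENSION, len(name_list)) + name_list
    body = (
        b"\x03\x03" + client_random                          # client_version (TLS 1.2) + random
        + b"\x00"                                            # empty session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                        # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the ClientHello's server_name extension, or None
    when the client sent no SNI (an old client, or a connect to an IP literal).
    Raises ValueError for anything that is not a well-formed ClientHello record."""
    rec = _Cursor(record)
    if rec.u8() != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec.take(2)                                  # record-layer version (legacy, ignored)
    hs = _Cursor(rec.take(rec.u16()))
    if hs.u8() != CLIENT_HELLO:
        raise ValueError("handshake message is not a ClientHello")
    hello = _Cursor(hs.take(hs.u24()))
    hello.take(2 + 32)                           # client_version + random
    hello.take(hello.u8())                       # session_id
    hello.take(hello.u16())                      # cipher_suites
    hello.take(hello.u8())                       # compression_methods
    if hello.remaining() == 0:
        return None                              # ClientHello without any extensions block
    exts = _Cursor(hello.take(hello.u16()))
    while exts.remaining():
        ext_type = exts.u16()
        ext = _Cursor(exts.take(exts.u16()))
        if ext_type != SNI_EXTENSION:
            continue
        names = _Cursor(ext.take(ext.u16()))
        while names.remaining():
            name_type = names.u8()
            name = names.take(names.u16())
            if name_type == HOST_NAME:
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.site2.com")
    print(hello.hex())
    print("SNI:", extract_sni(hello))
```

Against a live server the same check is `openssl s_client -connect host:443 -servername www.site2.com`, comparing the `subject=` line of the returned certificate with what you asked for; run it once more without `-servername` to see what a non-SNI client gets, which for httpd is the first vhost defined for that address:port. Note that the name travels in cleartext in the first record, so it is visible to anyone on path; that is what makes it usable for network detection and also why Encrypted Client Hello exists.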
Re: [users@httpd] Multi site SSL problems
Hello.

By the way, do you have the setting enabled to use the Host header used to switch NameVirtualHost during TLS negotiation?
I don't know how to do that since the Japanese documentation is rarely updated :)
Were those things implemented?

Regards.
Re: [users@httpd] Multi site SSL problems
On Fri, May 10, 2024 at 4:10 PM John wrote:
> On Fri, 2024-05-10 at 15:48 -0400, Sean Conner wrote:
> > [...]
>
> Typo in the 2nd virtual host "1932.168.1.10:" probably should be
> "192.168.1.10"
>
> John

Show the apachectl -S output, and each vhost. Make sure that every single :443 vhost has SSLEngine on and SSLCertificateFile set.
Re: [users@httpd] Multi site SSL problems
On Fri, 2024-05-10 at 15:48 -0400, Sean Conner wrote:
> It was thus said that the Great Chris me once stated:
> > I set up each entry with <VirtualHost *:443> but when I do that, the
> > second site will complain that the cert is for site1. So if I go to
> > site2.com, I get a browser error that the cert is for site1. It will show
> > me the content for site1.
>
> On my development server, I have the following:
> [...]
>
>   -spc

Typo in the 2nd virtual host "1932.168.1.10:" probably should be "192.168.1.10"

John
Re: [users@httpd] Multi site SSL problems
It was thus said that the Great Chris me once stated:
> I set up each entry with <VirtualHost *:443> but when I do that, the
> second site will complain that the cert is for site1. So if I go to
> site2.com, I get a browser error that the cert is for site1. It will show
> me the content for site1.

On my development server, I have the following:

    ServerName playground.roswell.area51
    SSLEngine on
    SSLCertificateFile /home/spc/web/playground/cert.pem
    SSLCertificateKeyFile /home/spc/web/playground/key.pem
    ...

    ServerName wiki.roswell.area51
    SSLEngine on
    SSLCertificateFile /home/spc/web/wiki/cert.pem
    SSLCertificateKeyFile /home/spc/web/wiki/key.pem
    ...

> I am not sure how to do this part:
> > Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
> I am running Apache 2.2, does it still apply?
> It does not look like mod_access_compat is listed under mods-enabled

That I don't remember as I've been running Apache 2.4 for a couple of years now.

  -spc
RE: [users@httpd] Multi site SSL problems
I found NameVirtualHost *:443 was commented out in ports.conf, I changed that. Now I am back to the ssl protocol error for the second site.

From: Chris me
Sent: Friday, May 10, 2024 8:40 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Multi site SSL problems

[...]
RE: [users@httpd] Multi site SSL problems
I set up each entry with <VirtualHost *:443> but when I do that, the second site will complain that the cert is for site1. So if I go to site2.com, I get a browser error that the cert is for site1. It will show me the content for site1.

I am not sure why the difference, my non ssl hosts, ie <VirtualHost *:80> all work fine, each site gives me the correct content, so why does it not work for <VirtualHost *:443>?

The Entries are

    <VirtualHost 192.168.1.10:443>
    ServerName www.site1.com

    <VirtualHost 1932.168.1.10:443>
    ServerName www.site2.com

I am not sure how to do this part:
> Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
I am running Apache 2.2, does it still apply?
It does not look like mod_access_compat is listed under mods-enabled

From: Frank Gingras <thu...@apache.org>
Sent: Thursday, May 9, 2024 4:12 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Multi site SSL problems

[...]
Re: [users@httpd] Multi site SSL problems
On Thu, May 9, 2024 at 6:54 PM Chris me wrote:
> Hi, I am having an issue trying to get multiple sites with their own SSL
> cert. I purchased AlphaSSL certs for them.
>
> The strange thing, the first cert works, the second gives me an
> ERR_SSL_PROTOCOL_ERROR, but only on some systems.
>
> This is what I am using now:
>
> (
> Site1 is fine, Site2 gives me the error.
>
> I originally tried with NameVirtualHost *.443
> And then <VirtualHost *:443>
> But when I go to site2, it complains that the cert is invalid because it
> is using the cert from site1?
> )
>
>     NameVirtualHost 192.99.9.188:443
>
>     <VirtualHost www.site1.com:443>
>       ServerName www.site1.com
>       ServerAdmin webmas...@site1.com
>       DocumentRoot /home/httpd/sites/site1
>
>         Order allow,deny
>         Allow from all
>
>       SSLEngine on
>       SSLProtocol all -SSLv2 -SSLv3
>       SSLCertificateFile /etc/ssl/site1.ca/server.crt
>       SSLCertificateKeyFile /etc/ssl/site1.ca/server.key
>       SSLCertificateChainFile /etc/ssl/site1.ca/bundle.crt
>     </VirtualHost>
>
>     <VirtualHost www.site2.com:443>
>       ServerName www.site2.com
>       ServerAdmin webmas...@site2.com
>       DocumentRoot /home/httpd/sites/site2
>
>         Order allow,deny
>         Allow from all
>
>       SSLEngine on
>       SSLProtocol all -SSLv2 -SSLv3
>       SSLCertificateFile /etc/ssl/site2.ca/server.crt
>       SSLCertificateKeyFile /etc/ssl/site2.ca/server.key
>       SSLCertificateChainFile /etc/ssl/site2.ca/bundle.crt
>     </VirtualHost>

So many red flags here:

- Always use *:PORT when defining a vhost, unless you know exactly what you are doing
- Set the ServerName directive in every single vhost
- Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
- Unload the mod_access_compat module when apachectl configtest passes

Lastly, show the output from apachectl -S when the fixes are applied
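The checklist in the reply above (use *:PORT, put ServerName in every vhost, no 2.2 Order/Allow/Deny on 2.4), together with the later replies' points (every :443 vhost needs SSLEngine on and its certificate directives; the "1932.168.1.10" octet typo; "*.443" where "*:443" was meant), is entirely mechanical, so it can be checked before apachectl is ever run. The following is an added example, not code from the thread or from httpd: a small Python linter that applies those checks to a constructed config modelled on the one posted. It is deliberately not a full httpd.conf parser (no Include, no <IfModule> evaluation, nested <Directory> blocks are skipped and their directives credited to the enclosing vhost), which is enough for this checklist.

```python
import re
from dataclasses import dataclass, field

# Directives every :443 vhost must carry, keyed by the lowercased name the parser stores.
REQUIRED_TLS = {"servername": "ServerName", "sslcertificatefile": "SSLCertificateFile",
                "sslcertificatekeyfile": "SSLCertificateKeyFile"}
LEGACY_AUTHZ = {"order", "allow", "deny"}   # httpd 2.2 authz; needs mod_access_compat on 2.4
ADDR_RE = re.compile(r"^(?P<host>\[[^\]]+\]|[^:\s]+)(?::(?P<port>\d+))?$")

@dataclass
class VHost:
    address: str
    line: int
    directives: dict = field(default_factory=dict)    # lowercased name -> first value seen
    legacy_authz: list = field(default_factory=list)  # line numbers of Order/Allow/Deny

def parse_vhosts(config):
    """Tiny httpd.conf reader: NameVirtualHost lines plus each <VirtualHost> block's
    directives. <Directory>/<Location> tags are skipped (their directives are credited
    to the enclosing vhost) and Include is not followed; enough for this checklist."""
    name_vhosts, vhosts, current = [], [], None
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            current = VHost(m.group(1).strip(), lineno)
            vhosts.append(current)
        elif line.lower() == "</virtualhost>":
            current = None
        elif re.match(r"NameVirtualHost\s", line, re.I):
            name_vhosts.append((lineno, line.split(None, 1)[1]))
        elif current is not None and not line.startswith("<"):
            parts = line.split(None, 1)
            name = parts[0].lower()
            if name in LEGACY_AUTHZ:
                current.legacy_authz.append(lineno)
            current.directives.setdefault(name, parts[1] if len(parts) > 1 else "")
    return name_vhosts, vhosts

def valid_ipv4(host):
    octets = host.split(".")
    return len(octets) == 4 and all(o.isdigit() and int(o) <= 255 for o in octets)

def lint_ssl_vhosts(config):
    """Apply the thread's checklist; one human-readable finding per problem."""
    findings = []
    name_vhosts, vhosts = parse_vhosts(config)
    for lineno, arg in name_vhosts:
        if re.fullmatch(r"\*\.\d+", arg):   # "*.443" is a typo for "*:443"
            findings.append(f"line {lineno}: NameVirtualHost {arg}: port separator is ':' not '.'")
    for vh in vhosts:
        for addr in vh.address.split():
            m = ADDR_RE.match(addr)
            if not m:
                findings.append(f"line {vh.line}: <VirtualHost {addr}>: unparseable address")
                continue
            host, port = m.group("host"), m.group("port")
            if host != "*":
                findings.append(f"line {vh.line}: <VirtualHost {addr}>: prefer *:{port or 'PORT'} "
                                "unless you really need IP-based vhosts")
            if re.fullmatch(r"[\d.]+", host) and not valid_ipv4(host):
                findings.append(f"line {vh.line}: <VirtualHost {addr}>: '{host}' is not a valid IPv4 address")
            if port == "443":
                for key, shown in REQUIRED_TLS.items():
                    if key not in vh.directives:
                        findings.append(f"line {vh.line}: <VirtualHost {addr}>: missing {shown}")
                if vh.directives.get("sslengine", "").lower() != "on":
                    findings.append(f"line {vh.line}: <VirtualHost {addr}>: SSLEngine is not 'on'")
        if vh.legacy_authz:
            where = ", ".join(map(str, vh.legacy_authz))
            findings.append(f"line {vh.line}: <VirtualHost {vh.address}>: Order/Allow/Deny at lines {where}; "
                            "on httpd 2.4 use Require and unload mod_access_compat")
    return findings

# Constructed sample modelled on the thread's config; not the poster's actual file.
SAMPLE_CONFIG = """
NameVirtualHost *.443
<VirtualHost 192.168.1.10:443>
    ServerName www.site1.com
    <Directory /home/httpd/sites/site1>
        Order allow,deny
        Allow from all
    </Directory>
    SSLEngine on
    SSLCertificateFile /etc/ssl/site1.ca/server.crt
    SSLCertificateKeyFile /etc/ssl/site1.ca/server.key
</VirtualHost>
<VirtualHost 1932.168.1.10:443>
    ServerName www.site2.com
    SSLCertificateFile /etc/ssl/site2.ca/server.crt
    SSLCertificateKeyFile /etc/ssl/site2.ca/server.key
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in lint_ssl_vhosts(SAMPLE_CONFIG):
        print(finding)
```

On the sample this reports six findings: the "*.443" separator, the two IP-based vhost addresses, the impossible octet 1932, the Order/Allow block, and the second vhost's missing SSLEngine on. The linter only reads the file; `apachectl -S` remains the authoritative view of what httpd actually loaded, and the vhost it lists first for *:443 is the default that non-SNI clients, and any SNI name matching no ServerName or ServerAlias, are served with that vhost's certificate, which is exactly the "cert is for site1" symptom in the thread.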