Certificate config problem
on 28.06.2002 11:16:41 by Jon Still
Hi all,
Apologies if this has been asked before - I'm very new to this list.
I'm running Apache 1.3.26 with mod-ssl 2.8.9-1.3.26. There are many domains
on the box in question (40ish) and 2 of them use SSL. For the sake of
argument let's call them example.com and example2.com - these are both
name-based virtual servers.
I've created certificates for them using the ssl.ca package - I created my
own root CA and then generated/signed certificates for both domains,
providing the correct CN in each case.
So we have example.com CA key signing server certificates for
www.example.com and www.example2.com.
Whenever I go to https://www.example.com/ - it works great. No problems
whatsoever. However with https://www.example2.com/ it seems to be using the
certificate for www.example.com - IE pops up the error saying that the name
on the cert doesn't match the site name.
The thing that is baffling me is that this *did* work at one point. I first
set up SSL and got it working perfectly for both domains around about July
last year - using whatever was the latest version at that point.
The ssl_engine_log file shows the following for a request for a single HTML
file on www.example2.com
[28/Jun/2002 10:14:04 01309] [info] Connection to child 6 established
(server www.example.com:443, client 217.135.39.70)
[28/Jun/2002 10:14:04 01309] [info] Seeding PRNG with 23177 bytes of
entropy
[28/Jun/2002 10:14:04 01309] [info] Connection: Client IP: 217.135.39.70,
Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[28/Jun/2002 10:14:04 01309] [info] Connection to child 6 closed with
standard shutdown (server www.example.com:443, client 217.135.39.70)
[28/Jun/2002 10:14:06 01310] [info] Connection to child 7 established
(server www.example.com:443, client 217.135.39.70)
[28/Jun/2002 10:14:06 01310] [info] Seeding PRNG with 23177 bytes of
entropy
[28/Jun/2002 10:14:07 01310] [info] Connection: Client IP: 217.135.39.70,
Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[28/Jun/2002 10:14:07 01310] [info] Initial (No.1) HTTPS request received
for child 7 (server www.example2.com:443)
[28/Jun/2002 10:14:07 01310] [info] Connection to child 7 closed with
unclean shutdown (server www.example2.com:443, client 217.135.39.70)
The useful parts of my httpd.conf are in the attached file.
If anyone could help with this I'd be extremely grateful.
Cheers,
Jon.
Attachment: ssl-conf.txt
Port 80
User nobody
Group nobody
ServerAdmin webmaster@example.com
ServerName www.example.com
DocumentRoot "/home/httpd/html"
## SSL Global Stuff
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
Listen x.x.x.x:80
Listen x.x.x.x:443
Listen x.x.x.y:80
SSLPassPhraseDialog builtin
#SSLSessionCache none
#SSLSessionCache shmht:logs/ssl_scache(512000)
#SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
SSLLog logs/ssl_engine_log
SSLLogLevel info
### Section 3: Virtual Hosts
NameVirtualHost x.x.x.x:80
NameVirtualHost x.x.x.x:443

<VirtualHost x.x.x.x:80>
DocumentRoot /home/httpd/html
ServerName www.example.com
....
</VirtualHost>

<VirtualHost x.x.x.x:443>
DocumentRoot /home/httpd/html
ServerName www.example.com
....
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/www.example.com.crt
SSLCertificateKeyFile /etc/httpd/conf/www.example.com.key
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>

<VirtualHost x.x.x.x:80>
DocumentRoot /home/jon/domains/example2.com
ServerName www.example2.com
ServerAdmin webmaster@example2.com
....
</VirtualHost>

<VirtualHost x.x.x.x:443>
DocumentRoot /home/jon/domains/example2.com
ServerName www.example2.com
ServerAdmin webmaster@example2.com
....
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/www.example2.com.crt
SSLCertificateKeyFile /etc/httpd/conf/www.example2.com.key
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: Certificate config problem
on 28.06.2002 11:29:49 by Jimmy Lantz
Hi Jon!
Your problem lies in that you have name-based and not IP-based virtual hosts
for the SSL ones!
The FAQ at modssl explains better why....
Change it to 2 IP-based and you're in the clear!
/ HTH
Jimmy
At 10:16 2002-06-28 +0100, you wrote:
>Hi all,
>
>Apologies if this has been asked before - I'm very new to this list.
>
>I'm running Apache 1.3.26 with mod-ssl 2.8.9-1.3.26. There are many domains
>on the box in question (40ish) and 2 of them use SSL. For the sake of
>argument let's call them example.com and example2.com - these are both
>name-based virtual servers.
>
>I've created certificates for them using the ssl.ca package - I created my
>own root CA and then generated/signed certificates for both domains,
>providing the correct CN in each case.
>
>So we have example.com CA key signing server certificates for
>www.example.com and www.example2.com.
>
>Whenever I go to https://www.example.com/ - it works great. No problems
>whatsoever. However with https://www.example2.com/ it seems to be using the
>certificate for www.example.com - IE pops up the error saying that the name
>on the cert doesn't match the site name.
>
>The thing that is baffling me is that this *did* work at one point. I first
>set up SSL and got it working perfectly for both domains around about July
>last year - using whatever was the latest version at that point.
>
>The ssl_engine_log file shows the following for a request for a single HTML
>file on www.example2.com
>
>[28/Jun/2002 10:14:04 01309] [info] Connection to child 6 established
>(server www.example.com:443, client 217.135.39.70)
>[28/Jun/2002 10:14:04 01309] [info] Seeding PRNG with 23177 bytes of
>entropy
>[28/Jun/2002 10:14:04 01309] [info] Connection: Client IP: 217.135.39.70,
>Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
>[28/Jun/2002 10:14:04 01309] [info] Connection to child 6 closed with
>standard shutdown (server www.example.com:443, client 217.135.39.70)
>[28/Jun/2002 10:14:06 01310] [info] Connection to child 7 established
>(server www.example.com:443, client 217.135.39.70)
>[28/Jun/2002 10:14:06 01310] [info] Seeding PRNG with 23177 bytes of
>entropy
>[28/Jun/2002 10:14:07 01310] [info] Connection: Client IP: 217.135.39.70,
>Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
>[28/Jun/2002 10:14:07 01310] [info] Initial (No.1) HTTPS request received
>for child 7 (server www.example2.com:443)
>[28/Jun/2002 10:14:07 01310] [info] Connection to child 7 closed with
>unclean shutdown (server www.example2.com:443, client 217.135.39.70)
>
>The useful parts of my httpd.conf are in the attached file.
>
>If anyone could help with this I'd be extremely grateful.
>
>Cheers,
>Jon.
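For reference, the IP-based layout Jimmy recommends, written out as an added example rather than a configuration posted in the thread. It reuses Jon's placeholders x.x.x.x and x.x.x.y (the second address appears in his existing Listen lines) and assumes the certificate paths and DocumentRoots from his attachment are unchanged:

```apache
# Why name-based dispatch cannot work for SSL here: the server must pick a
# certificate during the SSL handshake, before it can read the encrypted
# HTTP Host: header, so mod_ssl 2.8 can only select by the IP:port the client
# connected to. Each SSL site therefore needs its own address on port 443.
Listen x.x.x.x:80
Listen x.x.x.x:443
Listen x.x.x.y:80
# Assumed addition: the second address must also answer on 443.
Listen x.x.x.y:443

# Name-based hosts are fine for plain HTTP on port 80 ...
NameVirtualHost x.x.x.x:80
# ... but there is deliberately no NameVirtualHost line for port 443.

<VirtualHost x.x.x.x:443>
    ServerName www.example.com
    DocumentRoot /home/httpd/html
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/www.example.com.key
</VirtualHost>

<VirtualHost x.x.x.y:443>
    ServerName www.example2.com
    DocumentRoot /home/jon/domains/example2.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/www.example2.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/www.example2.com.key
</VirtualHost>
```

To confirm the fix without a browser, `openssl s_client -connect x.x.x.y:443` should print a certificate whose subject CN is www.example2.com, and the same command against x.x.x.x:443 should show www.example.com.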
RE: Certificate config problem
on 28.06.2002 15:45:04 by Noah White
I noticed you said you used the ssl.ca package to create a root CA etc. What
is this package and where can I get it?
The issue I am running into is similar. I produced self-signed certs using
openssl, but when I connect to the site with IE, since it isn't in its root CA
list, I get the pop-up saying it's untrusted.
Did you get around this? If so how? Thanks much.
-Noah
> -----Original Message-----
> From: Jon Still [mailto:jon-pop@tertial.org]
> Sent: Friday, June 28, 2002 5:17 AM
> To: modssl-users@modssl.org
> Subject: Certificate config problem
>
> Hi all,
>
> Apologies if this has been asked before - I'm very new to this list.
>
> I'm running Apache 1.3.26 with mod-ssl 2.8.9-1.3.26. There are many
> domains
> on the box in question (40ish) and 2 of them use SSL. For the sake of
> argument let's call them example.com and example2.com - these are both
> name-based virtual servers.
>
> I've created certificates for them using the ssl.ca package - I created my
> own root CA and then generated/signed certificates for both domains,
> providing the correct CN in each case.
>
> So we have example.com CA key signing server certificates for
> www.example.com and www.example2.com.
>
> Whenever I go to https://www.example.com/ - it works great. No problems
> whatsoever. However with https://www.example2.com/ it seems to be using
> the
> certificate for www.example.com - IE pops up the error saying that the
> name
> on the cert doesn't match the site name.
>
> The thing that is baffling me is that this *did* work at one point. I
> first
> set up SSL and got it working perfectly for both domains around about July
> last year - using whatever was the latest version at that point.
>
> The ssl_engine_log file shows the following for a request for a single
> HTML
> file on www.example2.com
>
> [28/Jun/2002 10:14:04 01309] [info] Connection to child 6 established
> (server www.example.com:443, client 217.135.39.70)
> [28/Jun/2002 10:14:04 01309] [info] Seeding PRNG with 23177 bytes of
> entropy
> [28/Jun/2002 10:14:04 01309] [info] Connection: Client IP: 217.135.39.70,
> Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
> [28/Jun/2002 10:14:04 01309] [info] Connection to child 6 closed with
> standard shutdown (server www.example.com:443, client 217.135.39.70)
> [28/Jun/2002 10:14:06 01310] [info] Connection to child 7 established
> (server www.example.com:443, client 217.135.39.70)
> [28/Jun/2002 10:14:06 01310] [info] Seeding PRNG with 23177 bytes of
> entropy
> [28/Jun/2002 10:14:07 01310] [info] Connection: Client IP: 217.135.39.70,
> Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
> [28/Jun/2002 10:14:07 01310] [info] Initial (No.1) HTTPS request received
> for child 7 (server www.example2.com:443)
> [28/Jun/2002 10:14:07 01310] [info] Connection to child 7 closed with
> unclean shutdown (server www.example2.com:443, client 217.135.39.70)
>
> The useful parts of my httpd.conf are in the attached file.
>
> If anyone could help with this I'd be extremely grateful.
>
> Cheers,
> Jon.
RE: Certificate config problem
on 28.06.2002 16:00:43 by Jon Still
Noah,
> I noticed you said you used the ssl.ca package to create a root
> CA etc. What
> is this package and where can I get it?
The ssl.ca package is essentially a set of openssl wrapper scripts for
acting as a simple CA. It just saves you having to remember the complicated
openssl commands to gen/sign certs.
http://www.openssl.org/contrib/
> The issue I am running into is similar. I produced self-signed certs using
> openssl but when I connect to the site with IE since it isn't in
> its root CA
> list I get the pop-up saying its untrusted.
You will *still* have the issue with IE because your root CA is not
recognised by the browser. You *can* however take the ca.crt file produced
by ssl.ca/openssl and import this into IE. This will prevent the error
message that there is no certification chain.
Hope this helps.
Cheers,
Jon.