problem installing cert on virtual host

problem installing cert on virtual host

on 15.03.2003 01:20:26 by Dan McComb

I've successfully installed one virtual host on my server to listen on
port 443, and it's been running great. But when I added another virtual
host directive to listen on same port further down in the file, I find
that the first listener is the one that "picks up" the request. This
results in an error in IE: "the identity certificate name is not
correct." If I comment out the first virtual host, the problem
disappears and the second one works fine. I need them to work
together...

Anyone know how can I configure my virtual hosts/httpd.conf to avoid
this problem?

/dan mccomb

------------------------------------------------------------------------------------

Visual Contact
311 First Ave. S, Suite 200
Seattle, WA 98104

206.223.0417 Office
206.718.5361 Cell

dan@visualcontact.com
http://www.visualcontact.com


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: problem installing cert on virtual host

on 15.03.2003 01:58:38 by beau


Hi - I'm new to mod_ssl, but have just successfully
done what you are describing. Can you post
the pertinent part of your httpd.conf?

Also - do you point to each servers' certificate
and private key within each vhost with the
SSLCertificateFile and
SSLCertificateKeyFile directives?

Aloha => Beau;


Re: problem installing cert on virtual host

on 15.03.2003 02:14:01 by Dan McComb

Thanks Beau,

Here are the pertinent bits (this file may look a bit strange -- it's a
Mac OS X Server conf file, but functions in almost every way like a
traditional httpd.conf file):

NameVirtualHost 63.231.43.185:443
Listen 63.231.43.185:443

<VirtualHost 63.231.43.185:443>
ServerName ncascades.org
#WebPerfCacheEnable Off
#SiteAutomaticallyDisabled Off
ServerAdmin dan@visualcontact.com
DocumentRoot "/Volumes/Bigone/Accounts/nci/Sites"
DirectoryIndex index.html index.ldmx
CustomLog "/Volumes/Bigone/Accounts/nci/Logs/access_log" combined
ErrorLog "/Volumes/Bigone/Accounts/nci/Logs/error_log"

SSLEngine On
SSLLog "/private/var/log/httpd/ssl_engine_log"
#SSLCertificateChainFile "/private/etc/httpd/ssl.crt/ca.crt159"
SSLCertificateFile "/private/etc/httpd/ssl.crt/server.crt159"
SSLCertificateKeyFile "/private/etc/httpd/ssl.key/server.key159"
# "-HIGH:-MEDIUM:-LOW" removes every normal-strength cipher, so this string
# leaves essentially only the 40-bit export-grade RSA ciphers enabled
SSLCipherSuite "RSA:-HIGH:-MEDIUM:-LOW:+EXP"
#SSLPassPhrase ncascades.org:443 "blahblah"

DAVLockDB "/private/var/run/davlocks/.davlock159"
DAVMinTimeout 600

# (the opening and closing tags of the container directives around the
# rest of this vhost were lost when the message was archived; only their
# contents survive)
Options All +MultiViews +ExecCGI -Indexes
AllowOverride All

DAV Off

AuthName "ncascades.org"
AuthType Basic

Require no-user

</VirtualHost>

#NameVirtualHost 63.231.43.185:443
#Listen 63.231.43.185:443

<VirtualHost 63.231.43.185:443>
ServerName www.pacific-papers.com
#WebPerfCacheEnable Off
#SiteAutomaticallyDisabled Off
ServerAdmin dan@visualcontact.com
DocumentRoot "/Volumes/Bigone/Accounts/pacific_paper/Sites"
DirectoryIndex index.html index.ldmx
CustomLog "/Volumes/Bigone/Accounts/nci/Logs/access_log" combined
ErrorLog "/Volumes/Bigone/Accounts/nci/Logs/error_log"

SSLEngine On
SSLLog "/private/var/log/httpd/ssl_engine_log"
#SSLCertificateChainFile "/private/etc/httpd/ssl.crt/ca.crt160"
SSLCertificateFile "/private/etc/httpd/ssl.crt/server.crt160"
SSLCertificateKeyFile "/private/etc/httpd/ssl.key/server.key160"
# same export-only cipher string as the first vhost
SSLCipherSuite "RSA:-HIGH:-MEDIUM:-LOW:+EXP"
#SSLPassPhrase www.pacific-papers.com:443 "blahblah"

DAVLockDB "/private/var/run/davlocks/.davlock160"
DAVMinTimeout 600

# (container directive tags lost in archiving, as above)
Options All +MultiViews +ExecCGI -Indexes
AllowOverride All

DAV Off

AuthName "www.pacific-papers.com"
AuthType Basic

Require no-user

</VirtualHost>




Re: problem installing cert on virtual host

on 15.03.2003 07:47:41 by beau

Hi -

I see nothing wrong with your conf file. I have some
suggestions:

* since your SSL servers work one at a time, perhaps
this is not an SSL problem. Remember, the first
vhost is the 'default': any request that does
not match a name (within that ip:port group)
is sent to that first server. Why don't you comment
out the SSL directives, change the ports to 80,
and see if you can browse to each vhost?

* in the same vein, is your BIND (DNS) server set up
OK?

* you may want to look at each server cert:

openssl x509 -noout -text -in <server>.crt

the subject CN should match the server name.

* if your certs are self-signed, your browser
will give you an error - that the CA is not
recognized as trusted - but everything else
should be OK if your CN matches the server
name.

Let me know how it goes...

Aloha => Beau;


Re: problem installing cert on virtual host

on 15.03.2003 08:12:20 by jeff

Actually, the answer is RTFM..

You can not have multiple SSL vhosts responding to one IP/port
combination.. The FIRST SSL vhost will ALWAYS respond when making the
connection.. This is due to how the protocol works..

Refer to http://marc.theaimsgroup.com/?l=apache-modssl&m=98576871506980&w=2
for more info

Rgds
Jeff


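What Jeff describes is a property of the SSL/TLS handshake as browsers and mod_ssl implemented it when this thread was written: the server has to send its certificate before it has seen the HTTP Host header, so within one ip:port group it can only ever send the first <VirtualHost>'s certificate, and the browser then complains that the name in it does not match the URL. The TLS server_name extension (SNI, first published in RFC 3546 a few months after this thread, now RFC 6066, and honoured by mod_ssl from Apache httpd 2.2.12 on when OpenSSL is built with TLS extensions) closes the gap by putting the hostname into the ClientHello. The Go program below is an added example written for this page, not code from the thread, from mod_ssl or from the Apache FAQ; it runs both behaviours side by side with a single flag. It assumes: a loopback port stands in for 63.231.43.185:443; the two vhost names are taken from the posted config but the certificates are throwaway self-signed ones generated in process; honourSNI=false stands for the 2003-era server, and sendSNI=false for a browser of that era such as the IE in the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned makes a throwaway self-signed certificate whose CN and SAN are
// both host, the two names a browser compares against the URL's hostname.
func selfSigned(host string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startServer serves vhosts on a loopback port the way mod_ssl serves one
// ip:port group: the first <VirtualHost> is the default. honourSNI=false is
// the 2003 behaviour (no server_name extension, so the default vhost's cert
// goes to every client); honourSNI=true picks the vhost whose CN equals the
// name the client sent and falls back to the default otherwise.
func startServer(vhosts []tls.Certificate, honourSNI bool) (addr string, stop func()) {
	cfg := &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if honourSNI {
				for i := range vhosts {
					if vhosts[i].Leaf.Subject.CommonName == hello.ServerName {
						return &vhosts[i], nil
					}
				}
			}
			return &vhosts[0], nil // first vhost in the file wins
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	must(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			go func(c net.Conn) { // finish the handshake, then hang up
				defer c.Close()
				c.(*tls.Conn).Handshake()
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// servedCert connects to addr wanting host and returns the certificate the
// server presented. sendSNI=false omits server_name, as the IE in the thread did.
func servedCert(addr, host string, sendSNI bool) (*x509.Certificate, error) {
	cfg := &tls.Config{InsecureSkipVerify: true} // inspect the wrong cert rather than reject it
	if sendSNI {
		cfg.ServerName = host
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

// nameMatches is the browser's check behind "the identity certificate name is
// not correct": does host appear in the certificate's SAN (or legacy CN)?
func nameMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	vhosts := []tls.Certificate{selfSigned("ncascades.org"), selfSigned("www.pacific-papers.com")}
	for _, honourSNI := range []bool{false, true} {
		addr, stop := startServer(vhosts, honourSNI)
		for _, sendSNI := range []bool{false, true} {
			cert, err := servedCert(addr, "www.pacific-papers.com", sendSNI)
			must(err)
			fmt.Printf("server honours SNI=%-5v client sends SNI=%-5v cert for %-23s name ok=%v\n",
				honourSNI, sendSNI, cert.Subject.CommonName, nameMatches(cert, "www.pacific-papers.com"))
		}
		stop()
	}
}
```

Run it with go run; the four printed lines show that only the combination of an SNI-aware server and an SNI-sending client gets the www.pacific-papers.com certificate, and that in every other case the client receives the ncascades.org certificate and fails the name check exactly as IE did. Without SNI the only ways out are the ones the Apache FAQ lists and Dan eventually took: give each SSL vhost its own ip:port group, either a second IP address or, as he did, a second port, so that the default-vhost rule never has to choose.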

Re: problem installing cert on virtual host

on 15.03.2003 09:51:58 by beau

On 15 Mar 2003 at 17:12, Jeff wrote:

> Actually, the answer is RTFM..
>
> You can not have multiple SSL vhosts responding to one IP/port
> combination.. The FIRST SSL vhost will ALWAYS respond when making the
> connection.. This is due to how the protocol works..
>
> Refer to http://marc.theaimsgroup.com/?l=apache-modssl&m=98576871506980&w=2
> for more info

Thanks Jeff - upon redoing my tests I found that
I was getting the first 443 server also; I found
the info here:

http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts

Aloha => Beau;

Re: problem installing cert on virtual host

on 15.03.2003 15:28:31 by dufresne

If this is tough to get into the FAQ, being that it is asked weekly, perhaps it
can be added to the footer of list messages?

Thanks,

Ron DuFresne

On Sat, 15 Mar 2003, Jeff wrote:

> Actually, the answer is RTFM..
>
> You can not have multiple SSL vhosts responding to one IP/port
> combination.. The FIRST SSL vhost will ALWAYS respond when making the
> connection.. This is due to how the protocol works..
>
> Refer to http://marc.theaimsgroup.com/?l=apache-modssl&m=98576871506980&w=2
> for more info
>
> Rgds
> Jeff

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!


Re: problem installing cert on virtual host

on 16.03.2003 01:04:38 by Dan McComb

Thanks Beau and Jeff for your help in resolving this.

I was able to get it working very quickly by assigning the second
virtual host to listen on another port number.

Best,

/dan

On Friday, March 14, 2003, at 11:12 PM, Jeff wrote:

> Actually, the answer is RTFM..
>
> You can not have multiple SSL vhosts responding to one IP/port
> combination.. The FIRST SSL vhost will ALWAYS respond when making the
> connection.. This is due to how the protocol works..
>
> Refer to
> http://marc.theaimsgroup.com/?l=apache-modssl&m=98576871506980&w=2
> for more info
>
> Rgds
> Jeff
>
> ----- Original Message -----
> From:
> To:
> Sent: Saturday, March 15, 2003 4:47 PM
> Subject: Re: problem installing cert on virtual host
>
>
>> On 14 Mar 2003 at 17:14, Dan McComb wrote:
>>
>>> Thanks Beau,
>>>
>>> Here's the pertinent bits (this file may look a bit strange -- it's a
>>> Mac OS X Server conf file, but functions in almost every way like
>>> traditional http.conf file):
>>> [...]
>>>
>>> On Friday, March 14, 2003, at 04:58 PM, beau@beaucox.com wrote:
>>>
>>>> On 14 Mar 2003 at 16:20, Dan McComb wrote:
>>>>
>>>>> I've successfully installed one virtual host on my server to listen
> on
>>>>> port 443, and it's been running great. But when I added another
>>>>> virtual
>>>>> host directive to listen on same port further down in the file, I
> find
>>>>> that the first listener is the one that "picks up" the request.
>>>>> This
>>>>> results in an error in IE: "the identity certificate name is not
>>>>> correct." If I comment out the first virtual host, the problem
>>>>> disappears and the second one works fine. I need them to work
>>>>> together...
>>>>>
>>>>> Anyone know how can I configure my virtual hosts/httpd.conf to
>>>>> avoid
>>>>> this problem?
>>>>>
>>>>> /dan mccomb
>>>>>
>>>
>>> ------------------------------------------------------------ ---------
>>> -
>>>>> --
>>>>> ------------
>>>>>
>>>> [...]
>>
>> Hi -
>>
>> I see nothing wrong with your conf file. I have some
>> suggestions:
>>
>> * since your SSL servers work one at a time, perhaps
>> this is not an SSL problem. Remember, the first
>> vhost is the 'default': any request that does
>> not match a name (within that ip:port group)
>> is sent to that first server. Why don't you comment
>> out the SSL directives, change the ports to 80,
>> and see if you can browse to each vhost?
>>
>> * in the same vein, is you bind (dns) server setup
>> OK?
>>
>> * you may want to look at each server cert:
>>
>> openssl rsa -noout -text -in .crt
>>
>> the subject CN should match the server name.
>>
>> * if you certs are self-signed, your browser
>> will give you an error - that the CA is not
>> recognized as trusted - but everything else
>> should be OK if your CN matches the server
>> name.
>>
>> Let me know how it goes...
>>
>> Aloha => Beau;
>>
>> ____________________________________________________________ __________
>> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>> User Support Mailing List modssl-users@modssl.org
>> Automated List Manager majordomo@modssl.org
>>
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
>
