Multiple SSL sites, Multiple IP Addresses

on 19.11.2007 19:21:29 by Henry Hartley

I've been running an Apache 2.0 server for a while with multiple name-
based virtual sites on port 80 and one SSL site on the same IP
address. I need to add a second SSL site and I'm having trouble with
the configuration. I have an available IP Address so that's not a
problem. In /etc/httpd/conf/httpd.conf I have these lines (among many
others, of course):

NameVirtualHost *:80
NameVirtualHost *:443

Then, in the /etc/httpd/conf.d/sslsite.conf file, I have this:


ServerName www.foobar.com
Redirect / http://www.foobar.com/



DocumentRoot /path/to/foobar/docs
ServerName www.foobar.com:443
ServerAdmin hls@foobar.com
....

That's working right now.

When I tried to add a second SSL server, however, I get the same
certificate for both, (when I can get anything at all). What I'm
thinking is that the problem comes from the fact that although I have
two public IP Addresses, the router is converting them to the same
private address for use on the server.

To test this, I set everything back to the working (single SSL site)
state. Then I changed the line above to
. When I restart apache now, it
complains that NameVirtualHost *:443 has no VirtualHosts but I figured
that's okay but maybe not. When I browse to the site, Firefox gives
me an error message saying:

www.foobar.com has sent an incorrect or unexpected message. Error
Code: -12263

So, that's not right. What should the VirtualHost line have in it?
The public IP Address behaves the same way (Error -12263).

So, first question -- Is the router and single private address at
least part of my problem? If so, I'll create a second for the other
site.

Second question -- What should my apache configuration file look like?

--
HHH

Re: Multiple SSL sites, Multiple IP Addresses

on 19.11.2007 19:25:07 by Henry Hartley

On Nov 19, 1:21 pm, Harvey Schmidlapp wrote:
> To test this, I set everything back to the working (single SSL site)
> state. Then I changed the line above to
> .

Doh! When I used 192.168.1.2 instead, which is the correct private
address, it worked. So, my guess is that I'd just add a second
private address and then set up static NAT to map the public IP
address for the second site to that. I'll try that. Sorry for the
bother. If this is wrong, feel free to jump in and correct me.

--
HHH

Re: Multiple SSL sites, Multiple IP Addresses

on 20.11.2007 10:12:53 by phantom

"Harvey Schmidlapp" wrote in message
news:f27a7941-ea71-42b9-8e02-29990e318569@f3g2000hsg.googlegroups.com...
> I've been running an Apache 2.0 server for a while with multiple name-
> based virtual sites on port 80 and one SSL site on the same IP
> address. I need to add a second SSL site and I'm having trouble with
> the configuration. I have an available IP Address so that's not a
> problem. In /etc/httpd/conf/httpd.conf I have these lines (among many
> others, of course):
>
> NameVirtualHost *:80
> NameVirtualHost *:443
>
> Then, in the /etc/httpd/conf.d/sslsite.conf file, I have this:
>
>
> ServerName www.foobar.com
> Redirect / http://www.foobar.com/
>

>
>
> DocumentRoot /path/to/foobar/docs
> ServerName www.foobar.com:443
> ServerAdmin hls@foobar.com
> ...

You can only properly have one SSL site per IP address, so you need to throw
away any reference to *:443 and use something similar to the following:

NameVirtualHost 1.1.1.1:443

....


NameVirtualHost 1.1.1.2:443

....
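As an added example (not part of any post in this thread), a small Python checker for the rule phantom states: it parses Apache VirtualHost blocks, groups the SSL-enabled ones by listen address, and flags any address that would have to serve more than one certificate. The sample configs, the second site www.example.net, the address 192.168.1.3 and the certificate paths are constructed for the demonstration; 192.168.1.2 is the private address from the thread.

```python
import re
from collections import defaultdict
# Constructed sample (not the poster's real file): two SSL sites hung off the
# same wildcard socket, the layout that handed out one certificate for both.
BROKEN_CONF = """
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName www.foobar.com:443
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/foobar.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.net:443
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/example.crt
</VirtualHost>
"""

# Same sites, each bound to its own private address (192.168.1.2 is from the
# thread, 192.168.1.3 is assumed), the layout phantom's reply recommends.
FIXED_CONF = (BROKEN_CONF
    .replace("NameVirtualHost *:443",
             "NameVirtualHost 192.168.1.2:443\nNameVirtualHost 192.168.1.3:443")
    .replace("<VirtualHost *:443>", "<VirtualHost 192.168.1.2:443>", 1)
    .replace("<VirtualHost *:443>", "<VirtualHost 192.168.1.3:443>", 1))

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_ssl_vhosts(conf):
    """(address, ServerName, SSLCertificateFile) for each vhost with SSLEngine on."""
    found = []
    for m in VHOST_RE.finditer(conf):
        addr, body = m.group(1).strip(), m.group(2)
        if not re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I):
            continue
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M | re.I)
        found.append((addr, name and name.group(1), cert and cert.group(1)))
    return found

def find_cert_collisions(conf):
    """Map each listen address to its (ServerName, cert) pairs when more than one
    certificate shares it. Without SNI (Apache 2.0 has none) the certificate is
    picked by IP:port before any Host header exists, so such an address hands
    every client the first vhost's certificate, the symptom in the thread."""
    by_addr = defaultdict(list)
    for addr, name, cert in parse_ssl_vhosts(conf):
        by_addr[addr].append((name, cert))
    return {a: v for a, v in by_addr.items() if len({c for _, c in v}) > 1}
```

Run it over httpd.conf and the conf.d files after each change: an empty result for the SSL vhosts means each certificate has an address of its own.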

Re: Multiple SSL sites, Multiple IP Addresses

on 21.11.2007 00:59:03 by shimmyshack

On Nov 20, 9:12 am, "phantom" wrote:
> "Harvey Schmidlapp" wrote in message
>
> news:f27a7941-ea71-42b9-8e02-29990e318569@f3g2000hsg.googlegroups.com...
>
>
>
> > I've been running an Apache 2.0 server for a while with multiple name-
> > based virtual sites on port 80 and one SSL site on the same IP
> > address. I need to add a second SSL site and I'm having trouble with
> > the configuration. I have an available IP Address so that's not a
> > problem. In /etc/httpd/conf/httpd.conf I have these lines (among many
> > others, of course):
>
> > NameVirtualHost *:80
> > NameVirtualHost *:443
>
> > Then, in the /etc/httpd/conf.d/sslsite.conf file, I have this:
>
> >
> > ServerName www.foobar.com
> > Redirect / http://www.foobar.com/
> >

>
> >
> > DocumentRoot /path/to/foobar/docs
> > ServerName www.foobar.com:443
> > ServerAdmin h...@foobar.com
> > ...
>
> You can only properly have one SSL site per IP address, so you need to throw
> away any reference to *:443 and use something similar to the following:
>
> NameVirtualHost 1.1.1.1:443
>
> ...
>

>
> NameVirtualHost 1.1.1.2:443
>
> ...
>


there's info on how to generate multiple certs for a single ip address
here:
http://wiki.cacert.org/wiki/VhostTaskForce
http://www.cacert.org (which hasn't reached the status of a recognized
Certificate Authority, but is aiming to be included in browsers
soonish) can do it free

Re: Multiple SSL sites, Multiple IP Addresses

on 21.11.2007 21:24:32 by spam

"shimmyshack" wrote in message
news:0d2bd90a-3ccd-4f2c-a369-50ad4a84a586@41g2000hsh.googlegroups.com...
> On Nov 20, 9:12 am, "phantom" wrote:
> > "Harvey Schmidlapp" wrote in message
> >
> > news:f27a7941-ea71-42b9-8e02-29990e318569@f3g2000hsg.googlegroups.com...
> >
> >
> >
> > > I've been running an Apache 2.0 server for a while with multiple name-
> > > based virtual sites on port 80 and one SSL site on the same IP
> > > address. I need to add a second SSL site and I'm having trouble with
> > > the configuration. I have an available IP Address so that's not a
> > > problem. In /etc/httpd/conf/httpd.conf I have these lines (among many
> > > others, of course):
> >
> > > NameVirtualHost *:80
> > > NameVirtualHost *:443
> >
> > > Then, in the /etc/httpd/conf.d/sslsite.conf file, I have this:
> >
> > >
> > > ServerName www.foobar.com
> > > Redirect / http://www.foobar.com/
> > >

> >
> > >
> > > DocumentRoot /path/to/foobar/docs
> > > ServerName www.foobar.com:443
> > > ServerAdmin h...@foobar.com
> > > ...
> >
> > You can only properly have one SSL site per IP address, so you need to throw
> > away any reference to *:443 and use something similar to the following:
> >
> > NameVirtualHost 1.1.1.1:443
> >
> > ...
> >

> >
> > NameVirtualHost 1.1.1.2:443
> >
> > ...
> >

>
> there's info on how to generate multiple certs for a single ip address
> here:
> http://wiki.cacert.org/wiki/VhostTaskForce
> http://www.cacert.org (which hasn't reached the status of a recognized
> Certificate Authority, but is aiming to be included in browsers
> soonish) can do it free

BS. It's not possible to have multiple certificates. The SSL layer is
negotiated before the application layer - and only the application layer knows
which virtual host is being contacted. As the certificate DN must match and the
certificate is selected based on IP, there can only be one certificate per IP
address+port. Wildcarding of the DN may have been proposed but never made it
into the standard - because it weakens security.