apache with 2 SSL Certs Problem
on 13.11.2009 03:15:58 by Randy Paries
Hello,
i have a box with two domains
CentOS release 5.3
Server version: Apache/2.2.3
initially the box only had one IP and domain.
I went and got a SSL cert for that domain and everything was fine.
i then went and added a second IP and a second Domain (eventually i
planned to split these)
I then created a test self signed cert for the second domain/IP (same NIC card)
Since i have done that my first domain/IP SSL gives me the error
message that it is the incorrect cert
"cert belongs to a different site" and when i look at the cert via FF
it is all localhost / self signed stuff
i even yesterday tried to re-issue the old cert
openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr
I have removed the ssl on the second domain for now
in my httpd.conf I am pointing to the key and crt i just created
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/www.mydomain.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.mydomain.com.key
in the SSL error log i see
[Thu Nov 12 09:26:41 2009] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Thu Nov 12 09:26:41 2009] [warn] RSA server certificate CommonName
(CN) `localhost.localdomain' does NOT match server name!?
I would really appreciate any help
Randy
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: apache with 2 SSL Certs Problem
on 13.11.2009 08:29:33 by Krist van Besien
On Fri, Nov 13, 2009 at 3:15 AM, Randy Paries wrote:
> Hello,
> i have a box with two domains
> CentOS release 5.3
> Server version: Apache/2.2.3
>
> initially the box only had one IP and domain.
>
> I went and got a SSL cert for that domain and everything was fine.
>
> i then went and added a second IP and a second Domain (eventually i
> planned to split these)
>
> I then created a test self signed cert for the second domain/IP (same NIC card)
>
> Since i have done that my first domain/IP SSL gives me the error
> message that it is the incorrect cert
> "cert belongs to a different site" and when i look at the cert via FF
> it is all localhost / self signed stuff
>
> i even yesterday tried to re-issue the old cert
> openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr
>
> I have removed the ssl on the second domain for now
>
> in my httpd.conf I am pointing to the key and crt i just created
>    SSLEngine on
>    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.mydomain.com.crt
>    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.mydomain.com.key
>
> in the SSL error log i see
> [Thu Nov 12 09:26:41 2009] [warn] RSA server certificate is a CA
> certificate (BasicConstraints: CA == TRUE !?)
> [Thu Nov 12 09:26:41 2009] [warn] RSA server certificate CommonName
> (CN) `localhost.localdomain' does NOT match server name!?
You need to give us some more information. What have you done to make
sure that the right IP is associated with the right SSL instance and
certificate? This does not happen automatically.
Normally you should have two virtualhosts in your httpd.conf, each
with its own SSL directives. Could you show us more of your config?
Krist
--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
Re: apache with 2 SSL Certs Problem
on 13.11.2009 09:23:38 by Suresh Visvanathan
IP based virtual hosting will help you. read thru this http://httpd.apache.org/docs/1.3/vhosts/ip-based.html
also you can have 2 include file with different IP listening and map there in the include file, to make it easy to maintenance.
also can you paste your httpd.conf file
thanks
-suresh
________________________________
From: Krist van Besien
To: users@httpd.apache.org
Sent: Fri, November 13, 2009 12:59:33 PM
Subject: Re: [users@httpd] apache with 2 SSL Certs Problem
On Fri, Nov 13, 2009 at 3:15 AM, Randy Paries wrote:
> Hello,
> i have a box with two domains
> CentOS release 5.3
> Server version: Apache/2.2.3
>
> initially the box only had one IP and domain.
>
> I went and got a SSL cert for that domain and everything was fine.
>
> i then went and added a second IP and a second Domain (eventually i
> planned to split these)
>
> I then created a test self signed cert for the second domain/IP (same NIC card)
>
> Since i have done that my first domain/IP SSL gives me the error
> message that it is the incorrect cert
> "cert belongs to a different site" and when i look at the cert via FF
> it is all localhost / self signed stuff
>
> i even yesterday tried to re-issue the old cert
> openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr
>
> I have removed the ssl on the second domain for now
>
> in my httpd.conf I am pointing to the key and crt i just created
> SSLEngine on
> SSLCertificateFile /etc/httpd/conf/ssl.crt/www.mydomain.com.crt
> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.mydomain.com.key
>
> in the SSL error log i see
> [Thu Nov 12 09:26:41 2009] [warn] RSA server certificate is a CA
> certificate (BasicConstraints: CA == TRUE !?)
> [Thu Nov 12 09:26:41 2009] [warn] RSA server certificate CommonName
> (CN) `localhost.localdomain' does NOT match server name!?
You need to give us some more information. What have you done to make
sure that the right IP is associated with the right SSL instance and
certificate? This does not happen automatically.
Normally you should have two virtualhosts in your httpd.conf, each
with its own SSL directives. Could you show us more of your config?
Krist
--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
Re: apache with 2 SSL Certs Problem
on 13.11.2009 16:40:38 by Randy Paries
On Fri, Nov 13, 2009 at 1:29 AM, Krist van Besien
wrote:
> On Fri, Nov 13, 2009 at 3:15 AM, Randy Paries wrote:
>> Hello,
>> i have a box with two domains
>> CentOS release 5.3
>> Server version: Apache/2.2.3
>>
>> initially the box only had one IP and domain.
>>
>> I went and got a SSL cert for that domain and everything was fine.
>>
>> i then went and added a second IP and a second Domain (eventually i
>> planned to split these)
>>
>> I then created a test self signed cert for the second domain/IP (same NIC card)
>>
>> Since i have done that my first domain/IP SSL gives me the error
>> message that it is the incorrect cert
>> "cert belongs to a different site" and when i look at the cert via FF
>> it is all localhost / self signed stuff
>>
>> i even yesterday tried to re-issue the old cert
>> openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr
>>
>> I have removed the ssl on the second domain for now
>>
>> in my httpd.conf I am pointing to the key and crt i just created
>>    SSLEngine on
>>    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.mydomain.com.crt
>>    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.mydomain.com.key
>>
>> in the SSL error log i see
>> [Thu Nov 12 09:26:41 2009] [warn] RSA server certificate is a CA
>> certificate (BasicConstraints: CA == TRUE !?)
>> [Thu Nov 12 09:26:41 2009] [warn] RSA server certificate CommonName
>> (CN) `localhost.localdomain' does NOT match server name!?
>
> You need to give us some more information. What have you done to make
> sure that the right IP is associated with the right SSL instance and
> certificate? This does not happen automatically.
>
> Normally you should have two virtualhosts in your httpd.conf, each
> with its own SSL directives. Could you show us more of your config?
>
>
> Krist
Hello,
Thanks for your help
this is how i have it set up.
when i generate the CSR do i need to do something special to bind the
CSR to a specific IP?
ServerAdmin webmaster@unitnet.com
DocumentRoot /home/unitfaces/
ServerName www.unitfaces.com
ServerAlias unitfaces.com
ErrorLog logs/unitfaces.com-error_log
CustomLog logs/unitfaces.com-access_log combined
ErrorLog logs/unitfacesSSL.com-error_log
CustomLog logs/unitfacesSSL.com-access_log combined
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.unitfaces.com.key
Re: apache with 2 SSL Certs Problem
on 13.11.2009 18:14:46 by Randy Paries
On Fri, Nov 13, 2009 at 9:40 AM, Randy Paries wrote:
> On Fri, Nov 13, 2009 at 1:29 AM, Krist van Besien
> wrote:
>> On Fri, Nov 13, 2009 at 3:15 AM, Randy Paries wrote:
>>> Hello,
>>> i have a box with two domains
>>> CentOS release 5.3
>>> Server version: Apache/2.2.3
>>>
>>> initially the box only had one IP and domain.
>>>
>>> I went and got a SSL cert for that domain and everything was fine.
>>>
>>> i then went and added a second IP and a second Domain (eventually i
>>> planned to split these)
>>>
>>> I then created a test self signed cert for the second domain/IP (same NIC card)
>>>
>>> Since i have done that my first domain/IP SSL gives me the error
>>> message that it is the incorrect cert
>>> "cert belongs to a different site" and when i look at the cert via FF
>>> it is all localhost / self signed stuff
>>>
>>> i even yesterday tried to re-issue the old cert
>>> openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr
>>>
>>> I have removed the ssl on the second domain for now
>>>
>>> in my httpd.conf I am pointing to the key and crt i just created
>>>    SSLEngine on
>>>    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.mydomain.com.crt
>>>    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.mydomain.com.key
>>>
>>> in the SSL error log i see
>>> [Thu Nov 12 09:26:41 2009] [warn] RSA server certificate is a CA
>>> certificate (BasicConstraints: CA == TRUE !?)
>>> [Thu Nov 12 09:26:41 2009] [warn] RSA server certificate CommonName
>>> (CN) `localhost.localdomain' does NOT match server name!?
>>
>> You need to give us some more information. What have you done to make
>> sure that the right IP is associated with the right SSL instance and
>> certificate? This does not happen automatically.
>>
>> Normally you should have two virtualhosts in your httpd.conf, each
>> with its own SSL directives. Could you show us more of your config?
>>
>>
>> Krist
>
> Hello,
> Thanks for your help
>
> this is how i have it set up.
> when i generate the CSR do i need to do something special to bind the
> CSR to a specific IP?
>
>
>    ServerAdmin webmaster@unitnet.com
>    DocumentRoot /home/unitfaces/
>
>    ServerName www.unitfaces.com
>    ServerAlias unitfaces.com
>
>    ErrorLog logs/unitfaces.com-error_log
>    CustomLog logs/unitfaces.com-access_log combined
>
>    ErrorLog logs/unitfacesSSL.com-error_log
>    CustomLog logs/unitfacesSSL.com-access_log combined
>
>    SSLEngine on
>    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt
>    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.unitfaces.com.key
>
>
>
also i have this in my httpd
NameVirtualHost 216.186.190.101:80
NameVirtualHost 216.186.190.106:80
NameVirtualHost 216.186.190.101:443
Re: apache with 2 SSL Certs Problem
on 13.11.2009 19:25:31 by Krist van Besien
On Fri, Nov 13, 2009 at 4:40 PM, Randy Paries wrote:
> On Fri, Nov 13, 2009 at 1:29 AM, Krist van Besien
> this is how i have it set up.
> when i generate the CSR do i need to do something special to bind the
> CSR to a specific IP?
No.
>
>
>    ServerAdmin webmaster@unitnet.com
>    DocumentRoot /home/unitfaces/
>
>    ServerName www.unitfaces.com
>    ServerAlias unitfaces.com
>
>    ErrorLog logs/unitfaces.com-error_log
>    CustomLog logs/unitfaces.com-access_log combined
>
>    ErrorLog logs/unitfacesSSL.com-error_log
>    CustomLog logs/unitfacesSSL.com-access_log combined
>
>    SSLEngine on
>    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt
>    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.unitfaces.com.key
>
>
That looks ok, but you should have two VirtualHost containers on port
443. What does the other look like?
--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
Re: apache with 2 SSL Certs Problem
on 13.11.2009 19:26:54 by Krist van Besien
On Fri, Nov 13, 2009 at 6:14 PM, Randy Paries wrote:
> also i have this in my httpd
> NameVirtualHost 216.186.190.101:80
> NameVirtualHost 216.186.190.106:80
> NameVirtualHost 216.186.190.101:443
You probably don't need these.
I assume you have your one SSL host on 216.186.190.101 and another on
216.186.190.106 ?
Krist
--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
Re: apache with 2 SSL Certs Problem
on 13.11.2009 19:58:17 by Randy Paries
On Fri, Nov 13, 2009 at 12:26 PM, Krist van Besien
wrote:
> On Fri, Nov 13, 2009 at 6:14 PM, Randy Paries wrote:
>> also i have this in my httpd
>> NameVirtualHost 216.186.190.101:80
>> NameVirtualHost 216.186.190.106:80
>> NameVirtualHost 216.186.190.101:443
>
> You probably don't need these.
>
> I assume you have your one SSL host on 216.186.190.101 and another on
> 216.186.190.106 ?
>
> Krist
>
so i tried to re-issue my cert so the file names are a little different.
so here is where i am now
two domains:
1) unitfaces.com is supposed to have the real cert
2) yumasnowbirds.com is supposed to have the self signed cert
ServerAdmin webmaster@mydomain.com
DocumentRoot /home/unitfaces/
ServerName www.unitfaces.com
ServerAlias unitfaces.com
ErrorLog logs/unitfacesSSL.com-error_log
CustomLog logs/unitfacesSSL.com-access_log combined
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.calgary.key
ServerAdmin webmaster@mydomain.com
DocumentRoot /home/yumasnowbirds/
ServerName www.yumasnowbirds.com
ServerAlias yumasnowbirds.com
ErrorLog logs/yumasnowbirdsSSL.com-error_log
CustomLog logs/yumasnowbirdsSSL.com-access_log combined
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/www.yumasnowbirds.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.calgary.key
here is some more info
if i do
#openssl s_client -connect www.unitfaces.com:443 -showcerts
i see (btw , i have no idea where it is getting this info??)
CONNECTED(00000003)
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify return:1
---
#openssl s_client -connect www.yumasnowbirds.com:443 -showcerts
CONNECTED(00000003)
depth=0 /C=US/ST=MyState/L=MyCity/O=Unit Inc./OU=YumaSnowBirds/CN=www.yumasnowbirds.com/emailAddress=admin@domain.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=MyState/L=MyCity/O=Unit Inc./OU=YumaSnowBirds/CN=www.yumasnowbirds.com/emailAddress=admin@domain.com
verify return:1
---
I am sooo confused.
Thanks again
Randy
Re: apache with 2 SSL Certs Problem
on 14.11.2009 15:37:21 by Krist van Besien
On Fri, Nov 13, 2009 at 7:58 PM, Randy Paries wrote:
> On Fri, Nov 13, 2009 at 12:26 PM, Krist van Besien
> wrote:
>> On Fri, Nov 13, 2009 at 6:14 PM, Randy Paries wrote:
>>> also i have this in my httpd
>>> NameVirtualHost 216.186.190.101:80
>>> NameVirtualHost 216.186.190.106:80
>>> NameVirtualHost 216.186.190.101:443
>>
>> You probably don't need these.
>>
>> I assume you have your one SSL host on 216.186.190.101 and another on
>> 216.186.190.106 ?
>>
>> Krist
>>
>
> so i tried to re-issue my cert so the file names are a little different.
>
> so here is where i am now
>
> two domains:
> 1) unitfaces.com is supposed to have the real cert
> 2) yumasnowbirds.com is supposed to have the self signed cert
>
>
>    ServerAdmin webmaster@mydomain.com
>    DocumentRoot /home/unitfaces/
>
>    ServerName www.unitfaces.com
>    ServerAlias unitfaces.com
>
>    ErrorLog logs/unitfacesSSL.com-error_log
>    CustomLog logs/unitfacesSSL.com-access_log combined
>
>    SSLEngine on
>    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt
>    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.calgary.key
>
>
>
>
>    ServerAdmin webmaster@mydomain.com
>    DocumentRoot /home/yumasnowbirds/
>
>    ServerName www.yumasnowbirds.com
>    ServerAlias yumasnowbirds.com
>
>    ErrorLog logs/yumasnowbirdsSSL.com-error_log
>    CustomLog logs/yumasnowbirdsSSL.com-access_log combined
>
>    SSLEngine on
>    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.yumasnowbirds.com.crt
>    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.calgary.key
>
>
That looks all OK to me.
>
> here is some more info
> if i do
> #openssl s_client -connect www.unitfaces.com:443 -showcerts
> i see (btw , i have no idea where it is getting this info??)
> CONNECTED(00000003)
> depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
> verify return:1
This is all info from the certificate. It appears that unitfaces.com
has a self signed certificate. You can verify this with:
openssl x509 -in /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt -text
(do this on your server...)
I think that some of your assumptions about what's in
www.unitfaces.com.crt might be wrong...
Krist
--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
Re: apache with 2 SSL Certs Problem
on 14.11.2009 16:33:50 by Randy Paries
On Sat, Nov 14, 2009 at 8:37 AM, Krist van Besien
wrote:
> On Fri, Nov 13, 2009 at 7:58 PM, Randy Paries wrote:
>> On Fri, Nov 13, 2009 at 12:26 PM, Krist van Besien
>> wrote:
>>> On Fri, Nov 13, 2009 at 6:14 PM, Randy Paries wrote:
>>>> also i have this in my httpd
>>>> NameVirtualHost 216.186.190.101:80
>>>> NameVirtualHost 216.186.190.106:80
>>>> NameVirtualHost 216.186.190.101:443
>>>
>>> You probably don't need these.
>>>
>>> I assume you have your one SSL host on 216.186.190.101 and another on
>>> 216.186.190.106 ?
>>>
>>> Krist
>>>
>>
>> so i tried to re-issue my cert so the file names are a little different.
>>
>> so here is where i am now
>>
>> two domains:
>> 1) unitfaces.com is supposed to have the real cert
>> 2) yumasnowbirds.com is supposed to have the self signed cert
>>
>>
>>    ServerAdmin webmaster@mydomain.com
>>    DocumentRoot /home/unitfaces/
>>
>>    ServerName www.unitfaces.com
>>    ServerAlias unitfaces.com
>>
>>    ErrorLog logs/unitfacesSSL.com-error_log
>>    CustomLog logs/unitfacesSSL.com-access_log combined
>>
>>    SSLEngine on
>>    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt
>>    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.calgary.key
>>
>>
>>
>>
>>    ServerAdmin webmaster@mydomain.com
>>    DocumentRoot /home/yumasnowbirds/
>>
>>    ServerName www.yumasnowbirds.com
>>    ServerAlias yumasnowbirds.com
>>
>>    ErrorLog logs/yumasnowbirdsSSL.com-error_log
>>    CustomLog logs/yumasnowbirdsSSL.com-access_log combined
>>
>>    SSLEngine on
>>    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.yumasnowbirds.com.crt
>>    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.calgary.key
>>
>>
>
> That looks all OK to me.
>
>>
>> here is some more info
>> if i do
>> #openssl s_client -connect www.unitfaces.com:443 -showcerts
>> i see (btw , i have no idea where it is getting this info??)
>> CONNECTED(00000003)
>> depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
>> verify error:num=18:self signed certificate
>> verify return:1
>> depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
>> verify return:1
>
> This is all info from the certificate. It appears that unitfaces.com
> has a self signed certificate. You can verify this with:
> openssl x509 -in /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt -text
> (do this on your server...)
>
> I think that some of your assumptions about what's in
> www.unitfaces.com.crt might be wrong...
>
> Krist
>
Krist
So is there a way/log to see what cert is being used by apache
if i do openssl x509 -in /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt -text
[root@calgary ~]# openssl x509 -in /etc/httpd/conf/ssl.crt/www.unitfaces.com.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
Validity
Not Before: Nov 13 00:00:00 2009 GMT
Not After : Aug 6 23:59:59 2010 GMT
Subject: C=US, ST=Alabama, L=Huntsville, O=UnitNet Inc., OU=UnitFaces, CN=www.unitfaces.com
This does not make any sense. It is like it is pulling this cert
magically out of the air
so confused..
Randy
Re: apache with 2 SSL Certs Problem
on 14.11.2009 16:43:15 by Eric Covener
On Sat, Nov 14, 2009 at 10:33 AM, Randy Paries wrote:
> This does not make any sense. It is like it is pulling this cert
> magically out of the air
httpd -S will display your vhost config.
Also curious what that hostname resolves to on the system where you
ran openssl, and what interfaces your Apache system has.
"grep -ri SSLCert /etc/httpd/conf.d/ /etc/httpd/conf" might also shed
some light on what the operative part of your config is.
--
Eric Covener
covener@gmail.com
Re: apache with 2 SSL Certs Problem
on 14.11.2009 16:57:49 by Randy Paries
On Sat, Nov 14, 2009 at 9:43 AM, Eric Covener wrote:
> On Sat, Nov 14, 2009 at 10:33 AM, Randy Paries wrote:
>
>> This does not make any sense. It is like it is pulling this cert
>> magically out of the air
>
> httpd -S will display your vhost config.
>
> Also curious what that hostname resolves to on the system where you
> ran openssl, and what interfaces your Apache system has.
>
> "grep -ri SSLCert /etc/httpd/conf.d/ /etc/httpd/conf" might also shed
> some light on what the operative part of your config is.
>
>
>
> --
> Eric Covener
> covener@gmail.com
YEAH!!!!
httpd -S was the ticket.........
[root@calgary conf]# httpd -S
VirtualHost configuration:
216.186.190.106:80 is a NameVirtualHost
    default server www.yumasnowbirds.com (/etc/httpd/conf/httpd.conf:1063)
    port 80 namevhost www.yumasnowbirds.com (/etc/httpd/conf/httpd.conf:1063)
216.186.190.106:443 is a NameVirtualHost
    default server www.yumasnowbirds.com (/etc/httpd/conf/httpd.conf:1093)
    port 443 namevhost www.yumasnowbirds.com (/etc/httpd/conf/httpd.conf:1093)
216.186.190.101:80 is a NameVirtualHost
    default server www.unitfaces.com (/etc/httpd/conf/httpd.conf:1017)
    port 80 namevhost www.unitfaces.com (/etc/httpd/conf/httpd.conf:1017)
216.186.190.101:443 is a NameVirtualHost
    default server www.unitfaces.com (/etc/httpd/conf/httpd.conf:997)
    port 443 namevhost www.unitfaces.com (/etc/httpd/conf/httpd.conf:997)
wildcard NameVirtualHosts and _default_ servers:
_default_:443 www.unitfaces.com (/etc/httpd/conf.d/ssl.conf:81)
Syntax OK
Checkout the bottom entry (wildcard NameVirtualHosts and _default_ servers:)
i did not even think about this separate file. I have always put my
ssl vert hosts in the httpd.conf
thanks everyone for your help
this one was freaking me out
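Added example (not part of the thread, and not code from any of the posters): the check that resolved this thread, reading `httpd -S` output for a `_default_` or wildcard vhost on a port that also has address-specific vhosts, written as a small Python parser. The function and field names are made up for this example; the sample input is the `httpd -S` output posted above, with mail-wrapped lines rejoined.

```python
import re
from collections import defaultdict, namedtuple

VHost = namedtuple("VHost", "address port name conf_file conf_line")

# `httpd -S` output as posted in the thread, mail-wrapped lines rejoined.
SAMPLE_HTTPD_S = """\
VirtualHost configuration:
216.186.190.106:80     is a NameVirtualHost
         default server www.yumasnowbirds.com (/etc/httpd/conf/httpd.conf:1063)
         port 80 namevhost www.yumasnowbirds.com (/etc/httpd/conf/httpd.conf:1063)
216.186.190.106:443    is a NameVirtualHost
         default server www.yumasnowbirds.com (/etc/httpd/conf/httpd.conf:1093)
         port 443 namevhost www.yumasnowbirds.com (/etc/httpd/conf/httpd.conf:1093)
216.186.190.101:80     is a NameVirtualHost
         default server www.unitfaces.com (/etc/httpd/conf/httpd.conf:1017)
         port 80 namevhost www.unitfaces.com (/etc/httpd/conf/httpd.conf:1017)
216.186.190.101:443    is a NameVirtualHost
         default server www.unitfaces.com (/etc/httpd/conf/httpd.conf:997)
         port 443 namevhost www.unitfaces.com (/etc/httpd/conf/httpd.conf:997)
wildcard NameVirtualHosts and _default_ servers:
_default_:443          www.unitfaces.com (/etc/httpd/conf.d/ssl.conf:81)
Syntax OK
"""

WHERE = r"\((?P<file>.+):(?P<line>\d+)\)"
NAME_BASED_HEADER = re.compile(r"^(?P<addr>\S+):(?P<port>\d+)\s+is a NameVirtualHost$")
NAME_BASED_ENTRY = re.compile(r"^port (?P<port>\d+) namevhost (?P<name>\S+) " + WHERE + "$")
SINGLE_ENTRY = re.compile(r"^(?P<addr>\S+):(?P<port>\d+)\s+(?P<name>\S+) " + WHERE + "$")
CATCH_ALL = {"_default_", "*"}


def parse_httpd_s(text):
    """Return every vhost listed by `httpd -S` as a VHost tuple.

    "default server" lines are skipped: they repeat the first namevhost
    entry of the same address:port block.
    """
    vhosts, current_addr = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_BASED_HEADER.match(line)
        if m:
            current_addr = m.group("addr")
            continue
        m = NAME_BASED_ENTRY.match(line)
        if m and current_addr is not None:
            vhosts.append(VHost(current_addr, int(m.group("port")), m.group("name"),
                                m.group("file"), int(m.group("line"))))
            continue
        m = SINGLE_ENTRY.match(line)
        if m:
            vhosts.append(VHost(m.group("addr"), int(m.group("port")), m.group("name"),
                                m.group("file"), int(m.group("line"))))
    return vhosts


def catch_all_conflicts(vhosts):
    """Pair each catch-all vhost with the address-specific vhosts on its port.

    Every pair points at two <VirtualHost> definitions whose
    SSLCertificateFile settings should be reviewed side by side.
    """
    by_port = defaultdict(list)
    for v in vhosts:
        by_port[v.port].append(v)
    findings = []
    for port, group in sorted(by_port.items()):
        specific = [v for v in group if v.address not in CATCH_ALL]
        for ca in (v for v in group if v.address in CATCH_ALL):
            for s in specific:
                findings.append({
                    "port": port,
                    "catch_all": f"{ca.conf_file}:{ca.conf_line}",
                    "specific": f"{s.address} {s.conf_file}:{s.conf_line}",
                    "same_name": ca.name == s.name,
                    "different_file": ca.conf_file != s.conf_file,
                })
    return findings


if __name__ == "__main__":
    for f in catch_all_conflicts(parse_httpd_s(SAMPLE_HTTPD_S)):
        note = " (same ServerName reported)" if f["same_name"] else ""
        print(f"port {f['port']}: catch-all vhost at {f['catch_all']} "
              f"alongside {f['specific']}{note}")
```

On a live server, feed it the output of `httpd -S` captured to a file or pipe instead of the embedded sample.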