Re: certificate weirdness
This is a discussion on Re: certificate weirdness within the Modssl Users forums, part of the Web Server and Related Forums category; I've finally got it to work. I possibly see why it didn't work from the first place. Mod_ssl ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
07-27-2005
|
|||
|
|||
Re: certificate weirdness
I've finally got it to work. I possibly see why it didn't work from the first
place. Mod_ssl handles encryption before httpd even sees the url. Thus I can't set certifaces in <directory> or name-based <virtual> containers. Thanks! On Wed, Jul 27, 2005 at 06:49:12AM -0700, Matt Stevenson wrote: > Hello Vlad, > > You are trying to use NameVirtualHost for ssl which > will not work. Basically which cert does it use? The > ssl connection needs to be setup before the site name > (hence virtual host and cert) can be established by > apache. > > You'll need two IPs, or use different ports (yuck). > > Regards > Matt > > --- Vlad Ciubotariu <vlad@happyspot.org> wrote: > > > I'm doing something wrong in my config file. For > > some reason, when > > pointed to https://calendar.mydomain.ca the browser > > tells me the > > security certificate belongs to mail.mydomain.ca > > even though the two > > domains have been configured with different > > certificates. > > > > Could anyone shed some light, please? Thanks in > > advance. > > > > ## > > ## SSL Support > > ## > > ## When we also provide SSL we have to listen to > > the > > ## standard HTTP port (see above) and to the HTTPS > > port > > ## > > <IfDefine SSL> > > Listen 80 > > Listen 443 > > </IfDefine> > > > > > .................................................. ............................. > > > > NameVirtualHost *:80 > > NameVirtualHost *:443 > > > > # > > # VirtualHost example: > > # Almost any Apache directive may go into a > > VirtualHost container. > > > > <VirtualHost *> > > ServerAdmin web@mydomain.org > > DocumentRoot /var/www/virthosts/mail > > ServerName mail.mydomain.org > > Redirect / https://mail.mydomain.org/ > > </VirtualHost> > > > > <VirtualHost *> > > ServerAdmin web@mydomain.org > > DocumentRoot /var/www/virthosts/calendar > > ServerName calendar.mydomain.org > > Redirect / https://calendar.mydomain.org/ > > </VirtualHost> > > > > > > ## > > ## SSL Global Context > > ## > > ## All SSL configuration in this context applies > > both to > > ## the main server and all SSL-enabled virtual > > hosts. > > ## > > > > # > > # Some MIME-types for downloading Certificates and > > CRLs > > # > > <IfDefine SSL> > > AddType application/x-x509-ca-cert .crt > > AddType application/x-pkcs7-crl .crl > > </IfDefine> > > > > <IfModule mod_ssl.c> > > > > # Pass Phrase Dialog: > > # Configure the pass phrase gathering process. > > # The filtering dialog program (`builtin' is a > > internal > > # terminal dialog) has to provide the pass phrase > > on stdout. > > SSLPassPhraseDialog builtin > > > > # Inter-Process Session Cache: > > # Configure the SSL Session Cache: First either > > `none' > > # or `dbm:/path/to/file' for the mechanism to use > > and > > # second the expiring timeout (in seconds). > > SSLSessionCache dbm:logs/ssl_scache > > SSLSessionCacheTimeout 300 > > > > # Semaphore: > > # Configure the path to the mutual exclusion > > semaphore the > > # SSL engine uses internally for inter-process > > synchronization. > > SSLMutex sem > > > > # Pseudo Random Number Generator (PRNG): > > # Configure one or more sources to seed the PRNG > > of the > > # SSL library. The seed data should be of good > > random quality. > > SSLRandomSeed startup builtin > > SSLRandomSeed connect builtin > > #SSLRandomSeed startup file:/dev/random 512 > > #SSLRandomSeed startup file:/dev/urandom 512 > > #SSLRandomSeed connect file:/dev/random 512 > > #SSLRandomSeed connect file:/dev/urandom 512 > > SSLRandomSeed startup file:/dev/arandom 512 > > > > # Logging: > > # The home of the dedicated SSL protocol logfile. > > Errors are > > # additionally duplicated in the general error log > > file. Put > > # this somewhere where it cannot be used for > > symlink attacks on > > # a real server (i.e. somewhere where only root > > can write). > > # Log levels are (ascending order: higher ones > > include lower ones): > > # none, error, warn, info, trace, debug. > > SSLLog logs/ssl_engine_log > > SSLLogLevel info > > > > </IfModule> > > > > <IfDefine SSL> > > > > ## > > ## SSL Virtual Host Context > > ## > > > > <VirtualHost *:443> > > ServerAdmin web@mydomain.org > > DocumentRoot /var/www/virthosts/mail > > ServerName mail.mydomain.org > > SSLEngine on > > SSLCertificateFile /etc/ssl/webmail.crt > > SSLCertificateKeyFile > > /etc/ssl/private/webmail.key > > <Location /> > > SSLRequireSsl > > </Location> > > </VirtualHost> > > > > <VirtualHost *:443> > > ServerAdmin web@mydomain.org > > DocumentRoot /var/www/virthosts/calendar > > ServerName calendar.mydomain.org > > SSLEngine on > > SSLCertificateFile /etc/ssl/calendar.crt > > SSLCertificateKeyFile > > /etc/ssl/private/calendar.key > > <Location /> > > SSLRequireSsl > > </Location> > > <Directory /var/www/virthosts/calendar> > > Order allow,deny > > Allow from all > > </Directory> > > <Location /cgi-bin/> > > SetHandler perl-script > > PerlHandler Apache::Registry > > #PerlHandler Apache::PerlRun > > Options ExecCGI > > PerlSendHeader On > > </Location> > > </VirtualHost> > > # > > <VirtualHost _default_:443> > > # General setup for the virtual host > > #DocumentRoot /var/www/htdocs > > #ServerName new.host.name > > #ServerAdmin you@your.address > > #ErrorLog logs/error_log > > #TransferLog logs/access_log > > > > # SSL Engine Switch: > > # Enable/Disable SSL for this virtual host. > > SSLEngine on > > > > # SSL Cipher Suite: > > # List the ciphers that the client is permitted to > > negotiate. > > # See the mod_ssl documentation for a complete > > list. > > #SSLCipherSuite > > ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP > > > > # Server Certificate: > > # Point SSLCertificateFile at a PEM encoded > > certificate. If > > # the certificate is encrypted, then you will be > > prompted for a > > # pass phrase. Note that a kill -HUP will prompt > > again. A test > > # certificate can be generated with `make > > certificate' under > > # built time. > > SSLCertificateFile /etc/ssl/server.crt > > > > # Server Private Key: > > # If the key is not combined with the certificate, > > use > === message truncated === > > > > > __________________________________________________ __ > Start your day with Yahoo! - make it your home page > http://www.yahoo.com/r/hs > > __________________________________________________ ____________________ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List modssl-users@modssl.org > Automated List Manager majordomo@modssl.org __________________________________________________ ____________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager majordomo@modssl.org 
|
Linear Mode
