Date:      Wed, 6 Dec 2000 20:24:02 -0600 (CST)
From:      Ryan Thompson <ryan@sasknow.com>
To:        Jim King <jim@jimking.net>
Cc:        freebsd-isp@freebsd.org
Subject:   Re: Annoying problem with apache-modssl certs
Message-ID:  <Pine.BSF.4.21.0012062022470.25889-100000@ren.sasknow.com>
In-Reply-To: <017001c05ff3$75efb7f0$04e48486@marble>

Jim King wrote to Ryan Thompson:

> This is a limitation of SSL.  Named virtual hosts and SSL don't mix.  You
> need to give SSL hosts unique IPs.

Ha!  Yes, believe it or not, I knew this...

I suppose the reason I've never encountered this problem is because, until
now, different SSL hosts have always been on different IPs :-)

Thanks, Jim, and everyone that has already replied.

- Ryan



> 
> ----- Original Message -----
> From: "Ryan Thompson" <ryan@sasknow.com>
> To: <freebsd-isp@FreeBSD.ORG>
> Sent: Wednesday, December 06, 2000 8:07 PM
> Subject: Annoying problem with apache-modssl certs
> 
> 
> >
> > Hey all... Hope someone has seen this before...
> >
> > I've got an apache-modssl server (apache 1.3.9, mod-ssl 2.4.9, openssl
> > 0.9.4) running under FreeBSD 3.4.
> >
> > A default entry is configured, using "server.crt" and "server.key", on a
> > default server name.
> >
> > www.virtual1.tld
> > I successfully added one virtual host, "virtual1.crt" / "virtual2.key".
> > (Yes, I use a better naming convention than this :-)  Actually, that site
> > has been up for a while.
> >
> > www.virtual2.tld
> > Now, on the same server, I desired to add another virtual host.  So, after
> > generating the key, csr, and obtaining signed .crt (Thawte), as I have
> > always done, and adding another virtual host entry on the same IP/port 443
> > in httpd.conf, and restarting the secure server, the following happens:
> >
> > When I access https://www.virtual2.tld/ , I see virtual1's certificate
> > (i.e., the browser complains that the certificate is signed and valid, but
> > the common name doesn't match the site name).  In fact, the certificate is
> > the one for www.virtual1.tld.
> >
> > https://www.virtual1.tld/ and the default server work fine.
> >
> > If I accept the certificate for virtual2.tld, I actually see the correct
> > page for https://www.virtual2.tld/.  (I.e., a static .html page containing
> > "Welcome to www.virtual2.tld" :-)
> >
> > Thinking that a bit strange, I swapped the order of virtual1 and virtual2
> > <VirtualHost w.x.y.z:443> </VirtualHost> sections.  (So, virtual2 was
> > listed first).  The same thing happened, only differently :-)
> >
> > Accessing http://www.virtual2.tld/ (listed first in httpd.conf) correctly
> > used virtual2.tld's certificate.
> >
> > Accessing http://www.virtual1.tld/ (listed last in httpd.conf) incorrectly
> > used virtual1.tld's certificate.
> >
> >
> > So, to sum this up, it appears as though:
> > o My virtual host setup is correct insofar as apache will
> >   return the correct index page depending on the server
> >   name requested by the client.
> > o Apache refuses to use anything but the FIRST certificate
> >   within the FIRST <virtualhost> directive.
> >
> > Strange...?
> >
> > --
> >   Ryan Thompson <ryan@sasknow.com>
> >   Network Administrator, Accounts
> >
> >   SaskNow Technologies - http://www.sasknow.com
> >   #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2
> >
> >         Tel: 306-664-3600   Fax: 306-664-1161   Saskatoon
> >   Toll-Free: 877-727-5669     (877-SASKNOW)     North America
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-isp" in the body of the message
> >
> 
> 

-- 
  Ryan Thompson <ryan@sasknow.com>
  Network Administrator, Accounts

  SaskNow Technologies - http://www.sasknow.com
  #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

        Tel: 306-664-3600   Fax: 306-664-1161   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
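
The limitation discussed in this thread can be checked for in a configuration before deployment. The following is an added example, not code from either poster or from the Apache/mod_ssl project: a small Python check that flags SSL virtual hosts sharing one address:port with different certificates. It assumes the behaviour described above (the certificate is chosen before the requested host name is known); the sample configuration, its certificate paths and the function names are constructed for illustration.

```python
import re

# Constructed httpd.conf fragment mirroring the setup in the thread.
# Certificate paths are placeholders; other directives are omitted.
SAMPLE_CONF = """
<VirtualHost w.x.y.z:443>
    ServerName www.virtual1.tld
    SSLCertificateFile /path/to/virtual1.crt
</VirtualHost>
<VirtualHost w.x.y.z:443>
    ServerName www.virtual2.tld
    SSLCertificateFile /path/to/virtual2.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)

def directive(body, name):
    """Return the first argument of directive `name` in a vhost body, or None."""
    m = re.search(r"^\s*%s\s+(\S+)" % re.escape(name), body, re.I | re.M)
    return m.group(1) if m else None

def parse_ssl_vhosts(conf):
    """Group SSL vhosts by listen address, preserving file order."""
    groups = {}
    for addrs, body in VHOST_RE.findall(conf):
        cert = directive(body, "SSLCertificateFile")
        if cert is None:
            continue  # no certificate configured: not an SSL vhost
        for addr in addrs.split():  # a vhost may list several addresses
            groups.setdefault(addr, []).append((directive(body, "ServerName"), cert))
    return groups

def find_shadowed_certs(conf):
    """Return (addr, server_name, its_cert, cert_actually_served) tuples."""
    # The certificate is sent during the SSL handshake, before the Host
    # header arrives, so only the first vhost on an address supplies it.
    findings = []
    for addr, vhosts in parse_ssl_vhosts(conf).items():
        served_cert = vhosts[0][1]
        for name, cert in vhosts[1:]:
            if cert != served_cert:
                findings.append((addr, name, cert, served_cert))
    return findings

if __name__ == "__main__":
    for addr, name, cert, served in find_shadowed_certs(SAMPLE_CONF):
        print("%s: %s will be served %s, not %s" % (addr, name, served, cert))
```

Giving each SSL host its own IP, as suggested in the reply, makes the check return no findings.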