I recently acquired a Verisign SSL certificate for my web server on Centos 4, with apache 2.0.59 from centosplus.

It however doesn't seem to be working the way I've set it up; browsers connect but are told the certificate is not recognized. Showing more info, the information looks correct.

I think it has probably to do with the fact that I'm using the certificate on a virtual named host, and I wonder if anybody has experience doing this? A few places in the apache documentation suggest that SSL cannot be used with name based virtual hosting, but I don't know if that means not at all, or not with multiple named hosts.

I have multiple NameVirtualHost on port 80, but will only plan to use one of the names on port 443.

The start of the section in my ssl.conf goes like this:

<VirtualHost _default_:443>
ServerName nameprotected.domain.edu:443
ServerAdmin me at domain.edu
DocumentRoot /var/www/docs/nameprotected

nameprotected.domain.edu is a DNS CNAME to the actual host.

How do folks do SSL and virtual hosts? Multiple IP addresses is not an option for me.

TIA
Tony Schreiner

On Wed, Apr 9, 2008 at 2:22 PM, Tony Schreiner <schreian at bc.edu> wrote:
> nameprotected.domain.edu is a DNS CNAME to the actual host.
>
> How do folks do SSL and virtual hosts? multiple IP addresses is not an
> option for me.

It better be, because for apache 2.0, it's the ONLY way you can do vhosts. You have to have 1 ip per vhost for ssl. This is in the apache documentation.

For httpd 2.2, you can do name based vhosts, but not with standard ssl certs like verisign ships.

--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell

Tony Schreiner wrote:
> I recently acquired a Verisign SSL certificate for my web server on
> Centos 4, with apache 2.0.59 from centosplus.
>
> It however doesn't seem to be working the way I've set it up; browsers
> connect but are told the certificate is not recognized. Showing more
> info, the information looks correct.
>
> I think it has probably to do with the fact that I'm using the
> certificate on a virtual named host, and I wonder if anybody has
> experience doing this? A few places in the apache documentation
> suggest that SSL cannot be used with name based virtual hosting, but I
> don't know if that means not at all, or not with multiple named hosts.
>
> I have multiple NameVirtualHost on port 80, but will only plan to use
> one of the names on port 443.
>
> The start of the section in my ssl.conf goes like this:
>
> <VirtualHost _default_:443>
> ServerName nameprotected.domain.edu:443
> ServerAdmin me at domain.edu
> DocumentRoot /var/www/docs/nameprotected
>
> nameprotected.domain.edu is a DNS CNAME to the actual host.

The ServerName should match the name in the certificate.

> How do folks do SSL and virtual hosts? multiple IP addresses is not an
> option for me.

Tony Schreiner wrote on Wed, 9 Apr 2008 14:22:22 -0400:
> It however doesn't seem to be working the way I've set it up,
> browsers connect but are told the certificate is not recognized.

Unfortunately, the most important information is missing from your explanation: please give the exact URL, so one can see the *actual* message and the actual certificate. From first "sight" it looks like the site is not using the certificate you think it uses.

FYI: You can have *one* certificate per IP address. It doesn't matter if name-based or not. (So, if you want to have 5 name-based SSL virtual hosts you have to use the same certificate for all of them. That's obviously not the case for you.)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Tony Schreiner wrote:
> I recently acquired a Verisign SSL certificate for my web server on
> Centos 4, with apache 2.0.59 from centosplus.
>
> It however doesn't seem to be working the way I've set it up; browsers
> connect but are told the certificate is not recognized. Showing more
> info, the information looks correct.
>
> I think it has probably to do with the fact that I'm using the
> certificate on a virtual named host, and I wonder if anybody has
> experience doing this? A few places in the apache documentation suggest
> that SSL cannot be used with name based virtual hosting, but I don't know if
> that means not at all, or not with multiple named hosts.
>
> I have multiple NameVirtualHost on port 80, but will only plan to use
> one of the names on port 443.
>
> The start of the section in my ssl.conf goes like this:
>
> <VirtualHost _default_:443>
> ServerName nameprotected.domain.edu:443
> ServerAdmin me at domain.edu
> DocumentRoot /var/www/docs/nameprotected
>
> nameprotected.domain.edu is a DNS CNAME to the actual host.
>
> How do folks do SSL and virtual hosts? multiple IP addresses is not an
> option for me.
>

This is how I do it:

NameVirtualHost IP.AD.DR.ESS:443

<VirtualHost IP.AD.DR.ESS:443>
    SSLEngine On
    SSLCertificateFile path/to/domain.crt
    SSLCertificateKeyFile path/to/domain.key
    ServerName domain.tld
    ServerAdmin webmaster at domain.tld
    DocumentRoot /path/to/webroot
    ErrorLog /path/to/logs/errors.log
    CustomLog /path/to/logs/access.log combined
</VirtualHost>

Rick
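
The "one certificate per IP address" point made in this thread can be checked against a config before deploying. The following is an added example, not code from any poster here: it assumes a server without SNI (as with the Apache 2.0 in question), where the first SSL vhost on an address supplies the certificate for every name on that address, and the config text, addresses and hostnames are constructed.

```python
import re
from collections import defaultdict
# Constructed sample (not from the thread): two SSL vhosts share one address.
SAMPLE_CONF = """
NameVirtualHost 192.0.2.10:443
<VirtualHost 192.0.2.10:443>
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/a.example.crt
    ServerName a.example
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/b.example.crt
    ServerName b.example:443
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/c.example.crt
    ServerName c.example
</VirtualHost>
"""

def parse_ssl_vhosts(conf):
    """Return (address, server_name, cert_path) for each vhost with SSLEngine on."""
    vhosts = []
    blocks = re.findall(r"<VirtualHost\s+([^>\s]+)[^>]*>(.*?)</VirtualHost>",
                        conf, re.S | re.I)
    for addr, body in blocks:
        d = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if len(parts) == 2 and not parts[0].startswith("#"):
                d[parts[0].lower()] = parts[1].strip()
        if d.get("sslengine", "").lower() == "on":
            name = d.get("servername", "").split(":")[0]  # drop ":443"
            vhosts.append((addr, name, d.get("sslcertificatefile")))
    return vhosts

def cert_conflicts(conf):
    """Map address -> ServerNames whose own cert is never sent (no SNI)."""
    by_addr = defaultdict(list)
    for addr, name, cert in parse_ssl_vhosts(conf):
        by_addr[addr].append((name, cert))
    # Without SNI the first vhost on an address supplies the certificate.
    return {a: [n for n, c in e[1:] if c != e[0][1]]
            for a, e in by_addr.items()
            if any(c != e[0][1] for _, c in e[1:])}

if __name__ == "__main__":
    print(cert_conflicts(SAMPLE_CONF))
```

Any name reported here would be answered with the first vhost's certificate, which browsers flag as a name mismatch.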