Gentoo Forums
[SOLVED] Apache vhosts problem
yarug
Tux's lil' helper


Joined: 01 Dec 2004
Posts: 79

Posted: Tue Jun 10, 2008 9:38 am    Post subject: [SOLVED] Apache vhosts problem

Hi,

I have a problem running a second named SSL vhost. It is returning the wrong SSL certificate. Hope someone is able to assist...

First off, when starting Apache, I get the following warning:

apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName

I've searched the 'net and I found that this should be solved by:

1) a valid hostname in /etc/conf.d/hostname:

Code:
# /etc/conf.d/hostname

# Set to the hostname of this machine
HOSTNAME="x"


2) a valid "domain" entry in /etc/resolv.conf

Code:
nameserver xx.xx.xx.xx
nameserver xx.xx.xx.xx
domain x.com


So I think I have configured this part correctly. The 'hostname' command returns 'x'.

The "real" problem I have is the following:

I run an SSL vhost with ServerName localhost and another SSL vhost with ServerName a.x.com (note: not x.x.com!). Here is the relevant config for /etc/apache2/vhosts.d/00_default_vhost.conf:

Code:
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
# see bug #178966 why this is in here

# When we also provide SSL we have to listen to the HTTPS port
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
Listen 443

# Use name-based virtual hosting.
NameVirtualHost *:443

<VirtualHost _default_:443>
        ServerName localhost
        Include /etc/apache2/vhosts.d/default_vhost.include
        ErrorLog /var/log/apache2/ssl_error_log
        SSLCertificateFile /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>


The other SSL vhost configuration (in /etc/apache/vhosts.d/01_a_ssl_vhost.conf) is as follows:

Code:
<IfDefine SSL>
<IfModule ssl_module>
<VirtualHost *:443>
        ServerName a.x.com
        Include /etc/apache2/vhosts.d/a_vhost.include
        ErrorLog /var/log/apache2/ssl_error_log
        SSLCertificateFile /etc/apache2/ssl/a.x.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl/a.x.com.key
</VirtualHost>
</IfModule>
</IfDefine>


When I start Apache I get the following message:

Code:
 * Starting apache2 ...
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
Apache/2.2.8 mod_ssl/2.2.8 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server a.x.com:443 (RSA)
Enter pass phrase:


So at least when starting up it is loading the correct certificate for the host a.x.com as this certificate is password protected.

x.x.com and a.x.com point to the same public IP address.

However, when I now access https://a.x.com it is sending the default Apache certificate as defined by the _default_ vhost. I was expecting it to use the certificate for a.x.com? Strange thing is that a.x.com uses a different document root from x.x.com and when I accept the wrong certificate I do end up at the correct document root of a.x.com!

I'm sure I made a configuration error somewhere in NameVirtualHost or the VirtualHost directive, but I cannot understand where?

Any help appreciated,
Nes


Last edited by yarug on Tue Jun 10, 2008 12:13 pm; edited 1 time in total
steveb
Veteran


Joined: 18 Sep 2002
Posts: 4564

Posted: Tue Jun 10, 2008 11:19 am

The behavior you have is absolutely normal with NameVirtualHosts. I could try to explain it to you, but better to search the web, as there are a gazillion sites explaining why the problem exists.

Even the Apache documentation has an entry for that situation -> Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?

// Steve
nativemad
Guru


Joined: 30 Aug 2004
Posts: 502
Location: Switzerland

Posted: Tue Jun 10, 2008 11:39 am

steveb: There was an article about it in a recent "Linux magazin"... It is possible (called SNI, defined in RFC 4366, chapter 3.1)!
There are some patches around for mod_openssl and/or mod_gnutls, also for lighty...

But I found it quite easy to set up, with a reverse-ssl-proxy in front (nginx.net).

It is also not supported in every browser... My Konqueror for example always picks up the first defined in nginx for that IP... But Firefox gets it right! :P

Cheers...
_________________
Power to the people!
yarug
Tux's lil' helper


Joined: 01 Dec 2004
Posts: 79

Posted: Tue Jun 10, 2008 12:12 pm

Thanks all. I never knew. I'll see if I can work around the problem. Thank you for your replies!
All times are GMT - 5 Hours