04-09-2008, 06:37 PM
Jim Perrin

ssl and NameVirtualHost

On Wed, Apr 9, 2008 at 2:22 PM, Tony Schreiner <schreian@bc.edu> wrote:

> nameprotected.domain.edu is a DNS CNAME to the actual host.
>
> How do folks do SSL and virtual hosts? multiple IP addresses is not an
> option for me.

It better be, because for apache 2.0, it's the ONLY way you can do vhosts.
You have to have 1 ip per vhost for ssl. This is in the apache documentation.

For httpd 2.2, you can do name based vhosts, but not with standard ssl
certs like verisign ships.


--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
04-09-2008, 06:52 PM
mouss

ssl and NameVirtualHost

Tony Schreiner wrote:
> I recently acquired a Verisign SSL certificate for my web server on
> CentOS 4, with apache 2.0.59 from centosplus.
>
> It however doesn't seem to be working the way I've set it up, browsers
> connect but are told the certificate is not recognized. Showing more
> info, the information looks correct.
>
> I think it has probably to do with the fact that I'm using the
> certificate on a virtual named host, and I wonder if anybody has
> experience doing this? A few places in the apache documentation
> suggest that SSL cannot be used with name based virtual hosting, but I
> don't know if that means, not at all, or not with multiple named hosts.
>
> I have multiple NameVirtualHost on port 80, but will only plan to use
> one of the names on port 443.
>
> The start of the section in my ssl.conf goes like this:
>
> <VirtualHost _default_:443>
> ServerName nameprotected.domain.edu:443
> ServerAdmin me@domain.edu
> DocumentRoot /var/www/docs/nameprotected
>
> nameprotected.domain.edu is a DNS CNAME to the actual host.

the ServerName should match the name in the certificate.

> How do folks do SSL and virtual hosts? multiple IP addresses is not an
> option for me.

 
04-09-2008, 07:15 PM
Tony Schreiner

ssl and NameVirtualHost

On Apr 9, 2008, at 2:37 PM, Jim Perrin wrote:

> On Wed, Apr 9, 2008 at 2:22 PM, Tony Schreiner <schreian@bc.edu> wrote:
>
>> nameprotected.domain.edu is a DNS CNAME to the actual host.
>>
>> How do folks do SSL and virtual hosts? multiple IP addresses is not an
>> option for me.
>
> It better be, because for apache 2.0, it's the ONLY way you can do vhosts.
> You have to have 1 ip per vhost for ssl. This is in the apache documentation
>
> For httpd 2.2, you can do name based vhosts, but not with standard ssl
> certs like verisign ships.

crud...

but thanks for the info
 
04-09-2008, 07:16 PM
Kai Schaetzl

ssl and NameVirtualHost

Tony Schreiner wrote on Wed, 9 Apr 2008 14:22:22 -0400:

> It however doesn't seem to be working the way I've set it up,
> browsers connect but are told the certificate is not recognized.

Unfortunately, the most important information is missing from your
explanation: please give the exact URL, so one can see the *actual*
message and the actual certificate. From first "sight" it looks like the
site is not using the certificate you think it uses.

FYI: You can have *one* certificate per IP address. It doesn't matter if
name-based or not. (So, if you want to have 5 name-based SSL virtual hosts
you have to use the same certificate for all of them. That's obviously not
the case for you.)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com



 
04-09-2008, 07:21 PM
Rick Barnes

ssl and NameVirtualHost

Tony Schreiner wrote:
> I recently acquired a Verisign SSL certificate for my web server on
> CentOS 4, with apache 2.0.59 from centosplus.
>
> It however doesn't seem to be working the way I've set it up, browsers
> connect but are told the certificate is not recognized. Showing more
> info, the information looks correct.
>
> I think it has probably to do with the fact that I'm using the
> certificate on a virtual named host, and I wonder if anybody has
> experience doing this? A few places in the apache documentation suggest
> that SSL cannot be used with name based virtual hosting, but I don't know if
> that means, not at all, or not with multiple named hosts.
>
> I have multiple NameVirtualHost on port 80, but will only plan to use
> one of the names on port 443.
>
> The start of the section in my ssl.conf goes like this:
>
> <VirtualHost _default_:443>
> ServerName nameprotected.domain.edu:443
> ServerAdmin me@domain.edu
> DocumentRoot /var/www/docs/nameprotected
>
> nameprotected.domain.edu is a DNS CNAME to the actual host.
>
> How do folks do SSL and virtual hosts? multiple IP addresses is not an
> option for me.

This is how I do it:
NameVirtualHost IP.AD.DR.ESS:443

<VirtualHost IP.AD.DR.ESS:443>
SSLEngine On
SSLCertificateFile path/to/domain.crt
SSLCertificateKeyFile path/to/domain.key
ServerName domain.tld
ServerAdmin webmaster@domain.tld
DocumentRoot /path/to/webroot
ErrorLog /path/to/logs/errors.log
CustomLog /path/to/logs/access.log combined
</VirtualHost>

Rick
 
04-09-2008, 07:24 PM
Jim Perrin

ssl and NameVirtualHost

On Wed, Apr 9, 2008 at 3:15 PM, Tony Schreiner <schreian@bc.edu> wrote:

> crud...

Well, as Kai brings up, you get one cert per IP. If you're using
subdomains you *might* be able to get away with this.

*.example.com as a cert common name will work for foo.example.com, and
bar.example.com. etc. So long as you're using subdomain certs this
works okay. If you're doing different names, you're pretty sunk.

"Name-based virtual hosting cannot be used with SSL secure servers
because of the nature of the SSL protocol."
See http://httpd.apache.org/docs/2.0/vhosts/name-based.html for more info

--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
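
The one-certificate-per-IP constraint and the wildcard case from the messages above, as an added example (not code from anyone in this thread). It assumes that without SNI the server presents a single certificate for every name-based vhost on an address:port; the sample config, the certificate name and all function names are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread): three name-based vhosts on one IP:443.
SAMPLE_CONF = """
NameVirtualHost 192.0.2.10:443
<VirtualHost 192.0.2.10:443>
    ServerName foo.example.com:443
    SSLCertificateFile conf/wildcard.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName bar.example.com
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName www.example.org
</VirtualHost>
"""

def name_matches(pattern, host):
    """True if a certificate name covers host; '*' counts only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more or fewer labels
    return p[1:] == h[1:] and (p[0] == h[0] or (p[0] == "*" and h[0] != ""))

def vhosts_by_socket(conf):
    """Map 'addr:port' -> list of ServerNames (port suffix stripped), in config order."""
    groups = {}
    blocks = re.findall(r"<VirtualHost\s+([^>\s]+)>(.*?)</VirtualHost>", conf, re.S | re.I)
    for addr, body in blocks:
        m = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        if m:
            groups.setdefault(addr, []).append(m.group(1).split(":")[0])
    return groups

def audit(conf, cert_names_by_socket):
    """Per socket, report which ServerNames the one presented certificate covers."""
    report = {}
    for sock, names in vhosts_by_socket(conf).items():
        certs = cert_names_by_socket.get(sock, [])
        report[sock] = {n: any(name_matches(c, n) for c in certs) for n in names}
    return report

if __name__ == "__main__":
    # Assumed: the certificate presented on this socket carries the name *.example.com
    for sock, res in audit(SAMPLE_CONF, {"192.0.2.10:443": ["*.example.com"]}).items():
        for name, ok in res.items():
            print(sock, name, "covered" if ok else "NAME MISMATCH")
```
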
 
04-09-2008, 07:29 PM
Tony Schreiner

ssl and NameVirtualHost

On Apr 9, 2008, at 3:16 PM, Kai Schaetzl wrote:

> Tony Schreiner wrote on Wed, 9 Apr 2008 14:22:22 -0400:
>
>> It however doesn't seem to be working the way I've set it up,
>> browsers connect but are told the certificate is not recognized.
>
> Unfortunately, the most important information is missing from your
> explanation: please give the exact URL, so one can see the *actual*
> message and the actual certificate. From first "sight" it looks like the
> site is not using the certificate you think it uses.
>
> FYI: You can have *one* certificate per IP address. It doesn't matter if
> name-based or not. (So, if you want to have 5 name-based SSL virtual hosts
> you have to use the same certificate for all of them. That's obviously not
> the case for you.)
>
> Kai

I was under the (obviously mistaken) impression that one certificate
per hostname was the rule, and I created the certificate with the
hostname I want to use; which is resolvable; and reachable with
regular http over port 80. And that is the only SSL enabled site I
want to use on this server.


Getting multiple IP addresses on my server will require a change of
plan of action for me; but may be possible.


Tony
 
04-09-2008, 08:35 PM
David Hrbáč

ssl and NameVirtualHost

Jim Perrin wrote:

> "Name-based virtual hosting cannot be used with SSL secure servers
> because of the nature of the SSL protocol."
> See http://httpd.apache.org/docs/2.0/vhosts/name-based.html for more info

Jim, you are not right... SSL 3.0 supports Server Name Indication and of
course TLS 1.0. For those who are interested there are repos for C{4,5}
located here:


http://fs12.vsb.cz/hrb33/el4/hrb-tls/stable/i386/
http://fs12.vsb.cz/hrb33/el5/hrb-tls/stable/i386/
http://fs12.vsb.cz/hrb33/el4/hrb-tls/stable/x86_64/
http://fs12.vsb.cz/hrb33/el5/hrb-tls/stable/x86_64/

Regards,
David
 
04-09-2008, 08:40 PM
Jim Perrin

ssl and NameVirtualHost

On Wed, Apr 9, 2008 at 4:35 PM, David Hrbáč <hrbac.conf@seznam.cz> wrote:

> Jim, you are not right... SSL 3.0 support Server Name Indication and of
> course TLS 1.0. For those who are interested there are repos for C{4,5}
> located here:

My comments were/are based on the apache documentation (linked
previously in the thread), and the distro base as it ships. Your
packages work, yes, but do they function with the verisign cert he's
already got?

--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
 
04-09-2008, 08:44 PM
Jim Perrin

ssl and NameVirtualHost

On Wed, Apr 9, 2008 at 4:35 PM, David Hrbáč <hrbac.conf@seznam.cz> wrote:

> Jim, you are not right... SSL 3.0 support Server Name Indication and of
> course TLS 1.0. For those who are interested there are repos for C{4,5}
> located here:

Since I should have included this in my previous reply... I don't mind
being wrong, so long as it's documented.

Can you show the config for CentOS 4, (without the TLS packages you
list) to do name based vhosts with ssl? I'd be interested in this
myself. Given that the apache documentation for 2.0.x says it can't be
done, I was basing my statements off that.

--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell