SSL and ISPConfig/Apache issues (Help!)
we're trying to get SSL support working under ISPConfig (and/or Apache) and it's just not working. i'm hoping somebody here might have some suggestions.
it's a SLES10 machine with postfix-2.2.9-10 with courier-imap-4.0.6-15, apache2-2.2.3-16.2, mysql-5.0.18-20.8, i can't find the version number for ISPConfig, but i'm pretty sure it's the latest release,it was only installed last month.
the system is hosting about 20 or so virtual domains, and we want to enable squirrelmail over SSL, but we're having trouble getting apache to work with ssl properly. we don't know if this is an ISPConfig problem or something else in apache, so i'm here asking for help.
uname -a returns Linux <hostname removed> 22.214.171.124-0.9-smp #1 SMP Tue Feb 13 09:35:18 UTC 2007 i686 i686 i386 GNU/Linux
we're using openssl-0.9.8a-18.13, and that appears to be installed correctly. Webmin and postfix/courier are using SSL with no problems at all, webmin in particular runs on https perfectly. i can connect to pop3/pop3s, imap/imaps, all of that stuff works without a hitch.
but, when we try to connect to apache on any port via https, it doesn't work. we can connect to http://domain:80 and http://domain:443, but without ssl. i've tried everything i can think of, followed a number of howtos and advice from quite a few troubleshooting tips and tricks, but to no avail. nothing we try works. we've tried enabling SSL via the ISPConfig control panel, that doesn't seem to help either. what are we doing wrong?
if you need to see the various config files and so on, let me know. anyone with suggestions or questions can e-mail me directly, mac AT triad DOT ath DOT cx. we're kind of under a deadline, i'd like to get this sorted before the server has to go live. we can go live without SSL if we have to, but we'd really prefer to have this working first. thanks in advance for any help.
Have you enabled SSL as described here:
The configuration for SLES should be similar.
yes, SSL and Apache are configured just as that Howto says to do them.
what's happening is, everything indicates that we have to use the line "SSLEngine On" for the virtual host we want to enable SSL with. but if we use that, at startup Apache returns this error:
"[error] Init: Multiple RSA server certificates not allowed"
obviously it's loading another certificate somewhere, or thinks it is. we can't for the life of us see where in the config it's doing that, though, which is what makes me thing maybe it's something in ISPConfig, 'cause we can't find anything in Apache that might be responsible. perhaps we're looking in the wrong place or looking for the wrong thing?
indicates that this might be a problem with Apache and a statically compiled mod_ssl, and that recompiling Apache with mod_ssl as a DSO worked for him. i'm not sure that's our answer, but i'm running out of ideas, and it seems like an awful lot of folks have had issues getting SSL working under Apache 2.2.x.
any further suggestions before i either try to recompile with mod_ssl as a DSO or uninstall Apache 2.2.3 and revert to Apache 2.0.59?
Single IP address?
well, technically it has two IP addresses. the machine has two NICs, configured with one public IP address and one private IP address. it is set up to listen for internet traffic on the public IP and local network traffic on the private IP.
Apache and pretty much most all other services are set up to listen on both interfaces. could this be causing a problem? the current apache config doesn't name any addresses specifically, it uses *:80 and *:443 for pretty much everything.
what i can't figure out is where that error "Multiple RSA server certificates not allowed" is coming from when we load SSLEngine On. we've tried using Listen 443 https in listen.conf but that returns the same error. my guess is, it's calling SSL from somewhere else during apache's initial startup, but buggered if i can see where.
Without doing a bit of 'cheating', you can only have one SSL cert per IP address. See here:
It may be that it is barfing on the *:443 entry. My config only has a :443 when there is an active SSL, and never with a *:443...
yes, i understand this. one cert per address. so far as i know, we are only using one cert total. where is it loading the second cert? do we need to disable the second NIC in order to make this work?
what i'm having trouble understanding is how/why/where it's loading the second cert from. the config, as near as i can tell, only calls for the one cert. where are the references to any others?
would the *:443 cause it to respond with that multiple RSA error message? that's what i'd really like to figure out. what's causing that error. if we could at least identify, hopefully eliminate, whatever is referencing SSL and/or RSA before the SSLEngine On statement, that would really help.
I have a similar config, in that I have multiple domains on a server with 1 IP and only a couple of them need SSL. I have it set up with NO ssl enabled in ispconfig on any of the domains - vhosts has no ref at all to :443, and for any domain that needs ssl I add an entry in apache2.conf, below the line that calls vhosts_ispconfig.conf that is the def for that ssl virtual host:
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
ScriptAlias /cgi-bin/ /var/www/webxx/cgi-bin/
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
AddType application/x-httpd-php .php .php3 .php4 .php5
php_admin_flag safe_mode Off
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
Alias /error/ "/var/www/webxx/web/error/"
ErrorDocument 400 /error/invalidSyntax.html
ErrorDocument 401 /error/authorizationRequired.html
ErrorDocument 403 /error/forbidden.html
ErrorDocument 404 /error/fileNotFound.html
ErrorDocument 405 /error/methodNotAllowed.html
ErrorDocument 500 /error/internalServerError.html
ErrorDocument 503 /error/overloaded.html
AliasMatch ^/~([^/]+)(/(.*))? /var/www/webxx/user/$1/web/$3
AliasMatch ^/users/([^/]+)(/(.*))? /var/www/webxx/user/$1/web/$3
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
i.e. it is an ispconfig ssl server def, moved out of the vhosts file
Why do you add this manually? This config is written when you enable SSL in ISPConfig automatically.
|All times are GMT +2. The time now is 00:50.|
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.