ISPConfig 3 / Apache Crash / SNI

[Pasco]

Hi 2gether

I faced a very strange behavior and got a big problem now.

I upgraded to ISPConfig 3.0.4. Everything worked liked a charm. Then I wanted to try out SNI for multiple SSL on one IP. So I activated SSL on two different webs. Which didn't worked. I alway got the one (the first activated SSL Web) certificate, no matter if I took the one or other URL from the both SSL activated webs.

Then all of a sudden apache2 didn't worked anymore. I had a look into the apache2 log:

[Wed Nov 16 17:08:02 2011] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Nov 16 17:08:02 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Wed Nov 16 17:08:02 2011] [notice] Digest: generating secret for digest authentication ...
[Wed Nov 16 17:08:02 2011] [notice] Digest: done
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/imagick.ini on line 1 in Unknown on line 0
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/imap.ini on line 1 in Unknown on line 0
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/mcrypt.ini on line 1 in Unknown on line 0
[Wed Nov 16 17:08:02 2011] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Nov 16 17:08:02 2011] [notice] Apache/2.2.14 (Ubuntu) DAV/2 mod_fcgid/2.3.4 PHP/5.3.2-1ubuntu4.10 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.7(2010-01-10) mod_ssl/2.2.14 OpenSSL/0.9.8k configured -- resuming normal operations
[Wed Nov 16 17:08:05 2011] [notice] caught SIGTERM, shutting down

Then I tried to restart apache2 with /etc/init.d/apache2

I got 2 errors:

* Starting web server apache2 Warning: DocumentRoot [/var/www/[one_of_my_webs_SYMLINK]/web] does not exist
[Wed Nov 16 18:22:52 2011] [warn] _default_ VirtualHost overlap on port 443, the first has precedence

[fail]

So apache2 doesn't start anymore, even not the ISPConfig Webpanel..

I think I also actived "VServer-Server"..perhaps that was the problem?

And I tried to "Send a Message" or "Read a Message" in the Webpanel..nothing happend and then apache2 crashed down and doesn't start again.

Can anybody please help me to get apache2/ISPConfig 3 running again?

Thanks so much again in advance
P@sco

[till]

This can have two resaons:

a) Either the apache version or openssl version on your server does not support SNI. See wikipedia which server versions and browsers support SNI: http://en.wikipedia.org/wiki/Server_Name_Indication
b) The ssl cert of the second site is corrupted and has to be recreated.

Quote:

I think I also actived "VServer-Server"..perhaps that was the problem?

Thats not related.

Quote:

Can anybody please help me to get apache2/ISPConfig 3 running again?

http://www.howtoforge.com/forums/sho...55&postcount=2

[Pasco]

First of all: thanks for your reply and help.

Following are the versions of my apache2 and openssl:

Server version: Apache/2.2.14 (Ubuntu)
Server built: Nov 3 2011 03:29:23

OpenSSL 0.9.8k 25 Mar 2009

This versions should support SNI following http://en.wikipedia.org/wiki/Server_Name_Indication.

So I just activate SSL on two different webs and SNI should work? (with a SNI capable browser of course)

Quote:

Quote:
Can anybody please help me to get apache2/ISPConfig 3 running again?
http://www.howtoforge.com/forums/sho...55&postcount=2

Great, that was the solution! Thanks a lot Till..you saved my day, apache2 is running again .


But why do I still get:

Code:

Warning: DocumentRoot [/var/www/[one_of_my_webs_SYMLINK]/web] does not exist

I deleted the concerning web2 a day ago via webpanel. I had no error message. Should I delete the still existing symlink in /var/www manually?

Thx
p@sco

[till]

Quote:

I deleted the concerning web2 a day ago via webpanel. I had no error message. Should I delete the still existing symlink in /var/www manually?

No. Delete the symlink for the website that was removed in the /etc/apache2/sites-enabled folder

[Pasco]

OK I managed this, thanks.

If I enable SSL on two webs at the same time, I got still this error, if I start apache2:

Code:

 * Restarting web server apache2                                                [Sun Nov 20 17:40:45 2011] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
 ... waiting [Sun Nov 20 17:40:47 2011] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
                                                                         [ OK ]

When I try to access the webs by https I got always the cert from the first enabled SSL web and it redirects me always to that web.

In the vhost-file there is configured a virtual host on *:443 and the paths to the certs of the corresponding web are correct set.

apache2 and openssl Version are SNI capable. My browser too (Firefox Vers. 3.6.24 for Ubuntu)

I don't get it. What I'm doing wrong?

[cbj4074]

I had the same issue. I have the solution, but let's outline the problem more thoroughly, first.


I want to take advantage of SNI support in ISPConfig > 3.0.4, but when I (re)start Apache, I see the following:

Code:

# service apache2 restart
 * Restarting web server apache2
[Thu Dec 15 09:03:32 2011] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
... waiting
[Thu Dec 15 09:03:33 2011] [warn] _default_ VirtualHost overlap on port 443, the first has precedence

The relevant Apache documentation ( http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI ) states:

Quote:

How can you tell if your Apache build supports SNI? ... If SNI is built in, then the error log will show "[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366).

My software supports SNI as evidenced by the following message in my error log upon Apache startup:

Code:

[Thu Dec 15 09:03:33 2011] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

Further, if I examine the Apache environment variables (e.g. via PHP's phpinfo() function), I see:

Code:

_SERVER["SSL_TLS_SNI"]	example.com

So, Apache and my browser are SNI-enabled.


And now for the solution:

As always, "the devil is in the details".

The only part you missed was adding this to your Apache configuration, e.g., at the top of /etc/apache2/httpd.conf (this is from the same document that is referenced above):

Code:

# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443

Don't forget to restart Apache (a reload probably works just as well).

[cbj4074]

I will add that for servers configured with multiple IP addresses, and with "IPv4-Address" (and/or "IPv6-Address") set to specific IP addresses in the drop-down menu (in Sites -> example.com -> Domain [tab]), the following will appear in the Apache error log:

Code:

# service apache2 restart
 * Restarting web server apache2
[Thu Dec 15 09:25:17 2011] [warn] NameVirtualHost *:80 has no VirtualHosts
[Thu Dec 15 09:25:17 2011] [warn] NameVirtualHost *:443 has no VirtualHosts

This is because when a specific IP address is selected, ISPConfig includes the IP address in the VirtualHost definition (rightfully so), e.g.:

Code:

<VirtualHost 123.456.789.012:443>
</VirtualHost>

Selecting the "*" option for each of these domains should work, too, but it increases the number of warnings in the log on Apache (re)start, e.g.:

Code:

# service apache2 restart
 * Restarting web server apache2
[Thu Dec 15 09:43:21 2011] [warn] NameVirtualHost 0.0.0.1:80 has no VirtualHosts
[Thu Dec 15 09:43:21 2011] [warn] NameVirtualHost 0.0.0.1:443 has no VirtualHosts
[Thu Dec 15 09:43:21 2011] [warn] NameVirtualHost 0.0.0.2:80 has no VirtualHosts
[Thu Dec 15 09:43:21 2011] [warn] NameVirtualHost 0.0.0.2:443 has no VirtualHosts

As a final point of note, don't ignore this statement in the Apache SNI documentation:

Quote:

Since the first (default) vhost will be used for any request where the provided server name doesn't match another vhost, it is important that the first vhost have the most restrictive access control, otherwise clients can access restricted resources by sending a request for any unknown hostname. (This isn't actually any different from using virtual hosts without SSL.)

[Pasco]

Great! Thanks for that explanations and the solution! SNI works perfectly now !