ISPConfig 3 / Apache Crash / SNI

#1 - Pasco, 16th November 2011, 18:32

Hi 2gether

I faced a very strange behavior and got a big problem now.

I upgraded to ISPConfig 3.0.4. Everything worked like a charm. Then I wanted to try out SNI for multiple SSL on one IP. So I activated SSL on two different webs, which didn't work. I always got the one certificate (that of the first activated SSL web), no matter which URL of the two SSL-activated webs I used.

Then all of a sudden apache2 didn't work anymore. I had a look into the apache2 log:

[Wed Nov 16 17:08:02 2011] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Nov 16 17:08:02 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Wed Nov 16 17:08:02 2011] [notice] Digest: generating secret for digest authentication ...
[Wed Nov 16 17:08:02 2011] [notice] Digest: done
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/imagick.ini on line 1 in Unknown on line 0
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/imap.ini on line 1 in Unknown on line 0
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/mcrypt.ini on line 1 in Unknown on line 0
[Wed Nov 16 17:08:02 2011] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Nov 16 17:08:02 2011] [notice] Apache/2.2.14 (Ubuntu) DAV/2 mod_fcgid/2.3.4 PHP/5.3.2-1ubuntu4.10 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.7(2010-01-10) mod_ssl/2.2.14 OpenSSL/0.9.8k configured -- resuming normal operations
[Wed Nov 16 17:08:05 2011] [notice] caught SIGTERM, shutting down

Then I tried to restart apache2 with /etc/init.d/apache2

I got 2 errors:

* Starting web server apache2 Warning: DocumentRoot [/var/www/[one_of_my_webs_SYMLINK]/web] does not exist
[Wed Nov 16 18:22:52 2011] [warn] _default_ VirtualHost overlap on port 443, the first has precedence

[fail]

So apache2 doesn't start anymore, not even the ISPConfig Webpanel.

I think I also activated "VServer-Server"... perhaps that was the problem?

And I tried to "Send a Message" or "Read a Message" in the Webpanel... nothing happened and then apache2 crashed and doesn't start again.

Can anybody please help me to get apache2/ISPConfig 3 running again?

Thanks so much again in advance
P@sco

Last edited by Pasco; 16th November 2011 at 19:09.
#2 - till, 17th November 2011, 08:30

This can have two reasons:

a) Either the Apache version or the OpenSSL version on your server does not support SNI. See Wikipedia for which server versions and browsers support SNI: http://en.wikipedia.org/wiki/Server_Name_Indication
b) The ssl cert of the second site is corrupted and has to be recreated.

Quote:
I think I also activated "VServer-Server"... perhaps that was the problem?
That's not related.

Quote:
Can anybody please help me to get apache2/ISPConfig 3 running again?
http://www.howtoforge.com/forums/sho...55&postcount=2
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3 - Pasco, 17th November 2011, 12:54

First of all: thanks for your reply and help.

Following are the versions of my apache2 and openssl:

Server version: Apache/2.2.14 (Ubuntu)
Server built: Nov 3 2011 03:29:23

OpenSSL 0.9.8k 25 Mar 2009

These versions should support SNI according to http://en.wikipedia.org/wiki/Server_Name_Indication.

So I just activate SSL on two different webs and SNI should work? (with a SNI capable browser of course)

Quote:
Quote:
Can anybody please help me to get apache2/ISPConfig 3 running again?
http://www.howtoforge.com/forums/sho...55&postcount=2
Great, that was the solution! Thanks a lot Till... you saved my day, apache2 is running again.


But why do I still get:

Code:
Warning: DocumentRoot [/var/www/[one_of_my_webs_SYMLINK]/web] does not exist
I deleted the concerning web2 a day ago via webpanel. I had no error message. Should I delete the still existing symlink in /var/www manually?

Thx
p@sco
#4 - till, 17th November 2011, 12:58

Quote:
I deleted the concerning web2 a day ago via webpanel. I had no error message. Should I delete the still existing symlink in /var/www manually?
No. Delete the symlink for the website that was removed in the /etc/apache2/sites-enabled folder.
#5 - Pasco, 20th November 2011, 17:51

OK I managed this, thanks.

If I enable SSL on two webs at the same time, I still get this error when I start apache2:

Code:
 * Restarting web server apache2                                                [Sun Nov 20 17:40:45 2011] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
 ... waiting [Sun Nov 20 17:40:47 2011] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
                                                                         [ OK ]
When I try to access the webs by https, I always get the cert from the first enabled SSL web and it always redirects me to that web.

In the vhost file there is a virtual host configured on *:443 and the paths to the certs of the corresponding web are correctly set.

apache2 and openssl versions are SNI capable. My browser too (Firefox Vers. 3.6.24 for Ubuntu).

I don't get it. What am I doing wrong?

Last edited by Pasco; 20th November 2011 at 21:27.
#6 - cbj4074, 15th December 2011, 18:25

I had the same issue. I have the solution, but let's outline the problem more thoroughly, first.


I want to take advantage of SNI support in ISPConfig > 3.0.4, but when I (re)start Apache, I see the following:

Code:
# service apache2 restart
 * Restarting web server apache2
[Thu Dec 15 09:03:32 2011] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
... waiting
[Thu Dec 15 09:03:33 2011] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
The relevant Apache documentation ( http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI ) states:

Quote:
How can you tell if your Apache build supports SNI? ... If SNI is built in, then the error log will show "[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)".
My software supports SNI as evidenced by the following message in my error log upon Apache startup:

Code:
[Thu Dec 15 09:03:33 2011] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
Further, if I examine the Apache environment variables (e.g. via PHP's phpinfo() function), I see:

Code:
_SERVER["SSL_TLS_SNI"]	example.com
So, Apache and my browser are SNI-enabled.


And now for the solution:

As always, "the devil is in the details".

The only part you missed was adding this to your Apache configuration, e.g., at the top of /etc/apache2/httpd.conf (this is from the same document that is referenced above):

Code:
# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443
Don't forget to restart Apache (a reload probably works just as well).
#7 - cbj4074, 15th December 2011, 18:53

I will add that for servers configured with multiple IP addresses, and with "IPv4-Address" (and/or "IPv6-Address") set to specific IP addresses in the drop-down menu (in Sites -> example.com -> Domain [tab]), the following will appear in the Apache error log:

Code:
# service apache2 restart
 * Restarting web server apache2
[Thu Dec 15 09:25:17 2011] [warn] NameVirtualHost *:80 has no VirtualHosts
[Thu Dec 15 09:25:17 2011] [warn] NameVirtualHost *:443 has no VirtualHosts
This is because when a specific IP address is selected, ISPConfig includes the IP address in the VirtualHost definition (rightfully so), e.g.:

Code:
<VirtualHost 123.456.789.012:443>
</VirtualHost>
Selecting the "*" option for each of these domains should work, too, but it increases the number of warnings in the log on Apache (re)start, e.g.:

Code:
# service apache2 restart
 * Restarting web server apache2
[Thu Dec 15 09:43:21 2011] [warn] NameVirtualHost 0.0.0.1:80 has no VirtualHosts
[Thu Dec 15 09:43:21 2011] [warn] NameVirtualHost 0.0.0.1:443 has no VirtualHosts
[Thu Dec 15 09:43:21 2011] [warn] NameVirtualHost 0.0.0.2:80 has no VirtualHosts
[Thu Dec 15 09:43:21 2011] [warn] NameVirtualHost 0.0.0.2:443 has no VirtualHosts
As a final point of note, don't ignore this statement in the Apache SNI documentation:

Quote:
Since the first (default) vhost will be used for any request where the provided server name doesn't match another vhost, it is important that the first vhost have the most restrictive access control, otherwise clients can access restricted resources by sending a request for any unknown hostname. (This isn't actually any different from using virtual hosts without SSL.)
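
Added example, not part of the original thread or of ISPConfig: a small Python check that models the two warnings from posts #6 and #7 (vhost overlap when `NameVirtualHost` is missing, and `NameVirtualHost ... has no VirtualHosts` when the addresses differ) and reports the first vhost per address, which the quoted Apache note says must carry the most restrictive access control. It assumes Apache 2.2 matching (the `NameVirtualHost` argument must equal the `<VirtualHost>` argument) and one address per `<VirtualHost>`; the name `audit_vhosts`, the hostnames and the address 192.0.2.10 are constructed for illustration.

```python
import re

# Constructed sample: two SSL sites on *:443 with no "NameVirtualHost *:443",
# plus a NameVirtualHost for an address that no <VirtualHost> uses.
SAMPLE_CONF = """\
NameVirtualHost 192.0.2.10:443
<VirtualHost *:443>
    ServerName site-a.example
</VirtualHost>
<VirtualHost *:443>
    ServerName site-b.example
</VirtualHost>
"""

NVH_RE = re.compile(r"^[ \t]*NameVirtualHost[ \t]+(\S+)", re.I | re.M)
VHOST_RE = re.compile(
    r"^[ \t]*<VirtualHost[ \t]+([^>\s]+)[ \t]*>(.*?)</VirtualHost>",
    re.I | re.M | re.S,
)
NAME_RE = re.compile(r"^[ \t]*ServerName[ \t]+(\S+)", re.I | re.M)


def audit_vhosts(conf):
    """Return (findings, defaults) for Apache 2.2-style name-based vhosts.

    Assumption: the NameVirtualHost argument must match the <VirtualHost>
    argument exactly, and each <VirtualHost> lists a single address.
    """
    conf = re.sub(r"^[ \t]*#.*$", "", conf, flags=re.M)  # drop comment lines
    named = set(NVH_RE.findall(conf))
    groups = {}  # address -> ServerNames in file order (dicts keep order)
    for addr, body in VHOST_RE.findall(conf):
        m = NAME_RE.search(body)
        groups.setdefault(addr, []).append(m.group(1) if m else "(no ServerName)")

    findings = []
    for addr, names in groups.items():
        # Several vhosts on one address without NameVirtualHost: Apache warns
        # about overlap and serves only the first one (and its certificate).
        if len(names) > 1 and addr not in named:
            findings.append(("overlap", addr))
    for addr in sorted(named - set(groups)):
        # NameVirtualHost that no <VirtualHost> matches: "has no VirtualHosts".
        findings.append(("no-vhosts", addr))

    # First vhost per address is the fallback for unknown hostnames, so it
    # is the one that needs the most restrictive access control.
    defaults = {addr: names[0] for addr, names in groups.items()}
    return findings, defaults
```

To check a real server, pass the concatenated contents of the Apache configuration and the files in /etc/apache2/sites-enabled to `audit_vhosts`.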
#8 - Pasco, 16th December 2011, 10:08

Great! Thanks for those explanations and the solution! SNI works perfectly now!