ssl and multiple virtual hosts in apache

[max123]

hi all,
ive read the stuff on apache and other posting on this topic but still cant seem to figure out what i'm doing wrong.
so i get that i cant use name based virtaul hosts for ssl. i also get that need to use a sp ip address for each virtual host configured in the httpd.conf.
so i do following :
but it doesnt work.
and i cant seem to figure out why cus from all the reading ive done i'm doing everything right.
i have an ip interface (.yyy) on physical machine with ip .xxx. i have therfore ip based virtual hosts as below and listen directives as below and a NameVirtualHost for each ip and port . But i still dont get apache to come up.
can anyone pt me to the possibly the obvious/or not so obvoius thing that i'm doing wrong?

my httpd.conf file is as below

... some irrelavant directives eg.
ServerRoot "APACHE_ROOT_DIR"
<IfModule !mpm_winnt.c>
<IfModule !mpm_netware.c>
#LockFile logs/accept.lock
</IfModule>
</IfModule>

<IfModule prefork.c>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 5000
</IfModule>
...
...then juicy stuff...
Listen 162.109.xx.xxx:9090
Listen 162.109.xx.yyy:9095
...


NameVirtualHost 162.109.xx.xxx:9090
NameVirtualHost 162.109.xx.yyy:9095

<VirtualHost 162.109.xx.xxx:9090>
ServerAdmin me@162.109.xx.xxx
DocumentRoot "/usr/local/AdventNet/WebNMS"
ServerName 162.109.xx.xxx
SSLEngine on
SSLCertificateFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/server.cer
SSLCertificateKeyFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/server.key
SSLCertificateChainFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/cachain.crt

</VirtualHost>

<VirtualHost 162.109.xx.yyy:9095>
DocumentRoot "/usr/local/AdventNet/virtual"
ServerAdmin me@162.109.xx.yyy
ServerName 162.109.xx.yyy
SSLEngine on
SSLCertificateFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/virtual/server.cer
SSLCertificateKeyFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/virtual/server.key
SSLCertificateChainFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/virtual/cachain.crt
</VirtualHost>

Include "TOMCAT_ROOT_DIR/conf/mod_jk.conf-nms"
Alias /perf/ 'WEBNMS_ROOT_DIR/webclient/perf/'
# Entry for blocking webclient directory from listing
<Directory "WEBNMS_ROOT_DIR/webclient">
# Tyco turned this off to match BT security standards - PR00217
# Options FollowSymLinks
AllowOverride None
</Directory>

JkMount /*.ajax ajp13
JkMount /*.spring ajp13


in ssl.conf i have following:

....taken out some comments to make the posting brief....
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache none
#SSLSessionCache shmht:logs/ssl_scache(512000)
#SSLSessionCache shmcb:logs/ssl_scache(512000)
#SSLSessionCache dbm:logs/ssl_scache
#SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
#SSLMutex file:logs/ssl_mutex

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

##
## SSL Virtual Host Context
##



# General setup for the virtual host
#DocumentRoot "C:/Progra~1/AdventNet/WebNMS"
#ServerName GBA85WS2153
#ErrorLog logs/error_log
#TransferLog logs/access_log

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
#NA SSLEngine on

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSL v2:+EXP:+eNULL

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
#SSLCertificateFile /usr/local/apache_2.0.43/conf/ssl.crt/server.crt
#SSLCertificateFile /usr/local/apache_2.0.43/conf/ssl.crt/server-dsa.crt
#NA SSLCertificateFile conf/ssl.crt/server.cer
#SSLCertificateFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/server.cer
#SSLCertificateFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/virtual/server.cer

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /usr/local/apache_2.0.43/conf/ssl.key/server.key
#SSLCertificateKeyFile /usr/local/apache_2.0.43/conf/ssl.key/server-dsa.key
#NA SSLCertificateKeyFile conf/ssl.crt/server.key
#SSLCertificateKeyFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/server.key
#SSLCertificateKeyFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/virtual/server.key

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /usr/local/apache_2.0.43/conf/ssl.crt/ca.crt
#SSLCertificateChainFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/cachain.crt
#SSLCertificateChainFile /usr/local/AdventNet/WebNMS/apache/conf/ssl.crt/virtual/cachain.crt


SSLOptions +StdEnvVars


SSLOptions +StdEnvVars


SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0



also looking in apache error gte following:

[Thu Nov 08 13:38:50 2012] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Nov 08 13:38:50 2012] [info] Loading certificate & private key of SSL-aware server
[Thu Nov 08 13:38:50 2012] [info] Loading certificate & private key of SSL-aware server
[Thu Nov 08 13:38:50 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Thu Nov 08 13:38:51 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Thu Nov 08 13:38:51 2012] [info] Init: Initializing (virtual) servers for SSL
[Thu Nov 08 13:38:51 2012] [info] Configuring server for SSL protocol
[Thu Nov 08 13:38:51 2012] [info] Configuring server for SSL protocol
[Thu Nov 08 13:38:51 2012] [info] mod_ssl/2.2.10 compiled against Server: Apache/2.2.10, Library: OpenSSL/0.9.7d
[Thu Nov 08 13:38:51 2012] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/AdventNet/WebNMS/apache/logs/jk-runtime-status
[Thu Nov 08 13:38:51 2012] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Nov 08 13:38:51 2012] [info] Loading certificate & private key of SSL-aware server
[Thu Nov 08 13:38:51 2012] [info] Loading certificate & private key of SSL-aware server
[Thu Nov 08 13:38:51 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Thu Nov 08 13:38:53 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Thu Nov 08 13:38:53 2012] [info] Init: Initializing (virtual) servers for SSL
[Thu Nov 08 13:38:53 2012] [info] Configuring server for SSL protocol
[Thu Nov 08 13:38:53 2012] [info] Configuring server for SSL protocol
[Thu Nov 08 13:38:53 2012] [info] mod_ssl/2.2.10 compiled against Server: Apache/2.2.10, Library: OpenSSL/0.9.7d
[Thu Nov 08 13:38:53 2012] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/AdventNet/WebNMS/apache/logs/jk-runtime-status
[Thu Nov 08 13:38:53 2012] [notice] Digest: generating secret for digest authentication ...
[Thu Nov 08 13:38:53 2012] [notice] Digest: done
[Thu Nov 08 13:38:54 2012] [notice] Apache/2.2.10 (Unix) DAV/2 mod_ssl/2.2.10 OpenSSL/0.9.7d mod_jk/1.2.26 configured -- resuming normal operations
[Thu Nov 08 13:38:54 2012] [info] Server built: Oct 28 2008 10:34:09
[Thu Nov 08 13:39:34 2012] [info] [client 162.109.xxxxxx] Connection to child 0 established (server 162.109.xxxxx:443)
[Thu Nov 08 13:39:34 2012] [info] Seeding PRNG with 136 bytes of entropy
[Thu Nov 08 13:39:36 2012] [info] Initial (No.1) HTTPS request received for child 0 (server 162.109.xxxxx:443)
[Thu Nov 08 13:39:36 2012] [error] [client 162.109.xxxxx] File does not exist: /usr/local/AdventNet/WebNMS/unauthenticatedservlets/com.adventnet.nms.servlets.ConnectionCheckServlet
[Thu Nov 08 13:39:36 2012] [info] [client 162.109.xxxx] Connection to child 1 established (server 162.109.xxxx:443)
[Thu Nov 08 13:39:36 2012] [info] Seeding PRNG with 136 bytes of entropy
[Thu Nov 08 13:39:36 2012] [info] Initial (No.1) HTTPS request received for child 1 (server 162.109.xxxx:443)
[Thu Nov 08 13:39:36 2012] [error] [client 162.109.xxxx] File does not exist: /usr/local/AdventNet/WebNMS/unauthenticatedservlets/com.adventnet.nms.servlets.ConnectionCheckServlet
[Thu Nov 08 13:39:38 2012] [info] [client 162.109.xxxx] Connection closed to child 1 with standard shutdown (server 162.109.xxxx:443)
[Thu Nov 08 13:39:38 2012] [info] [client 162.109.xx.xxx] Connection closed to child 0 with standard shutdown (server 162.109.xx.xxx:443)
[Thu Nov 08 13:39:41 2012] [info] removed PID file /usr/local/AdventNet/WebNMS/apache/logs/httpd.pid (pid=11964)
[Thu Nov 08 13:39:41 2012] [notice] caught SIGTERM, shutting down

[max123]

ppl, how come i'm not getting any help here - have i asked an obvious nonsense question ive been reading and messing about with this issue for about a week now with no solution - would really appreciate some pointers even if they are to say that u need to do more homework cus the answer is too easy for this forum and we dont wish to answer?? or wrds to that effect , in case ppl can confirm my config files are correct and that they dont know why i get the issue that affirmation would aslo be good as i knwo not to then waste time looking into that section and can look elsewheer to resolve the issue.

basic problem.
have httpd.conf for multiple virtaual hosts which i think is correct form my reading .
have additonal ssl.conf not sure what that does cus i' defining my private key ect as part of virtual hosts ...

but without virtual hosts, it works (ie. apache starts ok) - in this case my httpd.conf has default server config no virtaul directive, ssl.conf is module done as include directive and probably creates a ssl virtual host and all that starts up fine i can go to https and stuff works but above changes to get 2 virtual hosts stops it from working and although done reading and tried alsorts of suggestion etc... can make it work.
any pointers will be helpful thanks.

[till]

The most likely reason that apache does not start related to ssl are:

1) One of the defined ssl certificate files (crt, key or chain file) is missing.
2) One of the certs is broken (if a singöe char in one of the files is wrong, apache will not start).
3) A ssl cert consists of two files, the certificate and the key. If the key and crt does not beling together, apache will not start.

In all of these 3 cases, apache will not throw an error, it just wont start.

To find the problem, comment ou all ssl vhosts except of one and also comment out the ssl cert lines in this vhost and try to start apache without ssl in this vhost. If it works, enable ssl just in thsi vhost, if it does not start anymore then create a new self signed ssl cert for this vhost and use just this crt and key (no chain) certificate and try again to to find the reason for yozr problem.

[max123]

Till,
Thanks.
i tried all your suggestions and basically even getting a basic non http didnt work, nor did a single ssl vhost.

i left all the default main server entries in httpd.conf and commented out vhost numbr 2, changed vhost 1 intially only server name, server admin, document root no ssl stuff - it didnt work and it still tried doing ssl , (assumed cus application startup script has lots ssl type statements)
then added in the ssl certificates etc... didnt work.
then as all ref for ssl were being mad eto /conf/ssl.conf and not httpd.conf .
i changed the diercetives from httpd.conf to ssl.conf similar to above.

ie ssl conf stated directive for enigne on and not in vhost etc...
still nothing worked.

my certificates are ok as they all work if i do the default setup.


i think its an issue with integration to AdventNet WebNMS application - what i would really appreciate is if any one out there has done multiple virtaul ssl vhosts in conjuction to adventNet webnms ?
as i think the issue is to do with the other startup, set senv.sh and config files that makeup the deployment of the webNMS product utilising a bundeled apache .. which are not allowing it work.

[ITG]

So lets examine your logs a little bit here...

Quote:

[Thu Nov 08 13:38:54 2012] [notice] Apache/2.2.10 (Unix) DAV/2 mod_ssl/2.2.10 OpenSSL/0.9.7d mod_jk/1.2.26 configured -- resuming normal operations
[Thu Nov 08 13:38:54 2012] [info] Server built: Oct 28 2008 10:34:09

The above tells me that apache has started. It is ready to begin serving requests at this point.

Quote:

[Thu Nov 08 13:39:34 2012] [info] [client 162.109.xxxxxx] Connection to child 0 established (server 162.109.xxxxx:443)
[Thu Nov 08 13:39:34 2012] [info] Seeding PRNG with 136 bytes of entropy
[Thu Nov 08 13:39:36 2012] [info] Initial (No.1) HTTPS request received for child 0 (server 162.109.xxxxx:443)

Apache received a request from client 162.109.xxxxxx

Quote:

[Thu Nov 08 13:39:36 2012] [error] [client 162.109.xxxxx] File does not exist: /usr/local/AdventNet/WebNMS/unauthenticatedservlets/com.adventnet.nms.servlets.ConnectionCheckServlet

Error message here shows that a file that the client asked for is not found.

Quote:

[Thu Nov 08 13:39:36 2012] [info] [client 162.109.xxxx] Connection to child 1 established (server 162.109.xxxx:443)
[Thu Nov 08 13:39:36 2012] [info] Seeding PRNG with 136 bytes of entropy
[Thu Nov 08 13:39:36 2012] [info] Initial (No.1) HTTPS request received for child 1 (server 162.109.xxxx:443)
[Thu Nov 08 13:39:36 2012] [error] [client 162.109.xxxx] File does not exist: /usr/local/AdventNet/WebNMS/unauthenticatedservlets/com.adventnet.nms.servlets.ConnectionCheckServlet

Looks like this was the second connection attempt, apache answered the request, but the file didn't exist.

Quote:

[Thu Nov 08 13:39:41 2012] [notice] caught SIGTERM, shutting down

Apache caught a SIGTERM kill code. This tells me that something issued a stop command or a kill command to apache's httpd process, and apache shut down due to the request sent to it.

Is there something in the WebNMS application that is sending the command to kill apache? I think i would look at that... It looks like your other configs are working because apache is starting. Keep your eye on the fact it's trying to find a file that isn't there.. maybe there is a path problem?

Hope this helps.