Apache2 and multiple SSL configs and name based virtual hosting

Discussion in 'Server Operation' started by Creator1326, Dec 8, 2005.

  1. Creator1326

    Creator1326 New Member

    Apache/2.0.55 DAV/2 PHP/5.0.4 mod_ssl/2.0.55 OpenSSL/0.9.7i

    I have two virtual hosts that need SSL certs and I have them configured, but whichever one is listed is the one that sends out its cert and overrides the other SSL config.

    I have tried to place IfDefines around the two SSL virtual hosts but still a no go, I can't figure out how to separate them to keep the SSL certs from overlapping. Any Ideas?

    Above them is some related stuff, not necessarily in this order:
    Listen 172.16.0.2:80
    Listen 172.16.0.2:443
    NameVirtualHost 172.16.0.2:80
    NameVirtualHost 172.16.0.2:443

    AcceptMutex flock
    SSLProtocol all
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:/opt/apache2/logs/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex flock:/opt/apache2/logs/ssl_mutex
    SSLRandomSeed startup builtin

    Here's one of the two SSL vhosts; both are subdomains of two different domains.

    <VirtualHost host.domain.org:443>
    # General setup for the virtual host
    DocumentRoot /opt/apache2/htdocs/host
    #ServerName has to match the server you entered into the CSR
    ServerName host.domain.org
    ServerAdmin webmaster@domain.org
    ErrorLog logs/host-error_log
    TransferLog logs/host-access_log
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLProtocol all
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    # Path to your certificates and private key
    SSLCertificateFile /opt/apache2/conf/ssl.crt/host.crt
    SSLCertificateKeyFile /opt/apache2/conf/ssl.key/host.key
    SSLCACertificateFile /opt/apache2/conf/ssl.crt/ca.crt
    <Files ~ "\.(cgi|shtml|phtml|php3?|php5?)$">
    SSLOptions +StdEnvVars
    </Files>
    <Directory /opt/apache2/cgi-bin>
    SSLOptions +StdEnvVars
    </Directory>
    # correction for browsers that don't always handle SSL connections well
    SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    </VirtualHost>
     
  2. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Are the hosts on different IP addresses? Apache supports only one SSL vhost for each IP address.
     
  3. Creator1326

    Creator1326 New Member

    Ahh that was it, that's pretty dumb that you can only have one SSL per IP.
     
  4. themachine

    themachine New Member HowtoForge Supporter ISPConfig Developer

    hmmm... no, not really. There is a reason for this limitation... it's not as if they just decided "hey, let's piss everyone off and make them use a unique IP".... ;)
     
  5. xinea

    xinea New Member

    apache..ssl vhost..one ip @

    I'm working on apache2 and I have created 2 SSL vhosts for one IP @.. it works!.. I don't know if it is applicable with apache1.3..

    I know it has been a year since this question was asked.. maybe you knew it before now...

    anyway,
     
  6. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Which exact apache version do you use?
     
  7. xinea

    xinea New Member

    apache version

    Apache 2.0.54 (Debian GNU/Linux)
     
  8. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    If you do it this way, you'll always see warnings in your browser.
     
  9. xinea

    xinea New Member

    did u mean like these warnings on apache server console?

    >>[Thu Nov 02 06:10:22 2006] [warn] NameVirtualHost 192.168.2.2:443 has no VirtualHosts
    [Thu Nov 02 06:10:22 2006] [warn] NameVirtualHost 192.168.2.2:443 has no VirtualHosts<<

    if so, may i ask: does this affect the situation? i meant the security level?

    or the usual browser warning when moving from http to https? if so, u're absolutely right!
     
    Last edited: Nov 2, 2006
  10. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    These are no SSL warnings. I guess falko meant that you get an SSL security warning in your browser that the domain of your SSL certificate does not match the domain of the vhost.
     
  11. xinea

    xinea New Member

    yes, sure.. for that my certificate is for one vhost.. all the other vhosts will produce a warning when viewing through a browser....
    but you can proceed with it and get a secure site.

    an okay.. now i understand why you said before that we can only create one ssl vhost for an IP @ :eek: (sorry it took me a couple of days to explore it!)
     
    Last edited: Nov 2, 2006
  12. scheperw

    scheperw New Member

    Blanket Certs

    This is an old thread but wondering if anyone has had success with multiple SSL virtual hosts using a blanket cert (*.yourdomain.com). This would eliminate the browser warning as long as both sites utilize the same domain.
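
An added example, not part of the thread: a small Python check of which vhost names a single certificate covers when every name-based vhost on one IP:443 is served the same certificate, as in the mismatch warning and the wildcard ("blanket") certificate discussed above. The function names and the hostname `www.example.net` are constructed for illustration; `host.domain.org` and `*.yourdomain.com` are taken from the posts.

```python
# Added example: certificate-name coverage for vhosts sharing one IP:443.

def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (exact or '*.domain.tld') covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label, never several
    if p[0] == "*":
        # Only a whole left-most-label wildcard is handled here.
        # Assumption of this example: reject wildcards directly under a
        # top-level label such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def audit_shared_ip(cert_names, vhosts):
    """Map each vhost name to whether the one presented certificate covers it.

    Models the thread's setup: all name-based vhosts on the same IP:443
    receive the same certificate, so an uncovered vhost produces a
    name-mismatch warning in the browser.
    """
    return {v: any(name_matches(n, v) for n in cert_names) for v in vhosts}


if __name__ == "__main__":
    # Constructed sample data.
    # Case 1: single-name certificate, vhosts on two different domains.
    print(audit_shared_ip(["host.domain.org"],
                          ["host.domain.org", "www.example.net"]))
    # Case 2: wildcard certificate shared by several vhosts.
    print(audit_shared_ip(["*.yourdomain.com"],
                          ["a.yourdomain.com", "b.yourdomain.com",
                           "yourdomain.com", "a.b.yourdomain.com",
                           "www.example.net"]))
```

The second case shows the limits of the wildcard approach: it covers sibling subdomains only, not the bare domain, deeper subdomains, or a vhost on a different domain such as the original poster's second site.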
     
