SSL Problem Not Found in Other Threads

Discussion in 'Installation/Configuration' started by sonoracomm, Mar 4, 2007.

  1. sonoracomm

    sonoracomm New Member

    Hi Folks,

    My problem is that when I try to access the only SSL-enabled web site on my server, the web server presents me with the wrong certificate. It works; it's just the wrong certificate (localhost.localdomain).

    I have followed instructions posted elsewhere in these forums by Till and Falco to create a CSR and paste/save the CACert.org certificate. The Vhosts_ispconfig.conf looks OK to me and is only included once in httpd.conf. I made no hand edits anywhere (in recent memory...this is not a new problem).

    The certificate the server presents is, I believe, /etc/httpd/conf/ssl.crt/server.crt pointed to by /etc/httpd/conf.d/ssl.conf.
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

    Maybe there was some (historic) modification to /etc/httpd/conf.d/ssl.conf causing this problem?

    The only error I see in the /var/www/web1/log/error.log when I restart is "[warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?".

    Any ideas anyone?

    Thanks in advance,

    G
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Are you able to access this website without SSL or do you get the shared IP page?
     
  3. sonoracomm

    sonoracomm New Member

    Everything works...and has been...just with the wrong certificate.

    I can't remember when this started or what kicked it off, but I have to suspect is was a web application application install or an upgrade. A yum update, maybe?

    Thanks,

    G
     
  4. sonoracomm

    sonoracomm New Member

    I temporarily fixed the problem by renaming these two files:

    /etc/httpd/conf/ssl.crt/server.crt
    /etc/httpd/conf/ssl.key/server.key

    and used symbolic links to the corresponding files in web1:

    ln -s /etc/httpd/conf/ssl.key/server.key /var/www/web1/ssl/www.sonoracomm.com.key
    ln -s /var/www/web1/ssl/www.sonoracomm.com.crt /etc/httpd/conf/ssl.crt/server.crt

    Then restarting the web server:

    /etc/init.d/httpd restart
    /etc/init.d/ispconfig_server restart

    I know this is not the right way to fix it, but it works.

    G
     
  5. sonoracomm

    sonoracomm New Member

    Web Site is Using the Wrong SSL Certificate

    I just installed a fresh ISPConfig installation on a fresh Centos 5 Perfect Install and I have the same problem I had on a previous Centos 4 server. I can't believe I'm the only one! ;-)

    This time, I have not come up with a work-around.

    When I try to access the first web site, and the first to be configured as SSL enabled, via SSL, I am presented with a certificate for localhost.localdomain. Through testing, I determined it is using this certificate:

    /etc/pki/tls/certs/localhost.crt

    But it should be using the cert in web1.

    I added a second IP addres and enabled SSL on another web site. It works as it should! It uses the cert in web17.

    Any clues anyone?

    Thanks in advance,

    G
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Please make sure that you do not have any SSL vhosts enabled in your apache configuration beside the vhsosts created by ISPConfig.
     
  7. sonoracomm

    sonoracomm New Member

    Hi Till,

    Thanks much for your response.

    Unfortunately, at my level of Apache skill, it may not tell me enough.

    There are no references to ssl or 443 in the main httpd.conf.

    The Vhosts_ispconfig.conf is included only once and my testing shows it is generated entirely by ISPConfig.

    There is a <VirtualHost _default_:443> section in /etc/httpd/conf.d/ssl.conf and it points at the problem localhost certificate. This is most likely the cause, somehow, of my problems.

    I tried removing the <VirtualHost _default_:443> section from the file. I also tried renaming the ssl.conf file. In both cases Apache will not restart.

    Do you have any further suggestions for me?

    TIA,

    G
     
  8. falko

    falko Super Moderator ISPConfig Developer

    What'S in Vhosts_ispconfig.conf, and what's the output of
    Code:
    ifconfig
    ?
     
  9. sonoracomm

    sonoracomm New Member

    Hi Falco,

    Thanks so much for your time.

    Here are the results if ifconfig:

    eth0 Link encap:Ethernet HWaddr 00:16:3E:38:F6:01
    inet addr:192.245.12.114 Bcast:192.245.12.255 Mask:255.255.255.0
    inet6 addr: fe80::216:3eff:fe38:f601/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:471281 errors:0 dropped:0 overruns:0 frame:0
    TX packets:149418 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:85985564 (82.0 MiB) TX bytes:66483225 (63.4 MiB)

    eth0:0 Link encap:Ethernet HWaddr 00:16:3E:38:F6:01
    inet addr:192.245.12.116 Bcast:192.245.12.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:37053 errors:0 dropped:0 overruns:0 frame:0
    TX packets:37053 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:5463001 (5.2 MiB) TX bytes:5463001 (5.2 MiB)

    Here are the contents of the vhosts file:

    http://www.sonoracomm.com/dmdocuments/Vhosts_ispconfig.conf

    (If you use https:// you will see the incorrect certificate too)

    Thanks,

    G
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Which exact error message do you get in the apache error log when you remove the default ssl vhost and restart apache?
     
  11. sonoracomm

    sonoracomm New Member

    Thanks for your time, Till.

    I beat this up and I looked in every log file I could find including /root/ispconfig/httpd/logs/*. There are no error messages at all. Apache just doesn't start when I do:

    service httpd stop
    service httpd start

    or if I do

    service httpd restart

    I deleted the entire section <VirtualHost _default_:443>...</VirtualHost> from ssl.conf. Obviously, it is necessary somehow. I just don't know how. :mad:

    Also, this command outputs the correct results:

    openssl x509 -in /var/www/web1/ssl/www.sonoracomm.com.crt -noout -text

    I sure hope I am learning something from this frustration...

    Thanks,

    G
     
    Last edited: Jul 28, 2007
  12. sonoracomm

    sonoracomm New Member

    just a bump...
     

Share This Page