December 16th, 2004, 11:06 PM
SSL Certificates Problem
I make 2 different ssl certificates with openssl for apache web server using these commands:
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 10000 -key ca.key -out ca.crt
and removing passphrase with openssl -rsa -in ca.key -out ca.key
With this, I made 2 certificates one for www.domain.com and another for mail.domain.com
I putted in httpd.conf with a syntax like that:
SSLCertificateFile /etc/httpd/newssl/ca.crt *
SSLCertificateKeyFile /etc/httpd/newssl/ca.key *
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
* = the host www.domain.com is another files named wwwca.key/crt not the sames ofcourse
And I have this problem
It workss just fine but either www.domain.com and mail.domain.com uses the mail.domain.com SSL Certificate. The problem: It cause warning messages when trying to reach https://www.domain.com saying that the crt is for mail.domain.com
Any solutions ?
Everyone gets away with something. No one gets away with everything...
December 17th, 2004, 08:52 AM
As far as I know, the SSL handshake occurs before the HTTP1.1
request resolves for the name-based virtual host directory.
Hence, Name-based virtual hosting cannot be used with SSL secure servers
because of that very nature of the SSL protocol.
I assume that the warning is for www.domain.com because (I guess)
a nslookup for your IP will return mail.domain.com.
The only way out I see is to switch to IP-based virtual hosts, which
might not be easily available.
/edit: quite a good read has been done by Robert Colbey.
excellent - I've stumpled across an answer, which is almost identical
to mine. However, two more suggestions are given:
2. could work for you,
2. Obtained a wildcard certificate in the form of "*.domain.com"
3. Use a different Port for each Name-Based Virtual Host
3. I guess not (if both are assumed to use port 80)
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
December 18th, 2004, 06:48 AM
Absolutely right you must use IP based vrtual hosts. It's the only way I ever got it to work. That was such a pain in the ass. SSL can kiss my ass. I hate that 2 weeks, wasted learning that.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson