Login or Register to Ask a Question and Join Our Community


UNIX for Advanced & Expert Users

Apache ssl questions for experts

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Top Forums UNIX for Advanced & Expert Users Apache ssl questions for experts
# 1  
Old 07-10-2008
Apache ssl questions for experts
Hi,

I have configured apache 2.0.59 with mod_ssl to set up a proxy to my app server. Incomming traffic https outgoing http. The listen port for the ssl port is 8050 not 443. When I start the server and I test it i get an error message. I googled for it and found the following expaination.

Your error: "[Hint: Subject CN in certificate not server name or
identical to CA!?]"

means: the Common Name in the certificate is not the same as the
ServerName in the URL - e.g. the certificate belongs to abcdef.com
but you are using it in a server whose URL is uvwxyz. This makes
the browser think your site is impersonating another site and so throws
a warning.

But what do I have to do to sove it?

Cheers
Markus
# 2  
Old 07-10-2008
You should regenerate your Apache server cert to reflect how people will access from the URL.

However, be noted that if your setup requires name-based virtual hosting this will not work. Make sure you read the following two FAQs and your case does not apply:

http://httpd.apache.org/docs/2.0/ssl...q.html#vhosts2
SSL/TLS Strong Encryption: FAQ - Apache HTTP Server
# 3  
Old 07-11-2008
Hi,

here my configuration:

The simple question is. Is this possible or not?


----------------------



#SSL PORT 1, LISTENS ON BOTH INTERFACES TO MAKE A LATER MIGRATION EASIER
Listen web1.service.de2.sp.somecompany.com:58401
Listen web1-fe.service.de2.sp.somecompany.com:58401
NameVirtualHost web1.service.de2.sp.somecompany.com:58401
NameVirtualHost web1-fe.service.de2.sp.somecompany.com:58401


#SSL PORT 2, LISTENS ON BOTH INTERFACES TO MAKE A LATER MIGRATION EASIER
Listen web1-fe.service.de2.sp.somecompany.com:58406
Listen web1.service.de2.sp.somecompany.com:58406
NameVirtualHost web1.service.de2.sp.somecompany.com:58406
NameVirtualHost web1-fe.service.de2.sp.somecompany.com:58406

######################################################################
###
### Host for HTTPS access
###

<VirtualHost web1.service.de2.sp.somecompany.com:58401 web1-fe.service.de2.sp.somecompany.com:58401>

ServerName service-lit-uk.sp.somecompany.com

SSLEngine on

LogLevel warn

ErrorLog "|/opt/SP/apacheas/current/bin/rotatelogs \
/opt/SP/apacheas/current/logs/http_error_58401_log.%Y%m%d%H%M 600 120"

CustomLog "|/opt/SP/apacheas/current/bin/rotatelogs \
/opt/SP/apacheas/current/logs/http_access_58401_log.%Y%m%d%H%M 600 120" combined

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

ProxyPass / http://l1-v10.service.de2.sp.somecompany.com:8081/
ProxyPassReverse / http://l1-v10.service.de2.sp.somecompany.com:8081/
ProxyHTMLURLMap http://l1-v10.service.de2.sp.somecompany.com:8081/ /
RequestHeader unset Accept-Encoding

SSLCertificateFile /opt/SP/apacheas/current/conf/service-uk.crt/service-uk.cer
SSLCertificateKeyFile /opt/SP/apacheas/current/conf/service-uk.crt/service-uk.key
SSLProtocol -all +TLSv1 +SSLv3

</VirtualHost>

##################################
###
### Host for OTHER Trigger
###
<VirtualHost web1.service.de2.sp.somecompany.com:58406 web1-fe.service.de2.sp.somecompany.com:58406>

ServerName service-lit-uk.sp.somecompany.com

SSLEngine on

LogLevel warn

ErrorLog "|/opt/SP/apacheas/current/bin/rotatelogs \
/opt/SP/apacheas/current/logs/http_error_58406.%Y%m%d%H%M 600 120"

CustomLog "|/opt/SP/apacheas/current/bin/rotatelogs \
/opt/SP/apacheas/current/logs/http_access_58406.%Y%m%d%H%M 600 120" combined

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

RequestHeader unset Accept-Encoding

ProxyPass / http://l1-v10.service.de2.sp.somecompany.com:8050/
ProxyPassReverse / http://l1-v10.service.de2.sp.somecompany.com:8050/
ProxyHTMLURLMap http://l1-v10.service.de2.sp.somecompany.com:8050/ /

SSLCertificateFile /opt/SP/apacheas/current/conf/service-uk.crt/service-uk.cer
SSLCertificateKeyFile /opt/SP/apacheas/current/conf/service-uk.crt/service-uk.key
SSLCACertificateFile /opt/SP/apacheas/current/conf/service-uk.crt/ca.cer
SSLProtocol -all +TLSv1 +SSLv3

</VirtualHost>

------------------------------------
# 4  
Old 07-12-2008
I think your case matches the name-based virtual hosting scenario mentioned in the FAQ, and dedicated SSL is only possible if you can switch to IP-based virtual hosting (that means multiple IP addresses one for each virtual host).
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. Linux

Apache wildcard ssl on subdomain serves same page for non ssl virtualhosts

Issue observed: I have configured ng.my-site.com using widlcard ssl cert. When I hit https://www.my-site.com it loads ng.my-site.com website! please advise if I missed any concept / configs... Thank you! httpd.conf <VirtualHost *:80> ServerName www.my-site.com ServerAdmin... (0 Replies)
Discussion started by: ashokvpp
0 Replies

2. Shell Programming and Scripting

Couple of easy questions for experts on awk/sed

Hello Experts.. I have 3-4 C codes with Oracle SQL statements embedded. All the SQL statements starts with EXEC SQL keyword and ends with ;. I want to extract all the SQL statements out of these codes. I did awk '/^EXEC SQL/,/\;/' inputFile (I use this on all of the codes individually). That... (2 Replies)
Discussion started by: juzz4fun
2 Replies

3. IP Networking

configure apache to work with ssl

Hi, I need help to configure the apache to work with ssl. I have managed to create self-signed certificate according to the instruction in the following link. So I have the crt file and the key file. however when I add: <Virtualhost *:443> SSLEngine on ... (1 Reply)
Discussion started by: programAngel
1 Replies

4. Web Development

Apache, cgi script run twice when ssl, once when not ssl

I have interesting problem. https:/host/some/x.cgi - this script has run twice when I call this url But http:/host/some/x.cgi work fine, only once. Output is text/plain. If I change output format to the Content-type text/html, then both urls works fine - executed only once. (2 Replies)
Discussion started by: kshji
2 Replies

5. Web Development

apache ssl routing 2 dns

Hi i'm looking for some advice on apache ssl routing for 2 url.Fyi one url is certificate is verified by GeoTrust and another url on the other site certificate is verified by Verisgn.Is that possible to routing between this two url. Here is my scenario I have an https:// site running on an... (0 Replies)
Discussion started by: netxus
0 Replies

6. Web Development

Apache SSL Help

I had to update the CA Trusted Chains on two different UNIX servers running Apache. After looking through some documentation, it said that after the new CA's were installed, I had to run the /usr/ccs/bin/make command in order to create the symbolic links for apache to recognize the certs. On the... (1 Reply)
Discussion started by: camerodity
1 Replies

7. Solaris

SSL key Apache

We are running Apache 1.3 on solaris 8 we have renewed our ssl key with verisign. They have confirmed renewel and new ssl certifcate is appended to the end of the email. out apache config file has two directives SSLCertificateFile /export/home/apache/conf/ssl.crt/xxxx.crt SSLCertificationKeyFile... (2 Replies)
Discussion started by: Tirmazi
2 Replies

8. UNIX for Dummies Questions & Answers

Unix Experts Answer this INterview Questions please

1, why Boot server should be in a network in jumpstart? 2, what is the different between patch and package? 3, how to list the avilable NIC in solaris9? 4, User complaing system is slow (solaris) what are the steps to check? 5, what is hardware error and software error and Transport Error? in... (5 Replies)
Discussion started by: suresh_krish
5 Replies

9. HP-UX

Apache and SSL

When everytime I start apache, it asks me to enter pass phrase, and I have to enter the pass phrase manually. I would like to write a script to monitor the apache, such that it will check the apache status, if it is stopped, then start it automatically. However, the script fails since the pass... (1 Reply)
Discussion started by: alfredo
1 Replies

10. Solaris

Apache with SSL problem

Hi All, I'm attempting to build Apache 1.3.27 on a new Solaris 9 system. I am using following "Option 2" in the INSTALL of the mod_ssl-2.8.12-1.3.27, and I'm stumped. After I configure and make all the required components the make of the Apache server itself stops at: flex... (2 Replies)
Discussion started by: b_manu78
2 Replies
Login or Register to Ask a Question