httpd-users mailing list archives

From "Jacob Coby" <jc...@listingbook.com>
Subject Re: [users@httpd] Apache just knows about one single certificate.
Date Wed, 08 Oct 2003 14:32:40 GMT
You can only have one SSL certificate per IP address.  It's in the FAQ.

-Jacob


----- Original Message ----- 
From: "suomi" <apache@ayni.com>
To: <users@httpd.apache.org>
Sent: Wednesday, October 08, 2003 10:14 AM
Subject: [users@httpd] Apache just knows about one single certificate.


> Hi every
> cellino@violina:~> /usr/local/apache2/bin/httpd -v
> Server version: Apache/2.0.47
> Server built:   Sep  1 2003 14:52:47
> cellino@violina:~>
>
> cellino@violina:~> uname -a
> Linux violina 2.4.19-4GB #1 Fri Sep 13 13:14:56 UTC 2002 i686 unknown
> cellino@violina:~>
>
> i have about 40 named-virtual-hosts, about 10 of which are using SSL.
> SSL is just used to protect the transfer, not for authentication. so i
> use self-signed certificates created with
> cellino@violina:~> openssl
> OpenSSL> version
> OpenSSL 0.9.6g [engine] 9 Aug 2002
> OpenSSL>
>
> The apache-configuration is in one directory containing http.conf,
> ssl.conf, and one file per virtual host.
>
> webadmin 14574  0.0  1.1 39736 11396 ?       S    Oct07   0:00
> /usr/local/apache2/bin/httpd -f /usr/local/apache2/conf/virtual.servers/
> webadmin 14575  0.0  1.1 39736 11396 ?       S    Oct07   0:00
> /usr/local/apache2/bin/httpd -f /usr/local/apache2/conf/virtual.servers/
> ...
>
> in order to avoid that cumbersome question "...you are accessing the url
> aa.bb.cc but the certificate presented by the web-server is for the url
> dd.ee.ff. "...  i finally created certificates for each virtual host
> using SSL.
>
> configured e.g. for one SSL virtual-host as:
>
> SSLEngine on
> SSLCertificateFile    /etc/ssl/certs/phpino.cert.pem
> SSLCertificateKeyFile /etc/ssl/certs/phpino.cert.key
> SSLVerifyClient none
>
> and for a second SSL virtual-host as:
>
> SSLEngine on
> SSLCertificateFile    /etc/ssl/certs/ldap.cert.pem
> SSLCertificateKeyFile /etc/ssl/certs/ldap.cert.key
> SSLVerifyClient none
>
> and so on.
>
> To my great anger, apache just presents one single certificate out of
> the list to all virtual-hosts.
>
> The docu tells me, that per virtual-server, you can even have two (2)
> certificates (rsa and dsa), not only one.
>
> I checked whether the certificates are really different from one another
> and found out that they really differ in the subject line:
>
> Subject: C=CH, ST=Zurich, L=Zurich, O=Ayni AG, OU=phpino,
> CN=phpino.ayni.com/Email=info@ayni.com
>
> I also checked, whether all files specified in the config exist: they
> all do.
>
> I also checked the error log file of all virtual servers whether they
> contain the well known warnings:
>
> [Sun Mar 02 13:01:45 2003] [warn] RSA server certificate is a CA
> certificate (BasicConstraints: CA == TRUE !?)
> [Sun Mar 02 13:01:45 2003] [warn] RSA server certificate CommonName (CN)
> `rosetta.ayni.com' does NOT match server name!?
>
> No, not any more, i.e. all virtual servers are happy with their
> certificate.
>
> But still, there is only one single certificate presented on all
> SSL-virtual servers.
>
> Has anyone experienced such an angry situation? what am i doing wrong?
> what am i missing? where can i find more info? Do i need to include the
> CA certificate?
>
> Any hint is appreciated, thanks in advance.
>
> suomi
>
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
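
Added example (not part of either message, and not Apache project code): a Python check that applies the rule stated in the reply by grouping SSL-enabled virtual hosts by listen address and flagging any address whose hosts name different certificate files. The two certificate paths are taken from the post; the `<VirtualHost>` addresses, the `ServerName` values, the third host and the function names are assumptions made for illustration, and addresses are compared as literal strings.

```python
import re
from collections import defaultdict

# Constructed sample: the phpino/ldap certificate paths come from the post;
# the <VirtualHost> addresses, ServerName values and third host are assumptions.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:443>
    ServerName phpino.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/phpino.cert.pem
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName ldap.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ldap.cert.pem
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName other.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/other.cert.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return the first argument of a directive inside a vhost body, or None."""
    m = re.search(rf"^\s*{name}\s+(\S+)", body, re.M | re.I)
    return m.group(1) if m else None

def ssl_certs_by_address(conf_text):
    """Map each listen address to (ServerName, certificate) of its SSL vhosts."""
    certs = defaultdict(list)
    for addrs, body in VHOST_RE.findall(conf_text):
        if (directive(body, "SSLEngine") or "").lower() != "on":
            continue  # plain HTTP vhosts are not affected
        cert = directive(body, "SSLCertificateFile")
        for addr in addrs.split():
            certs[addr].append((directive(body, "ServerName"), cert))
    return dict(certs)

def conflicts(conf_text):
    """Addresses whose SSL vhosts configure more than one distinct certificate."""
    return {a: v for a, v in ssl_certs_by_address(conf_text).items()
            if len({cert for _, cert in v}) > 1}

if __name__ == "__main__":
    for addr, vhosts in conflicts(SAMPLE_CONF).items():
        print(f"{addr}: {len(vhosts)} SSL vhosts with different certificates: {vhosts}")
```
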