httpd-users mailing list archives

From suomi <apa...@ayni.com>
Subject [users@httpd] Apache just knows about one single certificate.
Date Wed, 08 Oct 2003 14:14:12 GMT
Hi everyone,
cellino@violina:~> /usr/local/apache2/bin/httpd -v
Server version: Apache/2.0.47
Server built:   Sep  1 2003 14:52:47
cellino@violina:~>

cellino@violina:~> uname -a
Linux violina 2.4.19-4GB #1 Fri Sep 13 13:14:56 UTC 2002 i686 unknown
cellino@violina:~>

I have about 40 named-virtual-hosts, about 10 of which are using SSL.
SSL is just used to protect the transfer, not for authentication, so I
use self-signed certificates created with
cellino@violina:~> openssl
OpenSSL> version
OpenSSL 0.9.6g [engine] 9 Aug 2002
OpenSSL>

The Apache configuration is in one directory containing http.conf,
ssl.conf, and one file per virtual host.

webadmin 14574  0.0  1.1 39736 11396 ?       S    Oct07   0:00 /usr/local/apache2/bin/httpd -f /usr/local/apache2/conf/virtual.servers/
webadmin 14575  0.0  1.1 39736 11396 ?       S    Oct07   0:00 /usr/local/apache2/bin/httpd -f /usr/local/apache2/conf/virtual.servers/
...

In order to avoid that cumbersome question "...you are accessing the url
aa.bb.cc but the certificate presented by the web-server is for the url
dd.ee.ff. "...  I finally created certificates for each virtual host
using SSL.

Configured e.g. for one SSL virtual-host as:

SSLEngine on
SSLCertificateFile    /etc/ssl/certs/phpino.cert.pem
SSLCertificateKeyFile /etc/ssl/certs/phpino.cert.key
SSLVerifyClient none

and for a second SSL virtual-host as:

SSLEngine on
SSLCertificateFile    /etc/ssl/certs/ldap.cert.pem
SSLCertificateKeyFile /etc/ssl/certs/ldap.cert.key
SSLVerifyClient none

and so on.

To my great anger, Apache just presents one single certificate out of
the list to all virtual-hosts.

The docu tells me that per virtual-server, you can even have two (2)
certificates (rsa and dsa), not only one.

I checked whether the certificates are really different from one another 
and found out that they really differ in the subject line:

Subject: C=CH, ST=Zurich, L=Zurich, O=Ayni AG, OU=phpino, CN=phpino.ayni.com/Email=info@ayni.com

I also checked whether all files specified in the config exist: they
all do.

I also checked the error log file of all virtual servers whether they 
contain the well known warnings:

[Sun Mar 02 13:01:45 2003] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Mar 02 13:01:45 2003] [warn] RSA server certificate CommonName (CN) `rosetta.ayni.com' does NOT match server name!?

No, not any more, i.e. all virtual servers are happy with their certificate.

But still, there is only one single certificate presented on all 
SSL-virtual servers.

Has anyone experienced such an angry situation? What am I doing wrong?
What am I missing? Where can I find more info? Do I need to include the
CA certificate?

Any hint is appreciated, thanks in advance.

suomi




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
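
Added example, not part of the original post: a configuration audit for the symptom described above. It assumes the SSL virtual hosts share one address:port and that the server has no SNI support (the Apache 2.0.47 / OpenSSL 0.9.6g pair shown predates it), so the certificate is selected before the Host header is read and the first virtual host's certificate is served for all. The addresses, ServerName values and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: addresses and ServerNames are assumptions; the two
# certificate paths under 192.0.2.10 are the ones shown in the post.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:443>
    ServerName phpino.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/phpino.cert.pem
    SSLCertificateKeyFile /etc/ssl/certs/phpino.cert.key
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName ldap.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ldap.cert.pem
    SSLCertificateKeyFile /etc/ssl/certs/ldap.cert.key
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName other.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/other.cert.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Value of the first occurrence of a directive in a vhost body, or None."""
    m = re.search(r"^\s*%s\s+(\S+)" % re.escape(name), body, re.M | re.I)
    return m.group(1) if m else None

def ssl_vhosts(conf):
    """Map each address:port to its SSL-enabled vhosts, in configuration order."""
    conf = re.sub(r"^\s*#.*$", "", conf, flags=re.M)  # drop comment lines
    groups = defaultdict(list)
    for addrs, body in VHOST_RE.findall(conf):
        if (directive(body, "SSLEngine") or "").lower() == "on":
            for addr in addrs.split():
                groups[addr].append((directive(body, "ServerName"),
                                     directive(body, "SSLCertificateFile")))
    return dict(groups)

def shadowed_certificates(conf):
    """Vhosts whose certificate differs from the first one on the same address:port."""
    return [(addr, name, cert, hosts[0][1])
            for addr, hosts in ssl_vhosts(conf).items()
            for name, cert in hosts[1:] if cert != hosts[0][1]]
```

Each tuple returned by `shadowed_certificates` names a virtual host whose configured certificate would never be presented under the stated assumption, together with the certificate that is served in its place.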