Message-ID: <6ed6382b0701180710u1a4e0dfah771a52505731dd05@mail.gmail.com>
In-Reply-To: <8429080.post@talk.nabble.com>
Date: Thu, 18 Jan 2007 16:10:25 +0100
From: "Krist van Besien"
To: users@httpd.apache.org
Subject: Re: [users@httpd] Problem with Apache + Tomcat + SSL + mod_rewrite

On 1/18/07, Tomo wrote:
> https is on 8444 rather than 8443 because a plesk system is running on 8443.
> The tomcat certificate has been generated and the server.xml modified.
> Tomcat is happy serving pages on https://localhost:8444 directly so why
> would this rewrite rule fail?
>
> The mod_rewrite log has the same output (except for the urls used in the
> rewrite) for both of these rules, so that's no help.
> the ssl_error log says:
> RSA server certificate CommonName (CN) `localhost.localdomain' does NOT
> match server name!?
> the error_log has a similar warning:
> [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server
> name!?

When you connect to https://localhost:8444/ using a browser you
probably get a dialog box saying that the browser can't verify the
certificate, asking you if you want to accept the session anyway. And
I assume you click on OK then. This is because you have a self signed
cert on your tomcat server.

The problem is that when your apache server makes a https connection
with the tomcat server there is nobody around to click on "ok". So
apache, when it encounters errors in the certificate (which it does
when it is self signed) will just refuse the connection.

In this case I would really reconsider if ssl is really necessary. If
the only way the tomcat application is accessed is via the apache
server, then you don't need ssl. You can just use http for your
tomcat. It is quite common in production environments (e.g. ours) that
ssl is terminated on an apache server, and then forwarded over http to
the tomcat server.

The only solution I can see if you really want https between your
apache and tomcat servers, you will need to do the following:

- Get a proper certificate. You can get one for free at cacert.org or
  you can set up your own CA (which is what I did). You then need to
  integrate the root certificate into the CA store of your apache
  server, so it can verify the cert. For this I refer you to the apache
  documentation.

Krist

--
krist.vanbesien@gmail.com
Bremgarten b. Bern, Switzerland
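
The private-CA route described in the message above, as an added example that is not part of the original post: it builds a throwaway CA with openssl, issues a certificate for the backend, and checks that the CA-signed certificate verifies against the CA root while a self-signed one does not. All file names and subject names are constructed.

```bash
#!/bin/sh
# Added example: every file name and subject name here is constructed.
set -eu

# Create, inside directory $1: a private root CA, a certificate for
# CN=localhost issued by that CA, and a self-signed CN=localhost cert.
make_lab() {
  ( cd "$1" &&
    # Minimal config so the result does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
      'x509_extensions = v3_ca' '[dn]' 'CN = Example Internal Root CA' \
      '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > lab.cnf &&
    # 1. Root CA: the trust anchor the proxying server will be told about.
    openssl req -x509 -config lab.cnf -newkey rsa:2048 -nodes -days 30 \
      -keyout ca.key -out ca.crt &&
    # 2. Tomcat key and CSR, then a certificate issued by the CA.
    openssl req -config lab.cnf -newkey rsa:2048 -nodes \
      -subj '/CN=localhost' -keyout tomcat.key -out tomcat.csr &&
    openssl x509 -req -in tomcat.csr -CA ca.crt -CAkey ca.key \
      -CAcreateserial -days 30 -out tomcat.crt &&
    # 3. The setup from the thread: Tomcat with a self-signed certificate.
    openssl req -x509 -config lab.cnf -newkey rsa:2048 -nodes -days 30 \
      -subj '/CN=localhost' -keyout selfsigned.key -out selfsigned.crt
  ) >/dev/null 2>&1
}

# Succeeds only if certificate $2 chains to a root in CA bundle $1.
# Parses the output because very old openssl builds exit 0 on failure.
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Demo: the same check a verifying TLS client performs on the backend cert.
lab=$(mktemp -d)
make_lab "$lab"
chains_to_ca "$lab/ca.crt" "$lab/tomcat.crt" && echo "CA-signed cert: accepted"
chains_to_ca "$lab/ca.crt" "$lab/selfsigned.crt" || echo "self-signed cert: rejected"
rm -rf "$lab"
```

On the Apache side, mod_ssl is pointed at the resulting `ca.crt` with `SSLProxyCACertificateFile` (together with `SSLProxyEngine on`) so that the proxied HTTPS connection to Tomcat can be verified against it.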