Date:      Wed, 6 Dec 2000 20:07:25 -0600 (CST)
From:      Ryan Thompson <ryan@sasknow.com>
To:        freebsd-isp@freebsd.org
Subject:   Annoying problem with apache-modssl certs
Message-ID:  <Pine.BSF.4.21.0012061953450.25889-100000@ren.sasknow.com>


Hey all... Hope someone has seen this before...

I've got an apache-modssl server (apache 1.3.9, mod-ssl 2.4.9, openssl
0.9.4) running under FreeBSD 3.4.

A default entry is configured, using "server.crt" and "server.key", on a
default server name.

www.virtual1.tld
I successfully added one virtual host, "virtual1.crt" / "virtual2.key".
(Yes, I use a better naming convention than this :-)  Actually, that site
has been up for a while.

www.virtual2.tld
Now, on the same server, I desired to add another virtual host.  So, after
generating the key, csr, and obtaining signed .crt (Thawte), as I have
always done, and adding another virtual host entry on the same IP/port 443
in httpd.conf, and restarting the secure server, the following happens:

When I access https://www.virtual2.tld/ , I see virtual1's certificate
(i.e., the browser complains that the certificate is signed and valid, but
the common name doesn't match the site name).  In fact, the certificate is
the one for www.virtual1.tld.

https://www.virtual1.tld/ and the default server work fine.

If I accept the certificate for virtual2.tld, I actually see the correct
page for https://www.virtual2.tld/.  (I.e., a static .html page containing
"Welcome to www.virtual2.tld" :-)

Thinking that a bit strange, I swapped the order of virtual1 and virtual2
<VirtualHost w.x.y.z:443> </VirtualHost> sections.  (So, virtual2 was
listed first).  The same thing happened, only differently :-)

Accessing http://www.virtual2.tld/ (listed first in httpd.conf) correctly
used virtual2.tld's certificate.

Accessing http://www.virtual1.tld/ (listed last in httpd.conf) incorrectly
used virtual1.tld's certificate.


So, to sum this up, it appears as though:
	o My virtual host setup is correct insofar as apache will
	  return the correct index page depending on the server
	  name requested by the client.
	o Apache refuses to use anything but the FIRST certificate
	  within the FIRST <virtualhost> directive.

Strange...?

-- 
  Ryan Thompson <ryan@sasknow.com>
  Network Administrator, Accounts

  SaskNow Technologies - http://www.sasknow.com
  #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

        Tel: 306-664-3600   Fax: 306-664-1161   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America
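
The behaviour summarised in the message, as an added example that is not part of the original e-mail or of Apache/mod_ssl: a Python check that reads <VirtualHost> blocks and reports which SSL virtual hosts will never have their own certificate presented. It assumes a server without SNI, so the certificate is chosen from the IP:port alone before any Host header arrives; the sample configuration, addresses and file paths are constructed placeholders.

```python
import re

# Constructed sample config; addresses and paths are placeholders.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:443>
    ServerName www.virtual1.tld
    SSLCertificateFile /path/to/virtual1.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName www.virtual2.tld
    SSLCertificateFile /path/to/virtual2.crt
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName www.virtual3.tld
    SSLCertificateFile /path/to/virtual3.crt
</VirtualHost>
"""

BLOCK = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return the first argument of a directive inside one vhost block."""
    m = re.search(r"^\s*%s\s+(\S+)" % re.escape(name), body, re.M | re.I)
    return m.group(1) if m else None

def parse_vhosts(conf):
    """Return (addr, server_name, cert_file) for each SSL vhost, in file order."""
    out = []
    for addr, body in BLOCK.findall(conf):
        cert = directive(body, "SSLCertificateFile")
        if cert:
            out.append((addr, directive(body, "ServerName"), cert))
    return out

def served_cert(vhosts, addr):
    """Cert used in the handshake: first vhost on addr, as no name is known yet."""
    for a, _, cert in vhosts:
        if a == addr:
            return cert
    return None

def shadowed(vhosts):
    """Vhosts whose configured certificate is never presented to clients."""
    return [(name, cert, served_cert(vhosts, addr))
            for addr, name, cert in vhosts
            if cert != served_cert(vhosts, addr)]

if __name__ == "__main__":
    for name, own, got in shadowed(parse_vhosts(SAMPLE_CONF)):
        print("%s: configured %s, clients receive %s" % (name, own, got))
```
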
